From whalenster at gmail.com Sat Oct 1 13:23:21 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Sat, 1 Oct 2016 13:23:21 -0400
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To:
References: <57EF053C.2000106@stroeder.com>
Message-ID:

I came up with some better examples to illustrate the problem.

The following PowerShell code works:

$userdn = 'CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net'
$strFilter = "(member:1.2.840.113556.1.4.1941:=$userdn)"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 1000
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colProplist = "name"
foreach ($i in $colPropList){
    $objSearcher.PropertiesToLoad.Add($i) > $nul
}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{
    $objItem = $objResult.Properties
    $objItem.name
}

But, the following python-ldap code returns zero results after taking some time:

from __future__ import print_function
import ldap
from ldap.filter import escape_filter_chars

base = "DC=example,DC=net"

username = "ADLookup@example.net"
password = "foobar"

ad = ldap.initialize("ldap://ad.example.net")
ad.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
ad.set_option(ldap.OPT_REFERRALS, 0)
ad.bind_s(username, password)

dn = "CN=Whalen\\, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net"

filter_string = "(memberof:1.2.840.113556.1.4.1941:={0})".format(escape_filter_chars(dn))
# (memberof:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and Groups,DC=example,DC=net)
# The backslash that escapes the comma in the CN must be escaped in a search filter string,
# per RFC 2254, page 5

results = ad.search_s(base,
                      ldap.SCOPE_SUBTREE,
                      filterstr=filter_string,
                      attrlist=["distinguishedName"])
results = [entry for dn, entry in results if isinstance(entry, dict)]
print(results)

At first I thought this was due to a bug or compatibility problem in python-ldap. However, running the same search using Microsoft's LDIFDE.EXE tool also returns zero results.

LDIFDE.EXE -f results.txt -d "DC=example,DC=net" -r "(memberof:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean, OU=Users,OU=Users and Groups,DC=example,DC=net)" -l "name"

Any idea what's going wrong, and how can I fix it?

Also, I was able to join the list. The confirmation email got buried.

On Fri, Sep 30, 2016 at 10:41 PM, Sean Whalen wrote:

> Right,
>
> but when I use
> (member:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)
>
> or
> filter = '(member:1.2.840.113556.1.4.1941:=CN={0},OU=Users,OU=Users and Groups,DC=redacted,DC=net)'.format(escape_dn_chars('Whalen, Sean'))
>
> I get
>
>   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 768, in search_s
>     return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout)
>   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 761, in search_ext_s
>     msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit)
>   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 757, in search_ext
>     timeout,sizelimit,
>   File "/usr/local/lib/python3.5/dist-packages/ldap/ldapobject.py", line 263, in _ldap_call
>     result = func(*args,**kwargs)
> ldap.FILTER_ERROR: {'desc': 'Bad search filter'}
>
> On Fri, Sep 30, 2016 at 10:01 PM, Stephen J. Butler <stephen.butler at gmail.com> wrote:
>
>> \5C is backslash itself, not comma. I think what he wants is really:
>>
>> r'(member:1.2.840.113556.1.4.1941:=CN=Whalen\, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)'
>>
>> Notice the raw string.
>> Otherwise, if you aren't using a raw string, then:
>>
>> "(member:1.2.840.113556.1.4.1941:=CN=Whalen\\, Sean,OU=Users,OU=Users and Groups,DC=redacted,DC=net)"
>>
>> IDK how you're building your DN's in general, but what you should be
>> doing is this when you have arbitrary input:
>>
>> from ldap.dn import escape_dn_chars
>>
>> filter = '(member:1.2.840.113556.1.4.1941:=CN={0},OU=Users,OU=Users and Groups,DC=redacted,DC=net)'.format(escape_dn_chars('Whalen, Sean'))
>>
>> That will always do the right thing.
>>
>> On Fri, Sep 30, 2016 at 7:37 PM, Michael Ströder wrote:
>>
>>> Sean Whalen wrote:
>>> > Then I tried
>>> >
>>> > (member:1.2.840.113556.1.4.1941:=CN=Whalen\5c, Sean,OU=Users,OU=Users and
>>>                                             ^^^^
>>> Yes, you must escape the comma in the DN.
>>>
>>> But the escaped hex-encoded character \5C must fully *replace* the comma. Or
>>> simply escape the comma like \, (see RFC 4514).
>>>
>>> Bear in mind that you have to deal with extra escaping in Python string syntax
>>> when hard-coding a DN like this in your source code.
>>>
>>> Also note that there can be a bunch of specific performance differences
>>> depending on how and from where you connect and bind to Active Directory,
>>> especially if it's not well maintained (stale directory replicas / site
>>> topology).
>>>
>>> Ciao, Michael.

From michael at stroeder.com Sat Oct 1 13:37:19 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 1 Oct 2016 19:37:19 +0200
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To:
References: <57EF053C.2000106@stroeder.com>
Message-ID: <57EFF44F.603@stroeder.com>

Sean Whalen wrote:
> But, the following |python-ldap| code returns zero results after taking some time:

I wonder what module you're actually using.

Your last e-mail implies that you're using https://pypi.python.org/pypi/pyldap
with Python 3.5.x which is a heavily patched code fork of
https://pypi.python.org/pypi/python-ldap.

Personally I cannot help with pyldap.

Ciao, Michael.

From whalenster at gmail.com Sat Oct 1 14:49:13 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Sat, 1 Oct 2016 14:49:13 -0400
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To:
References:
Message-ID:

Michael,

I've tried with both python-ldap and pyldap and gotten the same results. If you can help me troubleshoot on python-ldap, I can probably make it work with pyldap. I really want to support Python 2 and 3.

Aron,

Escaping the whole search string also escaped the parentheses around my statement, generating an invalid search string. Thanks for the suggestion.

On Sat, Oct 1, 2016 at 2:01 PM, Aron Patel wrote:

> Could it be that you're already trying to escape the \ in your dn. So it
> will translate to \\\\ once you escape your full DN using the
> escape_filter_chars.
>
> I would wrap my entire filter with the escape_filter_chars(filter_string)
> instead of just trying to escape the DN manually. Just make sure you remove
> any of your own escaping characters from the dn before applying the method.
>
> /Aron
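
The two escaping layers discussed in this thread, as an added example that is not part of any post: a value is first escaped for the DN (RFC 4514), and the finished DN is then escaped as a filter assertion value (RFC 4515), which is why a bare `\,` is rejected as a bad filter and why escaping the whole filter string destroys its parentheses. The helper names are hypothetical plain-Python stand-ins for python-ldap's `escape_dn_chars` and `escape_filter_chars`, the sample name and suffix are constructed from the thread, and the filter uses `member` as the working PowerShell search does.

```python
import re

# Constructed sample values modelled on the thread; nothing here contacts a server.
CHAIN_OID = "1.2.840.113556.1.4.1941"  # matching-rule OID used in the thread's filters
SUFFIX = "OU=Users,OU=Users and Groups,DC=example,DC=net"


def escape_rdn_value(value):
    """Layer 1 (RFC 4514): escape an attribute value for use inside a DN."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value).replace("\x00", "\\00")
    if value[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """Layer 2 (RFC 4515): escape an assertion value for use inside a filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def has_valid_filter_escapes(filterstr):
    """True if every backslash starts a two-hex-digit escape, as RFC 4515 requires."""
    return re.search(r"\\(?![0-9A-Fa-f]{2})", filterstr) is None


def nested_groups_filter(common_name):
    """Build the transitive-membership filter for a user from an unescaped CN."""
    user_dn = "CN={0},{1}".format(escape_rdn_value(common_name), SUFFIX)
    return "(member:{0}:={1})".format(CHAIN_OID, escape_filter_value(user_dn))


if __name__ == "__main__":
    good = nested_groups_filter("Whalen, Sean")
    print(good)
    # DN pasted into the filter with only the DN-level escape: not a legal filter escape
    dn_only = "(member:{0}:=CN=Whalen\\, Sean,{1})".format(CHAIN_OID, SUFFIX)
    print(has_valid_filter_escapes(good), has_valid_filter_escapes(dn_only))
    # Escaping the finished filter also escapes its own parentheses
    print(escape_filter_value(good))
    # Input carrying filter metacharacters stays inside the assertion value
    print(nested_groups_filter("x)(cn=*"))
```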

From michael at stroeder.com Sat Oct 1 15:37:19 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 1 Oct 2016 21:37:19 +0200
Subject: [python-ldap] Searching for nested membership in AD groups
In-Reply-To:
References:
Message-ID: <57F0106F.3000608@stroeder.com>

Sean Whalen wrote:
> If you can help me troubleshoot on python-ldap,

I don't have access to your AD.

The only thing to suggest is to set trace_level=2.

https://www.python-ldap.org/doc/html/ldap.html#ldap.initialize

Ciao, Michael.

From whalenster at gmail.com Mon Oct 3 16:32:44 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Mon, 3 Oct 2016 16:32:44 -0400
Subject: [python-ldap] Why is Active Directory refusing to support a simple paged results search?
Message-ID:

I'm trying to use python-ldap to run a simple paged search on an Active Directory server.
See RFC 2696

Simplified sample code:

import ldap
from ldap.controls import SimplePagedResultsControl

SERVER = "dc.example.net"
USERNAME = "ADLookup"
PASSWORD = "12345LuggageAmazing"
BASE = "dc=example, dc=net"
FILTER = "(sAMAccountName=sean.whalen)"
PAGE_SIZE = 1000

ad = ldap.initialize("ldap://{0}".format(SERVER), trace_level=2)
ad.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
ad.set_option(ldap.OPT_REFERRALS, 0)
ad.simple_bind(USERNAME, PASSWORD)

pc = SimplePagedResultsControl(criticality=True, size=PAGE_SIZE, cookie="")

msgid = ad.search_ext(BASE, scope=ldap.SCOPE_SUBTREE, filterstr=FILTER, clientctrls=[pc])

# Skipping over processing because the exception is raised at the above call

Output:

=> result:1
*** ldap://dc.example.net - SimpleLDAPObject.search_ext(('dc=example,dc=net', 2, '(sAMAccountName=sean.whalen)', None, 0, None, [('1.2.840.113556.1.4.319', True, b'0\x06\x02\x02\x03\xe8\x04\x00')], -1, 0), {})
=> LDAPError - NOT_SUPPORTED: {'desc': 'Not Supported'}

Is it possible that the server admins have disabled paged searches, or is something wrong with my code?

From michael at stroeder.com Mon Oct 3 18:11:50 2016
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 4 Oct 2016 00:11:50 +0200
Subject: [python-ldap] Why is Active Directory refusing to support a simple paged results search?
In-Reply-To:
References:
Message-ID: <57F2D7A6.4010206@stroeder.com>

Sean Whalen wrote:
> USERNAME ="ADLookup"
> [..]
> ad.simple_bind(USERNAME,PASSWORD)

Are you sure this is working? It might work with AD (because using the
userPrincipalName value also works).
But to be sure your app bound correctly I'd use the user entry's full bind-DN.

> LDAPError-NOT_SUPPORTED:{'desc':'Not Supported'}|
>
> Is it possible that the server admins have disabled paged searches, or is
> something wrong with my code?

Maybe yes. Ask your admins.

Ciao, Michael.
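
Reading the trace output above, as an added example that is not part of the thread: it maps the traced positional arguments onto the parameter names of `search_ext` (order taken from the traceback earlier on this page) and BER-decodes the RFC 2696 control value. The function names are hypothetical and the trace tuple is re-typed here as a Python literal.

```python
# Arguments exactly as printed in the trace output above (constructed here as a
# Python literal); no LDAP connection is made.
TRACE_ARGS = ("dc=example,dc=net", 2, "(sAMAccountName=sean.whalen)", None, 0,
              None,
              [("1.2.840.113556.1.4.319", True, b"0\x06\x02\x02\x03\xe8\x04\x00")],
              -1, 0)

# Positional order of search_ext's parameters, as shown by the call
# self.search_ext(base,scope,filterstr,...) in the traceback earlier on this page.
SEARCH_EXT_PARAMS = ("base", "scope", "filterstr", "attrlist", "attrsonly",
                     "serverctrls", "clientctrls", "timeout", "sizelimit")

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 pagedResultsControl


def read_tlv(data, pos):
    """Read one BER element (definite length, short or long form)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def decode_paged_control_value(value):
    """Decode SEQUENCE { size INTEGER, cookie OCTET STRING } from RFC 2696."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    tag, size_bytes, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = read_tlv(body, pos)
    if tag != 0x04 or pos != len(body):
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def controls_by_slot(args):
    """Name the traced positional arguments and decode any paged-results control."""
    named = dict(zip(SEARCH_EXT_PARAMS, args))
    found = []
    for slot in ("serverctrls", "clientctrls"):
        for oid, critical, value in named[slot] or []:
            entry = {"slot": slot, "oid": oid, "critical": critical}
            if oid == PAGED_RESULTS_OID:
                entry["size"], entry["cookie"] = decode_paged_control_value(value)
            found.append(entry)
    return found


if __name__ == "__main__":
    for entry in controls_by_slot(TRACE_ARGS):
        print(entry)
```

The control itself is well formed (page size 1000, empty cookie, critical), and it sits in the `clientctrls` slot while `serverctrls` is `None`. RFC 2696 defines it as a control the client sends to the server, which in python-ldap is what `serverctrls` is for.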

From whalenster at gmail.com Mon Oct 3 19:41:13 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Mon, 3 Oct 2016 19:41:13 -0400
Subject: [python-ldap] Why is Active Directory refusing to support a simple paged results search?
In-Reply-To: <57F2D7A6.4010206@stroeder.com>
References: <57F2D7A6.4010206@stroeder.com>
Message-ID:

Good catch. I'm actually using the userPrincipalName, but did/

On Oct 3, 2016 6:11 PM, "Michael Ströder" wrote:

> Sean Whalen wrote:
> > USERNAME ="ADLookup"
> > [..]
> > ad.simple_bind(USERNAME,PASSWORD)
>
> Are you sure this is working? It might work with AD (because using the
> userPrincipalName value also works).
> But to be sure your app bound correctly I'd use the user entry's full
> bind-DN.
>
> > LDAPError-NOT_SUPPORTED:{'desc':'Not Supported'}|
> >
> > Is it possible that the server admins have disabled paged searches, or is
> > something wrong with my code?
>
> Maybe yes. Ask your admins.
>
> Ciao, Michael.

From whalenster at gmail.com Mon Oct 3 19:43:42 2016
From: whalenster at gmail.com (Sean Whalen)
Date: Mon, 3 Oct 2016 19:43:42 -0400
Subject: [python-ldap] Why is Active Directory refusing to support a simple paged results search?
In-Reply-To:
References: <57F2D7A6.4010206@stroeder.com>
Message-ID:

Good catch. I'm actually using the userPrincipalName, but I forgot to add the domain back on when I sanitized the credentials for the example.

On Oct 3, 2016 7:41 PM, "Sean Whalen" wrote:

> Good catch. I'm actually using the userPrincipalName, but did/
>
> On Oct 3, 2016 6:11 PM, "Michael Ströder" wrote:
>
>> Sean Whalen wrote:
>> > USERNAME ="ADLookup"
>> > [..]
>> > ad.simple_bind(USERNAME,PASSWORD)
>>
>> Are you sure this is working?
>> It might work with AD (because using the userPrincipalName value also works).
>> But to be sure your app bound correctly I'd use the user entry's full
>> bind-DN.
>>
>> > LDAPError-NOT_SUPPORTED:{'desc':'Not Supported'}|
>> >
>> > Is it possible that the server admins have disabled paged searches, or is
>> > something wrong with my code?
>>
>> Maybe yes. Ask your admins.
>>
>> Ciao, Michael.

From asyd at asyd.net Tue Oct 4 16:21:20 2016
From: asyd at asyd.net (Bruno Bonfils)
Date: Tue, 4 Oct 2016 22:21:20 +0200
Subject: [python-ldap] About usage of name pyldap (and introducing ORM based on pyldap)
Message-ID: <20161004202120.7uohqgvw7s3okyf7@gendo.asyd.net>

Hello,

I'm very close to finishing and publishing a basic ORM based on pyldap. I would like to know if you agree that I publish it on pypi with the name pyldap_orm.

For people interested, here is a working example of usage of the ORM:

--8<--
# First, you must define kind of objects you want to manage:
class LDAPUser(models.LDAPModelUser):
    base = 'ou=People,dc=example,dc=com'
    required_attributes = ['cn']
    required_objectclasses = ['inetOrgPerson']


class LDAPUsers(models.LDAPModelUsers):
    children = LDAPUser

# Create a LDAPSession to connect and authenticate to the LDAP server
# Plain LDAP, LDAPs, and STARTTLS connect methods are available
session = LDAPSession(backend='ldap://localhost:1389/',
                      mode=LDAPSession.STARTTLS,
                      cert='/home/asyd/tmp/ldapclient.pem',
                      key='/home/asyd/tmp/ldapclient.pem')

# As well as simple_bind, and SASL_EXTERNAL (client certificate mapped)
# for authentication
session.authenticate(mode=LDAPSession.AUTH_SASL_EXTERNAL)

# You can now perform some search using LDAPModel(session).method()
user = LDAPUser(session).by_attr('uid', 'asyd')

# Attributes are available using user.
print(user.dn)
print(user.description)

# To update an existing object, use standard python way
user.description = ['new description']
user.save()

# You can also create simple
--8<--

I also provide a mapping from bytes to str, int, boolean regarding the attribute definition.

cheers

From michael at stroeder.com Tue Oct 4 16:32:58 2016
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 4 Oct 2016 22:32:58 +0200
Subject: [python-ldap] About usage of name pyldap (and introducing ORM based on pyldap)
In-Reply-To: <20161004202120.7uohqgvw7s3okyf7@gendo.asyd.net>
References: <20161004202120.7uohqgvw7s3okyf7@gendo.asyd.net>
Message-ID: <57F411FA.1030600@stroeder.com>

Bruno Bonfils wrote:
> I'm very close to finishing and publishing a basic ORM based on pyldap.

You're not the first one. You'll find many wrapper / ORM / convenience modules on top of python-ldap on PyPI.

> I would like to know if you agree that I publish it on pypi with the name
> pyldap_orm.

I don't mind. But thanks for asking.

Ciao, Michael.

From Manuel.Holtgrewe at bihealth.de Wed Oct 12 02:31:58 2016
From: Manuel.Holtgrewe at bihealth.de (Holtgrewe, Manuel)
Date: Wed, 12 Oct 2016 06:31:58 +0000
Subject: [python-ldap] Problem with non-standard location of sasl.h
In-Reply-To:
References:
Message-ID:

ping

Has anyone had a chance to look at this? This would make using python-ldap much easier in platform-as-a-service environments (I have trouble with flynn.io).

The patch makes setup.py interpret the environment variables LIBRARY_PATH and INCLUDE_PATH. If they are not set then the behaviour is as without the patch.

Kind Regards,
Manuel

--
Manuel Holtgrewe
Bioinformatics Core Unit
Berlin Institute of Health
Phone: +49 30 450 543607
Postal Address: Chariteplatz 1, 10117 Berlin, Germany
Visiting Address: Luisenstr. 56, 10117 Berlin, Germany

________________________________
From: Holtgrewe, Manuel
Sent: Thursday, April 28, 2016 15:34
To: python-ldap at python.org
Subject: Problem with non-standard location of sasl.h

Dear all,

I have a problem with non-standard locations of sasl.h. My installation sets INCLUDE_PATH and LIBRARY_PATH that is normally interpreted by gcc. However, the LDAP setup.py overrides this.

I'm using pyldap and tried to commit my patch there [1]. The pyldap people asked me to propose the change upstream (here).

What do you think?

Cheers,
Manuel

[1] https://github.com/pyldap/pyldap/pull/40/files

--
Manuel Holtgrewe
Bioinformatics Core Unit
Berlin Institute of Health
Phone: +49 30 450 543607
Postal Address: Chariteplatz 1, 10117 Berlin, Germany
Visiting Address: Luisenstr. 56, 10117 Berlin, Germany

From joeyhendricks20 at gmail.com Wed Oct 12 07:10:56 2016
From: joeyhendricks20 at gmail.com (Joey Hendricks)
Date: Wed, 12 Oct 2016 13:10:56 +0200
Subject: [python-ldap] My Python project
Message-ID:

Dear Sir or Madam,

My name is Joey Hendricks and I'm a 20 year old programming student. And I have been using your package "python-ldap latest version" in my python program I have been building this program for a school project. And might want to sell my project afterwards but my program makes use of your package "python-ldap latest version". It imports your package in order to make a connection to an Active Directory and check data in the Active Directory.

And I'm wondering if I can use your package in my program and sell at a later point because I want to do this fair and right and don't wanna wrong you or commit plagiarism. I will be selling my code that imports your package and not your package; people would need to download your package separately from your site and install it on their server but my code makes use of your package.
Because I'm inexperienced in selling programs and licensing I don't know if I can use your API in my program. Could you tell me or give me permission to use your API in my program and sell it at a later point or do I have to sell it under specific license or can't I use it at all? What do I need to do? Could you give some advice on what I can do?

I hope you can help me and thanks in advance. Sorry if my questions might be a bit vague; English is not my native language, I'm Dutch.

Kind regards
Joey Hendricks

From michael at stroeder.com Wed Oct 12 07:20:08 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 12 Oct 2016 13:20:08 +0200
Subject: [python-ldap] My Python project
In-Reply-To:
References:
Message-ID: <57FE1C68.6060601@stroeder.com>

Joey,

Joey Hendricks wrote:
> My name is Joey Hendricks and I'm a 20 year old programming student.
> And I have been using your package "python-ldap latest version" in my python
> program I have been building this program for a school project.
> And might want to sell my project afterwards but my program makes use of your
> package "python-ldap latest version".
> It imports your package in order to make a connection to an Active Directory and
> check data in the Active Directory.
>
> And I'm wondering if I can use your package in my program and sell at a later
> point because I want to do this fair and right and don't wanna wrong you or
> commit plagiarism.

The intention of using the rather blurry term "Python style license" was to allow everything which is allowed with Python itself.

My more verbose answer in the mailing list archive summarizing the small issues is still valid:

https://mail.python.org/pipermail/python-ldap/2012q2/003119.html

Mainly this is one of the reasons why forking python-ldap code to make it work for Python 3.x is not an optimal solution.

Ciao, Michael.

From michael at stroeder.com Fri Nov 18 02:16:49 2016
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 18 Nov 2016 08:16:49 +0100
Subject: [python-ldap] ANN: python-ldap 2.4.28
Message-ID: <3dad266e-c638-d56a-cb1a-3e9252f97154@stroeder.com>

Find a new release of python-ldap:

https://pypi.python.org/pypi/python-ldap/2.4.28

python-ldap provides an object-oriented API to access LDAP directory servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for that purpose. Additionally it contains modules for other LDAP-related stuff (e.g. processing LDIF, LDAP URLs and LDAPv3 schema).

Project's web site:

http://www.python-ldap.org/

Checksums:

md5sum python-ldap-2.4.28.tar.gz 175e6bb0c900e8ba9e236b44ec0c0e92
sha1sum python-ldap-2.4.28.tar.gz a5024876cc493a5436ec5d7d5ea1a87bb88f5a44
sha256sum python-ldap-2.4.28.tar.gz d9aaa11974651b35993610993256fde9fc5e37039e0d318d0dc3963776ca21a9

Ciao, Michael.

----------------------------------------------------------------
Released 2.4.28 2016-11-17

Changes since 2.4.27:

Lib/
* LDAPObject.unbind_ext_s() invokes LDAPObject._trace_file.flush() only
  if LDAPObject._trace_level is non-zero and Python is running in debug mode
* LDAPObject.unbind_ext_s() now ignores AttributeError in case
  LDAPObject._trace_file has no flush() method
* added dummy method ldap.logger.logging_file_class.flush() because
  LDAPObject.unbind_ext_s() invokes it

From facevedo at openmailbox.org Thu Nov 24 08:14:02 2016
From: facevedo at openmailbox.org (Facundo Acevedo)
Date: Thu, 24 Nov 2016 10:14:02 -0300
Subject: [python-ldap] Issues with modifiModlist
In-Reply-To:
References:
Message-ID:

I've tried a little more, I think that it only occurs with reversed strings.

On 24/11/16 at 09:58, Facundo Acevedo wrote:
> Hello, I've realized that when the parameter of the old attribute is the same
> length as the new, modifyModlist does not work as expected; it returns
> an empty list.
>
> Example code to reproduce the issue:
>
> import ldap.modlist as modlist
>
> value = "Python"
> reversed_value = value[::-1]
> old = {}
> new = {}
> old["sn"] = value
> new["sn"] = reversed_value
>
> ldif = modlist.modifyModlist(old, new)
>
>
> I think the problem is in ldap/modlist.py:95
> replace_attr_value = len(old_value)!=len(new_value)
>
>
> Version information:
> Name: python-ldap
> Version: 2.4.27
> Python 2.7.12
>
>
> Greetings!

From facevedo at openmailbox.org Thu Nov 24 07:58:31 2016
From: facevedo at openmailbox.org (Facundo Acevedo)
Date: Thu, 24 Nov 2016 09:58:31 -0300
Subject: [python-ldap] Issues with modifiModlist
Message-ID:

Hello, I've realized that when the parameter of the old attribute is the same length as the new, modifyModlist does not work as expected; it returns an empty list.

Example code to reproduce the issue:

import ldap.modlist as modlist

value = "Python"
reversed_value = value[::-1]
old = {}
new = {}
old["sn"] = value
new["sn"] = reversed_value

ldif = modlist.modifyModlist(old, new)

I think the problem is in ldap/modlist.py:95
replace_attr_value = len(old_value)!=len(new_value)

Version information:
Name: python-ldap
Version: 2.4.27
Python 2.7.12

Greetings!

From joeyhendricks20 at gmail.com Sat Nov 26 09:11:40 2016
From: joeyhendricks20 at gmail.com (Joey Hendricks)
Date: Sat, 26 Nov 2016 15:11:40 +0100
Subject: [python-ldap] qeustion searching underlying OU with python-ldap
Message-ID:

Dear subscribers of the python LDAP mailing list,

I have a question on how to modify a password of an AD user.
I have been doing it until now this way:

import ldap

name_search = "Test.Test"
SEARCH_LOCATION = "OU=Assengraaf,DC=assengraaf,DC=nl"
user_dn = ("CN=%s," + (SEARCH_LOCATION)) % name_search
server = "ldaps://Server01.assengraaf.nl:636"
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
conn = ldap.initialize(server)
conn.set_option(ldap.OPT_REFERRALS, 0)
conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
conn.set_option( ldap.OPT_X_TLS_DEMAND, True )
conn.set_option( ldap.OPT_DEBUG_LEVEL, 4095)
conn.simple_bind_s("Administrator@assengraaf.nl", "password")
password_value1 = '"{0}\"'.format(password).encode("utf-16-le")
add_pass = [(ldap.MOD_REPLACE, "UnicodePwd", password_value1)]
conn.modify_s(user_dn, add_pass)

But I want to be able to modify a user password without specifying the location of the user, I just want it to search the entire AD for that user. What would be the best way to achieve this?

Hope you guys can help me out :)

Kind regards
Joey

From michael at stroeder.com Sat Nov 26 10:54:14 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 26 Nov 2016 16:54:14 +0100
Subject: [python-ldap] qeustion searching underlying OU with python-ldap
In-Reply-To:
References:
Message-ID: <65a8cb0c-5636-7c50-0b7d-39239d899172@stroeder.com>

Joey Hendricks wrote:
> I have a question on how to modify a password of an AD user.
> I have been doing it until now this way:
> [..]
> But I want to be able to modify a user password without specifying the location
> of the user, I just want it to search the entire AD for that user.
> What would be the best way to achieve this?

You have to provide the full DN of the user's entry when modifying it.

You can simply search the user entry first with a filter like (sAMAccountName=user-id) and then use its DN.

Ciao, Michael.
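
Michael's suggestion above as an added example, not code from the thread: look the entry up by `sAMAccountName` across the whole tree, insist on exactly one match, then modify that DN. `conn` is assumed to be an already bound python-ldap connection over LDAPS as in Joey's post; the function names and the `RecordingConn` stand-in are hypothetical, and the two numeric constants mirror `ldap.SCOPE_SUBTREE` and `ldap.MOD_REPLACE` so the block runs without the library.

```python
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE
MOD_REPLACE = 2    # same value as ldap.MOD_REPLACE


def escape_filter_value(value):
    """RFC 4515 escaping so a user id cannot alter the structure of the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def find_user_dn(conn, base, sam_account_name):
    """Return the DN of the single entry whose sAMAccountName matches."""
    filterstr = "(sAMAccountName={0})".format(escape_filter_value(sam_account_name))
    rows = conn.search_s(base, SCOPE_SUBTREE, filterstr, ["distinguishedName"])
    # Active Directory may append referral rows whose DN is None; skip them.
    dns = [dn for dn, entry in rows if dn is not None and isinstance(entry, dict)]
    if len(dns) != 1:
        raise LookupError("expected exactly one entry for {0!r}, found {1}".format(
            sam_account_name, len(dns)))
    return dns[0]


def encode_unicode_pwd(password):
    """Quote and UTF-16-LE encode the new password, as the post above does."""
    return '"{0}"'.format(password).encode("utf-16-le")


def set_password(conn, base, sam_account_name, new_password):
    """Search for the user first, then replace unicodePwd on the DN found."""
    user_dn = find_user_dn(conn, base, sam_account_name)
    conn.modify_s(user_dn, [(MOD_REPLACE, "unicodePwd", encode_unicode_pwd(new_password))])
    return user_dn


class RecordingConn(object):
    """Constructed stand-in for a bound connection so the flow runs offline."""

    def __init__(self, rows):
        self.rows, self.filters, self.mods = rows, [], []

    def search_s(self, base, scope, filterstr, attrlist=None):
        self.filters.append(filterstr)
        return self.rows

    def modify_s(self, dn, modlist):
        self.mods.append((dn, modlist))


if __name__ == "__main__":
    # Constructed search result: one user entry plus one referral row.
    rows = [("CN=Test.Test,OU=Assengraaf,DC=assengraaf,DC=nl", {}),
            (None, ["ldap://assengraaf.nl/CN=Configuration,DC=assengraaf,DC=nl"])]
    conn = RecordingConn(rows)
    print(set_password(conn, "DC=assengraaf,DC=nl", "Test.Test", "example-password"))
    print(conn.filters, conn.mods)
```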
From michael at stroeder.com Sat Nov 26 11:05:51 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 26 Nov 2016 17:05:51 +0100
Subject: [python-ldap] Issues with modifiModlist

Facundo Acevedo wrote:
> Hello, I've realized that when the parameter of the old attribute is the same
> length as the new, modifyModlist does not work as expected, it returns
> an empty list.
> [..]
> I think the problem is in ldap/modlist.py:95
> replace_attr_value = len(old_value)!=len(new_value)

This line above is only an optimization short-cut for not having to examine each attribute value in case the list of attribute values is different by length anyway.

Note that the attribute value lists are compared like sets because that's what LDAPv3 attributes contain:

https://tools.ietf.org/html/rfc4511#section-4.1.7

In general LDAPv3 client implementations should not rely on order of attribute values.

In practice all LDAPv3 servers I've tested do preserve and change the order of the attribute values as provided by the client. So the above optimization is indeed debatable. But note that you'll never know what all the other LDAP clients are doing in your deployment.

Before going into considerations whether to change that in python-ldap or not:
Which exact problem do you want to solve?
Why is order significant in your application?
Why do you want to use the above function instead of rolling your own which better fits your particular needs?

Ciao, Michael.
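A simplified model of the set-style comparison described in the reply above, added here as an illustration and not python-ldap's own code; `values_differ`, `as_value_list` and `model_modify` are hypothetical names. It shows why reordered values produce no change, how the repro's bare strings behave under such a comparison, and an order-sensitive variant of the "roll your own" kind.

```python
MOD_ADD, MOD_DELETE = 0, 1  # numeric values of ldap.MOD_ADD and ldap.MOD_DELETE


def values_differ(old_values, new_values):
    """Set-style comparison: a length mismatch short-cuts, order is ignored."""
    if len(old_values) != len(new_values):
        return True
    return set(old_values) != set(new_values)


def as_value_list(value):
    """Treat a bare str/bytes as ONE attribute value, not a sequence of characters."""
    return [value] if isinstance(value, (str, bytes)) else list(value)


def model_modify(old, new, normalize=False, ordered=False):
    """Hypothetical model: emit delete+add for each attribute whose values changed."""
    mods = []
    for attr in sorted(new):
        old_v, new_v = old.get(attr, []), new[attr]
        if normalize:
            old_v, new_v = as_value_list(old_v), as_value_list(new_v)
        if ordered:
            changed = list(old_v) != list(new_v)
        else:
            changed = values_differ(old_v, new_v)
        if changed:
            mods += [(MOD_DELETE, attr, None), (MOD_ADD, attr, new_v)]
    return mods


if __name__ == '__main__':
    # Constructed inputs; the first pair is the repro from the report.
    print(model_modify({'sn': 'Python'}, {'sn': 'nohtyP'}))                  # []
    print(model_modify({'sn': 'Python'}, {'sn': 'nohtyP'}, normalize=True))  # delete + add
    mail_old = {'mail': ['a@example.net', 'b@example.net']}
    mail_new = {'mail': ['b@example.net', 'a@example.net']}
    print(model_modify(mail_old, mail_new))                # [] (order ignored)
    print(model_modify(mail_old, mail_new, ordered=True))  # delete + add
```

Under this model the bare strings "Python" and "nohtyP" are iterated character by character, so they hold the same set of six values; wrapping each in a list makes them one value apiece and the change is detected.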
From jfong at yelp.com Wed Dec 7 16:53:27 2016
From: jfong at yelp.com (Jen Fong)
Date: Wed, 7 Dec 2016 13:53:27 -0800
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?

Hi folks--

I currently have some code that uses ReconnectLDAPObject and search_s to enable automatic reconnecting to a flaky server.

I now need to support fetching more results than is allowed by our server-side limit, so plan to use the SimplePagedResultsControl to fetch the results in pages.

However, I couldn't find in the documentation how to retrieve the resulting control cookie in order to progress to the next page when using LDAPObject.search_ext_s since it returns simply the list of results for the page. Is it possible to use SimplePagedResultsControls with ReconnectLDAPObject.search_ext_s ?

From michael at stroeder.com Wed Dec 7 16:58:08 2016
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 7 Dec 2016 22:58:08 +0100
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?
Message-ID: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>

Jen Fong via python-ldap wrote:
> I now need to support fetching more results than is allowed by our
> server-side limit, so plan to use the SimplePagedResultsControl to fetch the
> results in pages.

Which LDAP server? Only MS AD has this strange behaviour of allowing to circumvent search size limits with this control.

> However, I couldn't find in the documentation how to retrieve the resulting
> control cookie in order to progress to the next page when using
> LDAPObject.search_ext_s since it returns simply the list of results for the
> page. Is it possible to use SimplePagedResultsControls with
> ReconnectLDAPObject.search_ext_s ?

See Demo/page_control.py in the source tar.gz.

Ciao, Michael.

From jfong at yelp.com Wed Dec 7 17:08:59 2016
From: jfong at yelp.com (Jen Fong)
Date: Wed, 7 Dec 2016 14:08:59 -0800
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?
In-Reply-To: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>
References: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>

Thanks for the quick reply Michael

Yes, this is an active directory server we're talking to.

I had a look at the demo, however that uses the asynchronous search request. That works in our code, but then loses the ReconnectLDAPObject's automated reconnection feature since that is only for synchronous requests.

Can SimplePagedResultsControl be used with the *synchronous* search function? And if so, how do I get the resulting cookie?

On Wed, Dec 7, 2016 at 1:58 PM, Michael Ströder wrote:

> Jen Fong via python-ldap wrote:
> > I now need to support fetching more results than is allowed by our
> > server-side limit, so plan to use the SimplePagedResultsControl to fetch the
> > results in pages.
>
> Which LDAP server? Only MS AD has this strange behaviour of allowing to
> circumvent search size limits with this control.
>
> > However, I couldn't find in the documentation how to retrieve the resulting
> > control cookie in order to progress to the next page when using
> > LDAPObject.search_ext_s since it returns simply the list of results for the
> > page. Is it possible to use SimplePagedResultsControls with
> > ReconnectLDAPObject.search_ext_s ?
>
> See Demo/page_control.py in the source tar.gz.
>
> Ciao, Michael.

From stephen.butler at gmail.com Wed Dec 7 19:37:44 2016
From: stephen.butler at gmail.com (Stephen J. Butler)
Date: Wed, 7 Dec 2016 18:37:44 -0600
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?
References: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>

I don't think the paged results cookie is good across reconnection anyway. You lose the benefit of that subclass in this case.

On Wed, Dec 7, 2016 at 4:08 PM, Jen Fong via python-ldap <python-ldap at python.org> wrote:

> Thanks for the quick reply Michael
>
> Yes, this is an active directory server we're talking to.
>
> I had a look at the demo, however that uses the asynchronous search
> request. That works in our code, but then loses the ReconnectLDAPObject's
> automated reconnection feature since that is only for synchronous requests.
>
> Can SimplePagedResultsControl be used with the *synchronous* search
> function? And if so, how do I get the resulting cookie?
>
> On Wed, Dec 7, 2016 at 1:58 PM, Michael Ströder wrote:
>
>> Jen Fong via python-ldap wrote:
>> > I now need to support fetching more results than is allowed by our
>> > server-side limit, so plan to use the SimplePagedResultsControl to fetch the
>> > results in pages.
>>
>> Which LDAP server? Only MS AD has this strange behaviour of allowing to
>> circumvent search size limits with this control.
>>
>> > However, I couldn't find in the documentation how to retrieve the resulting
>> > control cookie in order to progress to the next page when using
>> > LDAPObject.search_ext_s since it returns simply the list of results for the
>> > page. Is it possible to use SimplePagedResultsControls with
>> > ReconnectLDAPObject.search_ext_s ?
>>
>> See Demo/page_control.py in the source tar.gz.
>>
>> Ciao, Michael.

From jfong at yelp.com Wed Dec 7 21:02:15 2016
From: jfong at yelp.com (Jen Fong)
Date: Wed, 7 Dec 2016 18:02:15 -0800
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?
References: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>

Ah, thanks Stephen; that makes a lot of sense.

We'll be sure to add our own reconnect logic in this case.

On Wed, Dec 7, 2016 at 4:37 PM, Stephen J. Butler wrote:

> I don't think the paged results cookie is good across reconnection anyway.
> You lose the benefit of that subclass in this case.
>
> On Wed, Dec 7, 2016 at 4:08 PM, Jen Fong via python-ldap <python-ldap at python.org> wrote:
>
>> Thanks for the quick reply Michael
>>
>> Yes, this is an active directory server we're talking to.
>>
>> I had a look at the demo, however that uses the asynchronous search
>> request. That works in our code, but then loses the ReconnectLDAPObject's
>> automated reconnection feature since that is only for synchronous requests.
>>
>> Can SimplePagedResultsControl be used with the *synchronous* search
>> function? And if so, how do I get the resulting cookie?
>>
>> On Wed, Dec 7, 2016 at 1:58 PM, Michael Ströder wrote:
>>
>>> Jen Fong via python-ldap wrote:
>>> > I now need to support fetching more results than is allowed by our
>>> > server-side limit, so plan to use the SimplePagedResultsControl to fetch the
>>> > results in pages.
>>>
>>> Which LDAP server? Only MS AD has this strange behaviour of allowing to
>>> circumvent search size limits with this control.
>>>
>>> > However, I couldn't find in the documentation how to retrieve the resulting
>>> > control cookie in order to progress to the next page when using
>>> > LDAPObject.search_ext_s since it returns simply the list of results for the
>>> > page. Is it possible to use SimplePagedResultsControls with
>>> > ReconnectLDAPObject.search_ext_s ?
>>>
>>> See Demo/page_control.py in the source tar.gz.
>>>
>>> Ciao, Michael.

From michael at stroeder.com Thu Dec 8 02:26:10 2016
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 8 Dec 2016 08:26:10 +0100
Subject: [python-ldap] ReconnectLDAPObject and server controls in search results?
References: <8e7d4c82-b43b-18c9-749f-873bcf641386@stroeder.com>

Jen Fong wrote:
> We'll be sure to add our own reconnect logic in this case.

You could wrap the underlying code and call ReconnectLDAPObject.reconnect(uri) before retrying.

Ciao, Michael.

From r at robakdesign.com Sun Dec 11 09:39:25 2016
From: r at robakdesign.com (Bartłomiej Rutkowski)
Date: Sun, 11 Dec 2016 14:39:25 +0000
Subject: [python-ldap] New application using python-ldap

Hi,

I wrote a simple web app for changing LDAP users' passwords and I thought you might want to include it in your list of apps using python-ldap (https://www.python-ldap.org/apps.html):

https://github.com/bartekrutkowski/ldapass

Let me know if you have any questions.

And thanks for working on python-ldap!
:)

Kind regards,
Bartek Rutkowski

--
---------------------------------
http://robakdesign.com
---------------------------------

From michael at stroeder.com Sun Dec 11 11:08:00 2016
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 11 Dec 2016 17:08:00 +0100
Subject: [python-ldap] New application using python-ldap
Message-ID: <3e0ec058-0df0-f608-87aa-a71ae9272acd@stroeder.com>

Bartłomiej Rutkowski wrote:
> I wrote a simple web app for changing LDAP users' passwords and I thought you
> might want to include it in your list of apps using python-ldap
> (https://www.python-ldap.org/apps.html):

Note that for various reasons I had already considered removing that page (including the link to my own stuff). And now I've removed it.

Ciao, Michael.