From william at blackhats.net.au Mon Apr 5 21:18:22 2021
From: william at blackhats.net.au (William Brown)
Date: Tue, 6 Apr 2021 11:18:22 +1000
Subject: [python-ldap] Multiple timeout values in python-ldap, which ones are applicable
In-Reply-To:
References:
Message-ID: <14D23B5B-BDEB-4BFD-B1A4-95ABA9F7CBF3@blackhats.net.au>

> On 18 Mar 2021, at 18:26, varun mittal wrote:
>
> I am using python-ldap==3.1.0 with python3 to query my AD server.
>
> With the following timeout values:
>
> ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 30)
> ldap.set_option(ldap.OPT_TIMEOUT, 120)
> conn = ldap.initialize(ldap://server-ip)
>
> Using 3 types of queries - synchronous search_s(), asynchronous with and without paging search_ext()
>
> I am not using any timeout in the _ext method.
>
> One of my LDAP searches(asynchronous with paging) took about 14 minutes to complete, in the customer environment. Eventually, the search was successful.

I think you may want OPT_TIMELIMIT to limit the search time, rather than OPT_TIMEOUT.

As well, because you are doing this as async with paging, there may be other timing interactions here that could be subtle and interacting.

Hope that helps a bit

>
> Looking at the documentation, I am not sure which timeout value would be applicable here.
>
> I thought setting OPT_TIMEOUT should suffice for all kinds of searches.
>
> What am I missing here?
--
Sincerely,

William

From vmittal05 at gmail.com Tue Apr 6 01:45:47 2021
From: vmittal05 at gmail.com (varun mittal)
Date: Tue, 6 Apr 2021 11:15:47 +0530
Subject: [python-ldap] Multiple timeout values in python-ldap, which ones are applicable
In-Reply-To: <14D23B5B-BDEB-4BFD-B1A4-95ABA9F7CBF3@blackhats.net.au>
References: <14D23B5B-BDEB-4BFD-B1A4-95ABA9F7CBF3@blackhats.net.au>
Message-ID:

> I think you may want OPT_TIMELIMIT to limit the search time, rather than OPT_TIMEOUT.

Oh, the documentation says TIMELIMIT is deprecated in favour of TIMEOUT

On Tue, Apr 6, 2021 at 6:48 AM William Brown wrote:

>
> > On 18 Mar 2021, at 18:26, varun mittal wrote:
> >
> > I am using python-ldap==3.1.0 with python3 to query my AD server.
> >
> > With the following timeout values:
> >
> > ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 30)
> > ldap.set_option(ldap.OPT_TIMEOUT, 120)
> > conn = ldap.initialize(ldap://server-ip)
> >
> > Using 3 types of queries - synchronous search_s(), asynchronous with and without paging search_ext()
> >
> > I am not using any timeout in the _ext method.
> >
> > One of my LDAP searches(asynchronous with paging) took about 14 minutes to complete, in the customer environment. Eventually, the search was successful.
>
> I think you may want OPT_TIMELIMIT to limit the search time, rather than OPT_TIMEOUT.
>
> As well, because you are doing this as async with paging, there may be other timing interactions here that could be subtle and interacting.
>
> Hope that helps a bit
>
> >
> > Looking at the documentation, I am not sure which timeout value would be applicable here.
> >
> > I thought setting OPT_TIMEOUT should suffice for all kinds of searches.
> >
> > What am I missing here?
>
> --
> Sincerely,
>
> William
>

From villanuevareed at gmail.com Wed Apr 7 02:19:36 2021
From: villanuevareed at gmail.com (Reed Villanueva)
Date: Tue, 6 Apr 2021 20:19:36 -1000
Subject: [python-ldap] base and filterstr combination for search_s() function to get user with matching `sAMAccountName` when base DN's lowest elements are just Group CNs?
Message-ID:

Is there a way to write an LDAP search filter string or base DN syntax to get user with matching sAMAccountName property when the target base DN's lowest elements are Group CNs (not actually users/Person objects)? Never worked with LDAP querying before, so don't have a great understanding on how to do this.

Have an AD path of Group CNs (where the users therein are defined in multiple other locations) like...

DC=myorg,DC=local
    OU=datagroups
        OU=zones
            CN=group1
            CN=group2
            ...

...and have two parameters that I have available for matching against a login string:

- A single base DN (eg. OU=zones,OU=datagroups,DC=myorg,DC=local) that will be accepted as a base arg by a python-ldap.search_s() function.
- A search filter string to act on that base DN and return a single user/Person with matching sAMAccountName that will be used as the filterstr arg in the python-ldap.search_s() function. The default format is 'sAMAccountName={login}'

Have also tried...

base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
search_filter = (&({login}=sAMAccountName)(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))

...to no avail.

Anyone with more experience know how I can do this? Anything I appear to be misunderstanding about the situation (since again, I don't work w/ LDAP querying very often)?

From william at blackhats.net.au Wed Apr 7 20:00:16 2021
From: william at blackhats.net.au (William Brown)
Date: Thu, 8 Apr 2021 10:00:16 +1000
Subject: [python-ldap] base and filterstr combination for search_s() function to get user with matching `sAMAccountName` when base DN's lowest elements are just Group CNs?
In-Reply-To:
References:
Message-ID: <4D3C6FA7-6A62-4EEB-9F9C-0E8FA6DD93DF@blackhats.net.au>

> On 7 Apr 2021, at 16:19, Reed Villanueva wrote:
>
> Is there a way to write an LDAP search filter string or base DN syntax to get user with matching sAMAccountName property when the target base DN's lowest elements are Group CNs (not actually users/Person objects)? Never worked with LDAP querying before, so don't have a great understanding on how to do this.
>
> Have an AD path of Group CNs (where the users therein are defined in multiple other locations) like...
>
> DC=myorg,DC=local
>     OU=datagroups
>         OU=zones
>             CN=group1
>             CN=group2
>             ...
>
> ...and have two parameters that I have available for matching against a login string:
>
> - A single base DN (eg. OU=zones,OU=datagroups,DC=myorg,DC=local) that will be accepted as a base arg by a python-ldap.search_s() function.
> - A search filter string to act on that base DN and return a single user/Person with matching sAMAccountName that will be used as the filterstr arg in the python-ldap.search_s() function. The default format is 'sAMAccountName={login}'
> Have also tried...
>
> base_dn = OU=zones,OU=datagroups,DC=myorg,DC=local
> search_filter = (&({login}=sAMAccountName)(|(memberOf=CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local)(memberOf=CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local)))
>

I think the mistake is here: You should have sAMAccountName={login}, not the other way around.

To help a bit, this blog may help:

https://fy.blackhats.net.au/blog/html/pages/ldap_guide_part_2_searching.html

It explains how search filters work a bit more, and the scopes.

In this case, provided you are using SCOPE_SUBTREE, what you have will work.

Hope that helps,

> ...to no avail.
>
> Anyone with more experience know how I can do this? Anything I appear to be misunderstanding about the situation (since again, I don't work w/ LDAP querying very often)?

--
Sincerely,

William

From Yannick.Ring at crown.com Mon Jun 28 19:57:04 2021
From: Yannick.Ring at crown.com (Ring, Yannick)
Date: Mon, 28 Jun 2021 23:57:04 +0000
Subject: [python-ldap] License clarification
Message-ID:

Hi,

Python-ldap is licensed under a 'Python-style license'. Is this a PSF-2.0 license or a license you have created your own? Can you clarify what you mean by a python-style license?

Best,

Yannick Ring
Software Engineer
Ph: +64 9 525 7780
www.crownnewzealand.com

From pviktori at redhat.com Tue Jun 29 09:23:47 2021
From: pviktori at redhat.com (Petr Viktorin)
Date: Tue, 29 Jun 2021 15:23:47 +0200
Subject: [python-ldap] License clarification
In-Reply-To:
References:
Message-ID: <5728cb6a-03ab-8d07-b7d6-34847d70e400@redhat.com>

On 29. 06. 21 1:57, Ring, Yannick wrote:
> Hi,
>
>
> Python-ldap is licensed under a 'Python-style license'. Is this a
> PSF-2.0 license or a license you have created your own? Can you clarify
> what you mean by a python-style license?

Your guess is as good as ours.
The people who put this licence in are no longer involved with the project, and the full authorship history was not preserved.

This was discussed in the past:
- https://mail.python.org/pipermail/python-ldap/2012q2/003119.html
- https://mail.python.org/pipermail/python-ldap/2014q2/003374.html
- https://github.com/python-ldap/python-ldap/issues/233

I assume that the license is the sentence that refers to "Python-style license" and assume this means a highly permissive open source license that only requires preservation of the text of the LICENCE file (including the disclaimer paragraph).
(This is based on recent legal advice, but I am not a lawyer and advice meant for me might not apply to you.)

I just opened a PR that:
- adds this clarification to the README
- puts future contributions under MIT

And that's the best we can currently do.
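
Added example, not part of any message in this archive and not python-ldap's own code: for the sAMAccountName thread of 7-8 April above, one way to build that filter with the attribute name on the left of the "=" and the login value escaped per RFC 4515, so filter metacharacters typed into a login stay inside the value. The function names and the sample logins are assumptions made for the example.

```python
# Added example: builds the filter from the thread with the attribute on the
# left and the user-supplied login escaped per RFC 4515.
# escape_filter_value and build_login_filter are hypothetical names;
# python-ldap ships ldap.filter.escape_filter_chars for the same escaping.

# RFC 4515 section 3: characters that must be written as \XX in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter(login, group_dns=()):
    """Return (&(sAMAccountName=<login>)(|(memberOf=<dn>)...)).

    With no group DNs the result is just (sAMAccountName=<login>).
    """
    if not login:
        raise ValueError("login must not be empty")
    account = "(sAMAccountName=%s)" % escape_filter_value(login)
    if not group_dns:
        return account
    members = "".join("(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)
    return "(&%s(|%s))" % (account, members)


# Group DNs as written in the thread.
ZONES = [
    "CN=zone1,OU=zones,OU=datagroups,DC=myorg,DC=local",
    "CN=zone2,OU=zones,OU=datagroups,DC=myorg,DC=local",
]

if __name__ == "__main__":
    print(build_login_filter("jdoe", ZONES))  # "jdoe" is a constructed login
    # Constructed hostile input: the metacharacters stay inside the value.
    print(build_login_filter("*)(objectClass=*"))
```

The returned string is what would be passed as the filterstr argument of search_s().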