[rcardenes at debian.org: Re: Bug#179108: ldap_initialize patch]

Michael Ströder michael at stroeder.com
Sun Apr 6 17:33:16 CEST 2003


Peter Hawkins wrote:
>>
> Q: "Why you want to pass a NULL argument to ldap_initialize?"
> 
> Short answer: Because you _can_ do it (at least in C)

I have to admit that I'm not in favour of following everything that is 
possible with the OpenLDAP C API. Note that the C API is considered to be 
highly flawed (see postings on OpenLDAP lists). Especially this particular 
feature could cause some FAQs. Before accepting a patch I would really like 
to understand the background issues.

> Long answer:
> 
> Passing a NULL argument to ldap_initialize, you prevent this code from
> running (excerpt from ldap_initialize/OpenLDAP 2.0.27):
> 
>         if (url != NULL) {
>                 rc = ldap_set_option(ld, LDAP_OPT_URI, url);
>                 if ( rc != LDAP_SUCCESS ) {
>                         ldap_ld_free(ld, 1, NULL, NULL);
>                         return rc;
>                 }
>         }
> 
> I haven't checked deeply, but it seems to deactivate further URI
> checking, making the LDAP library assume that you want to connect to a
> local LDAP server.

What exactly does local mean? I guess the LDAP URI is taken from ldap.conf 
if uri is NULL. Is that right? If yes, I have to admit that I have some 
objections to introducing (implicit) support for ldap.conf in python-ldap.

I posted a message to openldap-software at OpenLDAP.org to find out...

> It seems to help in some scenarios involving broken
> DNS configs, and it probably (again, I haven't checked) speeds up
> initial bindings even at well-configured DNS places, as you don't need to
> make lookups

Well, at some point you have to make a DNS lookup. Where does the speed up 
come from?

> It makes a difference for me
> (several seconds waiting for the lookup to timeout -> 0 seconds passing
> NULL), since I cannot modify those (possibly) broken DNS records.

Maybe it's me but I still don't get it. If you have a DNS name of an LDAP 
server you're trying to connect to, the lookup for the IP address has to be 
done. If DNS entries are completely broken and you already know the IP 
address you can pass this to ldap.initialize().

Or do you suspect the OpenLDAP libs to do reverse lookups in the URL checking?

Did you compile your OpenLDAP with --enable-wrappers (TCP wrapper support)? 
This could cause reverse lookups on the server's side. Not sure if it also 
has an effect on the client libs.

> Anyway, there's no reason not to be able to send a NULL as URL
> argument to ldap_initialize, since the API _does_ recognize it as a
> valid argument

I have some plans to let python-ldap be just a wrapper above other APIs 
(e.g. ADSI on Win32 or maybe a pure Python version). Therefore there MUST be 
a good rationale to change semantics of the uri argument of 
ldap.initialize() or introduce a dependency on OpenLDAP's ldap.conf.

> (in fact OpenLDAP's client
> tools use NULL as the default argument to ldap_initialize if you don't
> specify -h or -H).

I guess that's where ldap.conf is used.

> Of course, if Michael has a deeper view of OpenLDAP internals than I

No, I don't have more insight. In fact I'm not very familiar with the C part 
of python-ldap which is hard to maintain for me since David Leonard does not 
have time to spend anymore. Contributions welcome (e.g. support for extended 
controls).

> I can keep applying patches.

Instead you could derive from ldap.ldapobject.LDAPObject and do the host 
lookup once(!) in the __init__() method passing an IP address to underlying 
_ldap.initialize(). Or better rewrite your LDAP applications to keep 
persistent connections. See ldap.ldapobject.ReconnectLDAPObject for a 
picklable version of LDAPObject.

Ciao, Michael.
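
Added example, not part of the original message and not python-ldap's own code: a sketch of the suggestion above to do the host lookup once and pass an IP-based URI to ldap.initialize(). The names pin_ldap_uri and initialize_pinned, the injectable resolver argument, and the choice to refuse ldaps:// and host-less URIs are assumptions made for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def pin_ldap_uri(uri, resolver=socket.getaddrinfo):
    """Resolve the host of an ldap:// URI once; return the URI with an IP literal."""
    parts = urlsplit(uri)
    if parts.scheme == "ldaps":
        # With an IP in the URI the server certificate is matched against the
        # IP instead of the DNS name, so refuse rather than weaken the check.
        raise ValueError("refusing to pin ldaps:// URI: keep the DNS name for TLS")
    if parts.scheme != "ldap":
        raise ValueError("not an LDAP URI: %r" % uri)
    host = parts.hostname
    if not host:
        # An empty host leaves the target to library defaults; be explicit instead.
        raise ValueError("LDAP URI has no host: %r" % uri)
    port = parts.port or 389
    try:
        addr = ipaddress.ip_address(host)  # already a literal: no lookup at all
    except ValueError:
        # One forward lookup; the first returned address is used.
        infos = resolver(host, port, type=socket.SOCK_STREAM)
        addr = ipaddress.ip_address(infos[0][4][0].split("%")[0])
    literal = "[%s]" % addr if addr.version == 6 else str(addr)
    return "ldap://%s:%d" % (literal, port)


def initialize_pinned(uri):
    """Hypothetical helper: requires python-ldap; one lookup, then connect by IP."""
    import ldap  # imported lazily so pin_ldap_uri() is usable without python-ldap
    return ldap.initialize(pin_ldap_uri(uri))
```
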





