From alet at librelogiciel.com Tue Apr 6 19:21:57 2004
From: alet at librelogiciel.com (Jerome Alet)
Date: Tue, 6 Apr 2004 19:21:57 +0200
Subject: referrals
Message-ID: <20040406172157.GA26138@mail.librelogiciel.com>

Hi there,

First I have to say I ask on behalf of a user of my own software. I don't
have such a setup, and don't have the full configuration details:

I wanted to know if special coding is needed to support referrals?

Is there some code example somewhere on how to deal with them?

When doing a modify_s() on a slave server, here's the exception a user of
my software obtains:

{'info': 'modifications require authentication', 'desc': 'Strong(er) authentication required'}

but I was told both servers are configured exactly the same way (disk
mirror) except the lines necessary to make replication work.

The bind being done is simple, there's no encryption, and I didn't change
any of the ldap object's properties/options.

Any idea, pointer, or anything else?

Thanks in advance

Jerome Alet
--
"Now that I'm connected to the Internet, everybody seems to know that
I've got a small dick." - Me.

From gdoughtie at anim.dreamworks.com Tue Apr 6 22:48:34 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Tue, 06 Apr 2004 13:48:34 -0700
Subject: ldap.sasl.gssapi example?
Message-ID: <407317A2.4060008@anim.dreamworks.com>

I'm having fits with ldap.sasl, and was wondering if perhaps I was just
suffering from a conceptual gap. Maybe there's some sample code someplace
that I couldn't find with google?

I need to use Kerberos authentication through GSSAPI to talk to our LDAP
server. I have a valid Kerberos ticket granting ticket, and I can use the
ldapadd utility to accomplish what I want on the server in question, so I
know that my account is properly provisioned.
Code looks like this:

import ldap, ldap.sasl

l = ldap.open('ldapserver.dreamworks.com')
auth = ldap.sasl.gssapi()
l.sasl_interactive_bind_s('', auth)

traceback like this:

    l.sasl_interactive_bind_s('', auth)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
ldap.LOCAL_ERROR: {'desc': 'Local error'}

--
Gavin Doughtie
DreamWorks SKG

From michael at stroeder.com Wed Apr 7 00:38:27 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 00:38:27 +0200
Subject: referrals
In-Reply-To: <20040406172157.GA26138@mail.librelogiciel.com>
References: <20040406172157.GA26138@mail.librelogiciel.com>
Message-ID: <40733163.3090801@stroeder.com>

Jerome Alet wrote:
>
> I wanted to know if special coding is needed to support referrals?

Yes.

> Is there some code example somewhere on how to deal with them?

I don't have a simple code snippet around.

> When doing a modify_s() on a slave server, here's the exception
> a user of my software obtains:

In a master-slave replication scenario the slave server is probably
read-only for applications.

Ciao, Michael.

From michael at stroeder.com Wed Apr 7 00:41:04 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 00:41:04 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <407317A2.4060008@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com>
Message-ID: <40733200.40300@stroeder.com>

Gavin Doughtie wrote:
> I need to use Kerberos authentication through GSSAPI to talk to our LDAP
> server.

I don't have personal experience with such a setup.

> I have a valid Kerberos ticket granting ticket, and I can use
> the ldapadd utility to accomplish what I want on the server in question,
> [..]
> ldap.LOCAL_ERROR: {'desc': 'Local error'}

Just guessing:

Is the Python script running as the same user as your ldapadd test?

Does the Python script have access to the Kerberos ticket?

Ciao, Michael.

From gdoughtie at anim.dreamworks.com Wed Apr 7 01:19:02 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Tue, 06 Apr 2004 16:19:02 -0700
Subject: ldap.sasl.gssapi example?
In-Reply-To: <40733200.40300@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <40733200.40300@stroeder.com>
Message-ID: <40733AE6.4050203@anim.dreamworks.com>

I'm running the Python script from an interactive shell, and I have a
Kerberos ticket. So far, everything is running as me with my tickets. As
far as the Python script having access -- well, as far as I can
understand things it *should* have access via the native sasl library
which, using GSSAPI, should go grab my ticket and present it to the LDAP
server. However, I think either the sasl_bind_interactive method is
broken or I'm not giving it the right information.

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> I need to use Kerberos authentication through GSSAPI to talk to our
>> LDAP server.
>
> I don't have personal experience with such a setup.
>
>> I have a valid Kerberos ticket granting ticket, and I can use the
>> ldapadd utility to accomplish what I want on the server in question,
>> [..]
>> ldap.LOCAL_ERROR: {'desc': 'Local error'}
>
> Just guessing:
>
> Is the Python script running as the same user as your ldapadd test?
>
> Does the Python script have access to the Kerberos ticket?
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG

From michael at stroeder.com Wed Apr 7 01:23:54 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 01:23:54 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <40733AE6.4050203@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com> <40733200.40300@stroeder.com> <40733AE6.4050203@anim.dreamworks.com>
Message-ID: <40733C0A.9000404@stroeder.com>

Gavin Doughtie wrote:
> I'm running the Python script from an interactive shell, and I have a
> Kerberos ticket. So far, everything is running as me with my tickets. As
> far as the Python script having access -- well, as far as I can
> understand things it *should* have access via the native sasl library
> which, using GSSAPI, should go grab my ticket and present it to the LDAP
> server.

Running as the same user?

> However, I think either the sasl_bind_interactive method is
> broken or I'm not giving it the right information.

Hmm, maybe it's broken. Please raise debug level set with
ldap.set_option(ldap.OPT_DEBUG_LEVEL,0). Maybe this gives some hints.

Ciao, Michael.

From alet at librelogiciel.com Wed Apr 7 09:00:17 2004
From: alet at librelogiciel.com (Jerome Alet)
Date: Wed, 7 Apr 2004 09:00:17 +0200
Subject: referrals
In-Reply-To: <40733163.3090801@stroeder.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com>
Message-ID: <20040407070017.GB2371@mail.librelogiciel.com>

On Wed, Apr 07, 2004 at 12:38:27AM +0200, Michael Ströder wrote:
> Jerome Alet wrote:
> >
> >I wanted to know if special coding is needed to support referrals?
>
> Yes.

Ouch! That's short!

> >Is there some code example somewhere on how to deal with them?
>
> I don't have a simple code snippet around.

I can't find any on google either. Does anyone else have such an example
to share?

> >When doing a modify_s() on a slave server, here's the exception
> >a user of my software obtains:
>
> In a master-slave replication scenario the slave server is probably
> read-only for applications.

Yes, this is the case. So tell me if I understand correctly:

- My app tries to do the modification to the server it is bound to,
  which is the slave.
- This fails AND automatic referral handling is not activated because
  I've not coded anything special to handle referrals.

- Then the exception is about authentication because stronger
  credentials would be needed to write to the slave.

Am I correct?

Thanks in advance

Jerome Alet
--
"Now that I'm connected to the Internet, everybody seems to know that
I've got a small dick." - Me.

From michael at stroeder.com Wed Apr 7 09:52:44 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 09:52:44 +0200
Subject: referrals
In-Reply-To: <20040407070017.GB2371@mail.librelogiciel.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com>
Message-ID: <4073B34C.4020001@stroeder.com>

Jerome Alet wrote:
> On Wed, Apr 07, 2004 at 12:38:27AM +0200, Michael Ströder wrote:
>
>>Jerome Alet wrote:
>>
>>>I wanted to know if special coding is needed to support referrals?
>>
>>Yes.
>
> Ouch! That's short!

Yes, since your mileage may vary.

>>>Is there some code example somewhere on how to deal with them?
>>
>>I don't have a simple code snippet around.

You could try to let the OpenLDAP libs handle the referral by setting:

  ldap.set_option(ldap.OPT_REFERRALS,1)

Note that referral handling in OpenLDAP libs is considered to be broken.

You could try to handle the referral by catching the exception
ldap.REFERRAL which contains the LDAP URL of the referred LDAP
entry/server:

  ldap.set_option(ldap.OPT_REFERRALS,0)

You can dig into the source code of web2ldap to find out how I'm doing
it. Try to provoke the same situation with web2ldap to see what happens.
web2ldap asks for a new login when following a referral.

> Yes, this is the case. So tell me if I understand correctly:
>
> - My app tries to do the modification to the server it is bound to,
>   which is the slave.
>
> - This fails AND automatic referral handling is not activated because
>   I've not coded anything special to handle referrals.
>
> - Then the exception is about authentication because stronger
>   credentials would be needed to write to the slave.
>
> Am I correct?

Not sure since this depends on server configuration. You have to find out
yourself what really happens in your environment.

Ciao, Michael.

From gdoughtie at anim.dreamworks.com Wed Apr 7 01:42:30 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Tue, 06 Apr 2004 16:42:30 -0700
Subject: ldap.sasl.gssapi example?
In-Reply-To: <40733C0A.9000404@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <40733200.40300@stroeder.com> <40733AE6.4050203@anim.dreamworks.com> <40733C0A.9000404@stroeder.com>
Message-ID: <40734066.60204@anim.dreamworks.com>

Yes, running as the same user. Here's the detailed dump:

ldap_interactive_sasl_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: ldap4.anim.dreamworks.com
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.4.141:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_is_sock_ready: 3
ldap_ndelay_off: 3
ldap_err2string                                   <--- failure
ldap_free_connection
ldap_send_unbind
ldap_free_connection: act

Do I need to put any more information in the ldap.sasl.gssapi() object?

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> I'm running the Python script from an interactive shell, and I have a
>> Kerberos ticket. So far, everything is running as me with my tickets.
>> As far as the Python script having access -- well, as far as I can
>> understand things it *should* have access via the native sasl library
>> which, using GSSAPI, should go grab my ticket and present it to the
>> LDAP server.
>
> Running as the same user?
>
>> However, I think either the sasl_bind_interactive method is broken or
>> I'm not giving it the right information.
>
> Hmm, maybe it's broken. Please raise debug level set with
> ldap.set_option(ldap.OPT_DEBUG_LEVEL,0). Maybe this gives some hints.
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821

From michael at stroeder.com Wed Apr 7 12:22:08 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 12:22:08 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <407317A2.4060008@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com>
Message-ID: <4073D650.3060507@stroeder.com>

Gavin Doughtie wrote:
> ldap.LOCAL_ERROR: {'desc': 'Local error'}

Can you please catch the exception and display it using str()? See
Demo/sasl_bind.py.

I'm experimenting with GSSAPI right now but currently I'm getting:

Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure:
GSSAPI Error: Miscellaneous failure (see text) (Incorrect net address)',
'desc': 'Local error'}

Ciao, Michael.

From michael at stroeder.com Wed Apr 7 12:57:53 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 07 Apr 2004 12:57:53 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4073D650.3060507@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com>
Message-ID: <4073DEB1.6090609@stroeder.com>

Michael Ströder wrote:
>
> I'm experimenting with GSSAPI right now

It seems to work for me. Since I'm not a Kerberos expert I can't provide
more detailed help. It seems to also depend on the interface's IP
address. I succeeded by fetching the TGT with

  kinit --no-addresses michael

Note that you should really dig into the issues with your local
configuration! Simply doing copy&paste of such a kinit command above
could lead to security issues!

Anyone else here who has more insights?

Ciao, Michael.

From michael at stroeder.com Thu Apr 8 14:15:58 2004
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 08 Apr 2004 14:15:58 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <40743CCF.8050102@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com>
Message-ID: <4075427E.2020902@stroeder.com>

Gavin Doughtie wrote:
> OK, here's the result from running my modified sasl_bind.py (below):
>
> marlin [~/src/mod/python/users](SHARK)(55)> kinit
> Password for gdoughtie at ANIM.DREAMWORKS.COM:

Could you please try with

  kinit --no-addresses

> Error using SASL mechanism GSSAPI {'desc': 'Local error'}

Hmm, really no 'info' field?

What Kerberos lib are you using?

I'm using heimdal 0.6 and cyrus-sasl 2.1.15 shipped with my SuSE 9.0
system.

If anything goes wrong there's a message in the 'info' field containing
also Kerberos-related text.

Ciao, Michael.

From gdoughtie at anim.dreamworks.com Wed Apr 7 19:39:27 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Wed, 07 Apr 2004 10:39:27 -0700
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4073D650.3060507@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com>
Message-ID: <40743CCF.8050102@anim.dreamworks.com>

OK, here's the result from running my modified sasl_bind.py (below):

marlin [~/src/mod/python/users](SHARK)(55)> kinit
Password for gdoughtie at ANIM.DREAMWORKS.COM:
marlin [~/src/mod/python/users](SHARK)(56)> klist
Ticket cache: FILE:/tmp/krb5cc_3501
Default principal: gdoughtie at ANIM.DREAMWORKS.COM

Valid starting     Expires            Service principal
04/07/04 10:36:46  04/07/04 20:36:46  krbtgt/ANIM.DREAMWORKS.COM at ANIM.DREAMWORKS.COM

Kerberos 4 ticket cache: /tmp/tkt3501
klist: You have no tickets cached
marlin [~/src/mod/python/users](SHARK)(57)> python ./sasl_bind.py
******************** GSSAPI ********************
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.sasl_interactive_bind_s (('', , None, None),{})
Error using SASL mechanism GSSAPI {'desc': 'Local error'} (, , )
  File "./sasl_bind.py", line 72, in ?
    l.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.unbind_ext ((None, None),{})
marlin [~/src/mod/python/users](SHARK)(58)>

------------------------------------------------- code ----------
# For documentation, see comments in Module/LDAPObject.c and the
# ldap.sasl module documentation.
import traceback
import sys
import ldap,ldap.sasl

ldap.sasl._trace_level=0
ldap.set_option(ldap.OPT_DEBUG_LEVEL,0)

for ldap_uri,sasl_mech,sasl_cb_value_dict in [
  (
    "ldap://etzadaat.anim.dreamworks.com:389/",
    'GSSAPI',
    {
      ldap.sasl.CB_AUTHNAME :'',
      ldap.sasl.CB_PASS     :'',
    }
  ),
#  (
#    "ldap://localhost:1390/",
#    'CRAM-MD5',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS     :'secret',
#    }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'PLAIN',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS     :'secret',
#    }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'LOGIN',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS     :'secret',
#    }
#  ),
#  (
#    "ldapi://%2Ftmp%2Fopenldap-socket/",
#    'EXTERNAL',
#    { }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'GSSAPI',
#    { }
#  ),
#  (
#    "ldap://localhost:1390/",
#    'DIGEST-MD5',
#    {
#      ldap.sasl.CB_AUTHNAME :'fred',
#      ldap.sasl.CB_PASS     :'secret',
#    }
#  ),
]:

  sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict,sasl_mech)

  print 20*'*',sasl_auth.mech,20*'*'

  # Open the LDAP connection
  l = ldap.initialize(ldap_uri,trace_level=1)

  # Set protocol version to LDAPv3 to enable SASL bind!
  #l.protocol_version = 3
  l.protocol_version = ldap.VERSION3

  try:
    l.sasl_interactive_bind_s("", sasl_auth)
  except ldap.LDAPError,e:
    print 'Error using SASL mechanism ', sasl_auth.mech,str(e), sys.exc_info()
    traceback.print_tb(sys.exc_info()[2])
  else:
    print 'Successfully bound using SASL mechanism',sasl_auth.mech,'as',repr(l.whoami_s())

  l.unbind()
--------------------------------------------- end code ----------

Michael Ströder wrote:
> Gavin Doughtie wrote:
> > ldap.LOCAL_ERROR: {'desc': 'Local error'}
>
> Can you please catch the exception and display it using str()? See
> Demo/sasl_bind.py.
>
> I'm experimenting with GSSAPI right now but currently I'm getting:
>
> Error using SASL mechanism GSSAPI {'info': 'SASL(-1): generic failure:
> GSSAPI Error: Miscellaneous failure (see text) (Incorrect net
> address)', 'desc': 'Local error'}
>
> Ciao, Michael.
--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821

From michael at stroeder.com Thu Apr 8 19:55:42 2004
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 08 Apr 2004 19:55:42 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <40758BCA.5040505@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com> <40758BCA.5040505@anim.dreamworks.com>
Message-ID: <4075921E.3040700@stroeder.com>

Gavin Doughtie wrote:
> Here's the complete scoop:
> [..]
> Name        : krb5-workstation             Relocations: (not relocateable)
> [..]
> URL         : http://web.mit.edu/kerberos/www/

It seems you're using the MIT Kerberos implementation which is known to
have some issues with OpenLDAP (mainly because it's not thread-safe). In
contrast to that I'm using the heimdal implementation.

http://www.pdc.kth.se/heimdal/

As I said I do not have much experience with Kerberos. It simply works
for me. It seems I can't really help with your setup.

Ciao, Michael.

From gdoughtie at anim.dreamworks.com Thu Apr 8 19:28:42 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Thu, 08 Apr 2004 10:28:42 -0700
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4075427E.2020902@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com>
Message-ID: <40758BCA.5040505@anim.dreamworks.com>

Here's the complete scoop:

marlin [~/src/mod/python/users](SHARK)(90)> rpm -qi krb5-workstation
Name        : krb5-workstation             Relocations: (not relocateable)
Version     : 1.2.7                             Vendor: (none)
Release     : 14                            Build Date: Wed 13 Aug 2003 03:33:05 PM PDT
Install Date: Thu 25 Mar 2004 09:36:58 AM PST      Build Host: tuna.anim.dreamworks.com
Group       : System Environment/Base       Source RPM: krb5-1.2.7-14.src.rpm
Size        : 1229404                          License: MIT, freely distributable.
Signature   : DSA/SHA1, Wed 12 Nov 2003 01:33:16 PM PST, Key ID c4e64780ae5317ff
URL         : http://web.mit.edu/kerberos/www/
Summary     : Kerberos 5 programs for use on workstations.
Description :
Kerberos is a network authentication system. The krb5-workstation
package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd) as well as kerberized versions of Telnet and FTP. If your
network uses Kerberos, this package should be installed on every
workstation.
marlin [~/src/mod/python/users](SHARK)(91)> rpm -qi cyrus-sasl
Name        : cyrus-sasl                   Relocations: (not relocateable)
Version     : 2.1.15                            Vendor: Red Hat, Inc.
Release     : 3                             Build Date: Thu 21 Aug 2003 12:27:29 PM PDT
Install Date: Thu 25 Mar 2004 09:38:29 AM PST      Build Host: daffy.perf.redhat.com
Group       : System Environment/Libraries  Source RPM: cyrus-sasl-2.1.15-3.src.rpm
Size        : 534045                           License: Freely Distributable
Signature   : DSA/SHA1, Wed 24 Sep 2003 11:11:29 AM PDT, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc.
URL         : http://asg.web.cmu.edu/sasl/sasl-library.html
Summary     : The Cyrus SASL library.
Description :
The cyrus-sasl package contains the Cyrus implementation of SASL. SASL
is the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
marlin [~/src/mod/python/users](SHARK)(92)> kinit --no-addresses
kinit: invalid option -- -
kinit: invalid option -- n
kinit: invalid option -- o
kinit: invalid option -- -
kinit: invalid option -- a
kinit: invalid option -- d
kinit: invalid option -- d
Bad lifetime value esses
Usage: kinit [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-f | -F] [-p | -P] [-A] [-v] [-R] [-k [-t keytab_file]] [-c cachename] [-S service_name] [principal]
    options:    valid with Kerberos:
    -5 Kerberos 5 (available)
    -4 Kerberos 4 (available)
     (Default behavior is to try Kerberos 5)
    -V verbose                   Either 4 or 5
    -l lifetime                  Either 4 or 5
    -s start time                5
    -r renewable lifetime        5
    -f forwardable               5
    -F not forwardable           5
    -p proxiable                 5
    -P not proxiable             5
    -A do not include addresses  5
    -v validate                  5
    -R renew                     5, or both 5 and 4
    -k use keytab                5, or both 5 and 4
    -t filename of keytab to use 5, or both 5 and 4
    -c Kerberos 5 cache name     5
    -S service                   5, or both 5 and 4
marlin [~/src/mod/python/users](SHARK)(93)> kinit -A
Password for gdoughtie at ANIM.DREAMWORKS.COM:
marlin [~/src/mod/python/users](SHARK)(94)> python sasl
sasl_bind.py~  sasl_bind.py
marlin [~/src/mod/python/users](SHARK)(94)> python sasl_bind.py
******************** GSSAPI ********************
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.sasl_interactive_bind_s (('', , None, None),{})
Error using SASL mechanism GSSAPI {'desc': 'Local error'} (, , )
  File "sasl_bind.py", line 72, in ?
    l.sasl_interactive_bind_s("", sasl_auth)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s
    return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,serverctrls,clientctrls)
  File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
    result = func(*args,**kwargs)
*** ldap://etzadaat.anim.dreamworks.com:389/ - SimpleLDAPObject.unbind_ext ((None, None),{})

Michael Ströder wrote:
> Gavin Doughtie wrote:
>
>> OK, here's the result from running my modified sasl_bind.py (below):
>>
>> marlin [~/src/mod/python/users](SHARK)(55)> kinit
>> Password for gdoughtie at ANIM.DREAMWORKS.COM:
>
> Could you please try with
>
>   kinit --no-addresses
>
>> Error using SASL mechanism GSSAPI {'desc': 'Local error'}
>
> Hmm, really no 'info' field?
>
> What Kerberos lib are you using?
>
> I'm using heimdal 0.6 and cyrus-sasl 2.1.15 shipped with my SuSE 9.0
> system.
>
> If anything goes wrong there's a message in the 'info' field containing
> also Kerberos-related text.
>
> Ciao, Michael.

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821

From gdoughtie at anim.dreamworks.com Thu Apr 8 22:49:28 2004
From: gdoughtie at anim.dreamworks.com (Gavin Doughtie)
Date: Thu, 08 Apr 2004 13:49:28 -0700
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4075921E.3040700@stroeder.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com> <40758BCA.5040505@anim.dreamworks.com> <4075921E.3040700@stroeder.com>
Message-ID: <4075BAD8.6000804@anim.dreamworks.com>

Does the example below work on your system (or anybody else's on this
list?) This is the example I've been using to test sasl_bind with a
little cleanup.

-------------------- 8< -----------------------------------
# For documentation, see comments in Module/LDAPObject.c and the
# ldap.sasl module documentation.
import traceback
import sys
import ldap,ldap.sasl

ldap.sasl._trace_level=0
ldap.set_option(ldap.OPT_DEBUG_LEVEL,0)

############### CHANGE THIS TO YOUR SERVER ##################
MY_LDAP_SERVER = "ldap://put.your.server.url.here/"

for ldap_uri,sasl_mech,sasl_cb_value_dict in [
  (
    MY_LDAP_SERVER,
    'GSSAPI',
    {
      ldap.sasl.CB_AUTHNAME :'',
      ldap.sasl.CB_PASS     :'',
    }
  ),
]:

  sasl_auth = ldap.sasl.sasl(sasl_cb_value_dict,sasl_mech)

  print 20*'*',sasl_auth.mech,20*'*'

  # Open the LDAP connection
  l = ldap.initialize(ldap_uri,trace_level=1)

  # Set protocol version to LDAPv3 to enable SASL bind!
  l.protocol_version = ldap.VERSION3

  try:
    l.sasl_interactive_bind_s("", sasl_auth)
  except ldap.LDAPError,e:
    print 'Error using SASL mechanism ', sasl_auth.mech,str(e), sys.exc_info()
    traceback.print_tb(sys.exc_info()[2])
  else:
    print 'Successfully bound using SASL mechanism',sasl_auth.mech,'as',repr(l.whoami_s())

  l.unbind()
-------------------- 8< -----------------------------------

Michael Ströder wrote:
> Gavin Doughtie wrote:
> > Here's the complete scoop:
> > [..]
> > Name        : krb5-workstation             Relocations: (not
> relocateable)
> > [..]
> > URL         : http://web.mit.edu/kerberos/www/
>
> It seems you're using the MIT Kerberos implementation which is known to
> have some issues with OpenLDAP (mainly because it's not thread-safe). In
> contrast to that I'm using the heimdal implementation.
>
> http://www.pdc.kth.se/heimdal/
>
> As I said I do not have much experience with Kerberos. It simply works
> for me. It seems I can't really help with your setup.
>
> Ciao, Michael.
>

--
Gavin Doughtie
DreamWorks SKG
(818) 695-3821

From paul at subsignal.org Fri Apr 9 00:38:07 2004
From: paul at subsignal.org (paul k)
Date: Fri, 09 Apr 2004 00:38:07 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4075BAD8.6000804@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com> <40758BCA.5040505@anim.dreamworks.com> <4075921E.3040700@stroeder.com> <4075BAD8.6000804@anim.dreamworks.com>
Message-ID: <4075D44F.40105@subsignal.org>

Gavin Doughtie wrote:
> Does the example below work on your system (or anybody else's on this
> list?)

Your code looks strange to me but I'm by no means an expert here. I can
confirm that if I set my hostname and change digest-md5 to gssapi in the
provided sasl_bind.py from the Demo directory, SASL GSSAPI binds work
fine against OpenLDAP 2.2.8 with SASL 2.1.17 and both MIT Kerberos 1.3.1
and a current heimdal snapshot from late March. Python versions are 2.2.3
and 2.3.3, python-ldap is pre19, system is Linux 2.6.

######### code from sasl_bind.py ##################
import ldap, ldap.sasl

l = ldap.initialize("ldap://localhost")
auth = ldap.sasl.gssapi("")
l.sasl_bind_s("", auth)
res = l.search_s("dc=nil,dc=b17",ldap.SCOPE_BASE,"(objectClass=*)")
print res
l.unbind()

######### results #########################
nil python-test # python sasl_bind.py
SASL/GSSAPI authentication started
SASL username: root at B17
SASL SSF: 56
SASL installing layers
[('dc=nil,dc=b17', {'objectClass': ['top', 'dcObject', 'domain', 'domainRelatedObject'], 'associatedDomain': ['nil.b17'], 'dc': ['nil']})]

hth
Paul

From michael at stroeder.com Fri Apr 9 21:52:43 2004
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 09 Apr 2004 21:52:43 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4075BAD8.6000804@anim.dreamworks.com>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com> <40758BCA.5040505@anim.dreamworks.com> <4075921E.3040700@stroeder.com> <4075BAD8.6000804@anim.dreamworks.com>
Message-ID: <4076FF0B.5070706@stroeder.com>

Gavin Doughtie wrote:
> Does the example below work on your system (or anybody else's on this
> list?)

Yes, it simply works. Due to my local setup without DNS I have to use
kinit --no-addresses when obtaining the TGT. After running the program I
also have a ticket for the LDAP service.

$ klist
Credentials cache: FILE:/tmp/krb5cc_500
        Principal: michael at STROEDER.COM

  Issued           Expires          Principal
Apr  9 21:51:00  Apr 10 07:51:00  krbtgt/STROEDER.COM at STROEDER.COM
Apr  9 21:51:02  Apr 10 07:51:00  ldap/localhost at STROEDER.COM

Ciao, Michael.

From michael at stroeder.com Fri Apr 9 21:54:29 2004
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 09 Apr 2004 21:54:29 +0200
Subject: ldap.sasl.gssapi example?
In-Reply-To: <4075D44F.40105@subsignal.org>
References: <407317A2.4060008@anim.dreamworks.com> <4073D650.3060507@stroeder.com> <40743CCF.8050102@anim.dreamworks.com> <4075427E.2020902@stroeder.com> <40758BCA.5040505@anim.dreamworks.com> <4075921E.3040700@stroeder.com> <4075BAD8.6000804@anim.dreamworks.com> <4075D44F.40105@subsignal.org>
Message-ID: <4076FF75.2070502@stroeder.com>

paul k wrote:
> Gavin Doughtie wrote:
>
>> Does the example below work on your system (or anybody else's on this
>> list?)
>
> Your code looks strange to me

His code is taken from Demo/sasl_bind.py and is correct.

> auth = ldap.sasl.gssapi("")

ldap.sasl.gssapi is just a primitive convenience wrapper class around
ldap.sasl.sasl for GSSAPI.

Ciao, Michael.
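Picking up the referrals thread: Michael Ströder's suggestion above is to switch off automatic chasing with ldap.set_option(ldap.OPT_REFERRALS,0) and catch ldap.REFERRAL, which carries the LDAP URL of the server the write was referred to, and Jerome Alet later summarises what he wants as "do all reads from the slave and all writes to the master". The code below is an added example written for this edit; it is not python-ldap's Demo code and not anything posted in the thread. It assumes the shape of the ldap.REFERRAL exception (a dict argument whose 'info' field holds "Referral:" followed by one LDAP URL per line), uses made-up host names (ldap-replica.example.org, ldap-master.example.org) and a made-up DN, and is Python 3 rather than the Python 2.3 of the thread. Two practitioner points are built in: the referred host is checked against an allow-list before the application's credentials are sent to it, and the connection to the referred server is bound with the application's own credentials instead of letting libldap re-bind on its own (with the default OPT_REFERRALS and no rebind callback, libldap reaches the master anonymously, which is one way to end up with the strongAuthRequired / 'modifications require authentication' result quoted in the first post).

```python
"""Read from the replica, write to the master by following the LDAP referral.

Added example for the referrals thread (Python 3); not python-ldap Demo code and
not code posted by anyone here.  Assumes that with ldap.OPT_REFERRALS = 0
python-ldap raises ldap.REFERRAL for a referred write, with the referred LDAP
URL(s) in the 'info' field of its dict argument ("Referral:\n" + URLs).  The
example.org host names and the DN below are made up.
"""
import re
from urllib.parse import urlsplit

try:
    import ldap                      # python-ldap, needed only against a real server
    ReferralError = ldap.REFERRAL
    MOD_REPLACE = ldap.MOD_REPLACE
except ImportError:                  # lets the referral logic run without python-ldap
    MOD_REPLACE = 2                  # value of LDAP_MOD_REPLACE

    class ReferralError(Exception):
        """Stand-in for ldap.REFERRAL, carrying the same dict argument."""

_LDAP_URL = re.compile(r"ldaps?://\S+", re.IGNORECASE)


def referral_urls(exc):
    """Pull every LDAP URL out of a ldap.REFERRAL exception (there may be several)."""
    info = ""
    if exc.args and isinstance(exc.args[0], dict):
        info = exc.args[0].get("info") or ""
    return _LDAP_URL.findall(info)


def server_root(url):
    """'ldap://host:389/dc=example,dc=org' -> 'ldap://host:389' (drop the DN)."""
    parts = urlsplit(url)
    return "%s://%s" % (parts.scheme.lower(), parts.netloc)


def connect_and_bind(url, bind_dn, password):
    """Real python-ldap connection that does NOT chase referrals by itself.

    Left at the default, libldap follows the referral and, with no rebind
    callback installed, talks to the master anonymously: one way to collect the
    'modifications require authentication' error from the first post.
    Assumes python-ldap is installed.
    """
    conn = ldap.initialize(url)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.simple_bind_s(bind_dn, password)
    return conn


def write_via_referral(write, replica_url, connect, allowed_masters):
    """Run write(conn) on the replica; on ldap.REFERRAL redo it on the master.

    connect(server_root_url) must return a connection already bound with OUR
    credentials.  allowed_masters lists the host names we are prepared to send
    those credentials to: a replica you do not control could otherwise redirect
    the bind, and the write, to any server it names.
    Returns (result, URL the write actually went to).
    """
    conn = connect(server_root(replica_url))
    try:
        return write(conn), replica_url
    except ReferralError as exc:
        urls = referral_urls(exc)
        if not urls:
            raise                    # a referral without a URL cannot be followed
        for url in urls:
            if urlsplit(url).hostname in allowed_masters:
                return write(connect(server_root(url))), url
        raise RuntimeError("referral to unexpected host(s): " + ", ".join(urls))


# --- constructed stand-ins so the logic above can be exercised offline --------
REPLICA = "ldap://ldap-replica.example.org:389"
MASTER = "ldap://ldap-master.example.org:389"
BASE_DN = "dc=example,dc=org"


class FakeServer:
    """Constructed stand-in for a bound connection: the replica refers every
    write to the master, the master applies it to a shared dict."""

    def __init__(self, url, store):
        self.url, self.store = url, store

    def modify_s(self, dn, modlist):
        if self.url == REPLICA:
            raise ReferralError({"desc": "Referral",
                                 "info": "Referral:\n%s/%s" % (MASTER, BASE_DN)})
        for _op, attr, values in modlist:
            self.store.setdefault(dn, {})[attr] = values
        return self.url


def demo():
    """Write to the replica, get referred, and end up writing on the master."""
    store = {}
    result, where = write_via_referral(
        lambda c: c.modify_s("uid=jane,ou=people," + BASE_DN,
                             [(MOD_REPLACE, "mail", [b"jane@example.org"])]),
        REPLICA, lambda url: FakeServer(url, store),
        allowed_masters={"ldap-master.example.org"})
    return result, where, store
```

Against real servers, pass connect=lambda url: connect_and_bind(url, bind_dn, password) and a write such as lambda c: c.modify_s(dn, modlist); FakeServer and demo() exist only so the referral logic can be run without a directory. A referral may list several URLs (one per line in 'info'), which is why referral_urls() returns a list and the loop takes the first allow-listed one; anything not on the list is refused rather than bound to.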
From dman+yahoo at dman13.dyndns.org Wed Apr 7 16:49:07 2004
From: dman+yahoo at dman13.dyndns.org (Derrick 'dman' Hudson)
Date: Wed, 7 Apr 2004 10:49:07 -0400
Subject: referrals
In-Reply-To: <4073B34C.4020001@stroeder.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com>
Message-ID: <20040407144907.GC765@dman13.dyndns.org>

On Wed, Apr 07, 2004 at 09:52:44AM +0200, Michael Ströder wrote:
| >>Jerome Alet wrote:
| >>>Is there some code example somewhere on how to deal with them?

| You could try to let the OpenLDAP libs handle the referral by setting:
|
|   ldap.set_option(ldap.OPT_REFERRALS,1)

I tried this. (actually, I wrote
    ldap.set_option(ldap.OPT_REFERRALS, ldap.LDAP_OPT_ON)
instead of using a literal integer.)

| Note that referral handling in OpenLDAP libs is considered to be broken.

Indeed, it didn't work.

My experience, thus far, is that very few applications actually handle
referrals.
    gq:                   no
    web2ldap:             yes
    imp/horde:            no
    python-ldap/libldap2: no (not automatically, as noted above)

It was a rather disappointing discovery when setting up the fallback
server.

-D

--
"He is no fool who gives up what he cannot keep
 to gain what he cannot lose."
    --Jim Elliot

www: http://dman13.dyndns.org/~dman/            jabber: dman at dman13.dyndns.org

From michael at stroeder.com Fri Apr 9 23:25:53 2004
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 09 Apr 2004 23:25:53 +0200
Subject: referrals
In-Reply-To: <20040407144907.GC765@dman13.dyndns.org>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org>
Message-ID: <407714E1.5010809@stroeder.com>

First note that your From: address did not match your subscriber
address. Thus I had to manually approve your posting. Please post with
your subscriber address as From:.

Derrick 'dman' Hudson wrote:
>
> My experience, thus far, is that very few applications actually handle
> referrals.
> [..]
> It was a rather disappointing discovery when setting up the fallback
> server.

The point is that handling of referrals is not something you can solve
in a generic way because referrals are used for achieving different
goals.

Unless you provide more information about what you want to achieve in
*your* specific setup I can't give any real advice.

Ciao, Michael.

From alet at librelogiciel.com Fri Apr 9 23:37:49 2004
From: alet at librelogiciel.com (Jerome Alet)
Date: Fri, 9 Apr 2004 23:37:49 +0200
Subject: referrals
In-Reply-To: <407714E1.5010809@stroeder.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com>
Message-ID: <20040409213748.GC24599@mail.librelogiciel.com>

Good evening,

On Fri, Apr 09, 2004 at 11:25:53PM +0200, Michael Ströder wrote:
>
> The point is that handling of referrals is not something you can solve in a
> generic way because referrals are used for achieving different goals.
> Unless you provide more information about what you want to achieve in
> *your* specific setup I can't give any real advice.

In my particular case, my application just binds to a slave server and reads data successfully, but whenever I do an add or a modify, or a delete, I want to either have python-ldap rebind to the master (as hinted by the slave server it seems) and do the modification there instead of on the slave, or receive an exception with its arguments containing the master server's url and any other interesting information needed to have my own code do another bind and the modifications I wanted to do in the first place.

Not sure it is very clear. Summarised it could be: do all reads from the slave and all writes to the master.

bye

Jerome Alet
--
"Now that I'm connected to the Internet, everybody seems to know that I've got a small dick." - Me.

From michael at stroeder.com Fri Apr 9 23:52:45 2004
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 09 Apr 2004 23:52:45 +0200
Subject: referrals
In-Reply-To: <20040409213748.GC24599@mail.librelogiciel.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com> <20040409213748.GC24599@mail.librelogiciel.com>
Message-ID: <40771B2D.10102@stroeder.com>

Jerome Alet wrote:
>
> In my particular case, my application just binds to a slave server
> and reads data successfully, but whenever I do an add or a modify,
> or a delete, I want to either have python-ldap rebind to the master
> (as hinted by the slave server it seems) and do the modification
> there instead of on the slave, or receive an exception with its
> arguments containing the master server's url and any other
> interesting information needed to have my own code do another bind
> and the modifications I wanted to do in the first place.
>
> Not sure it is very clear. Summarised it could be: do all reads from
> the slave and all writes to the master.

Well, if your master providing write access is always the same server I don't see a need to use referrals at all. ;-)

Ciao, Michael.

From alet at librelogiciel.com Sat Apr 10 00:02:05 2004
From: alet at librelogiciel.com (Jerome Alet)
Date: Sat, 10 Apr 2004 00:02:05 +0200
Subject: referrals
In-Reply-To: <40771B2D.10102@stroeder.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com> <20040409213748.GC24599@mail.librelogiciel.com> <40771B2D.10102@stroeder.com>
Message-ID: <20040409220205.GD24599@mail.librelogiciel.com>

On Fri, Apr 09, 2004 at 11:52:45PM +0200, Michael Ströder wrote:
> Jerome Alet wrote:
> >
> >Not sure it is very clear. Summarised it could be: do all reads from
> >the slave and all writes to the master.
>
> Well, if your master providing write access is always the same server I
> don't see a need to use referrals at all. ;-)

I beg to differ: I'd prefer my program to ignore the LDAP architecture of the particular site, since it must work on many different ones.

I just want my software to deal with a single LDAP server at any time, and if for a particular operation python-ldap receives information telling it that another server should be asked for this operation instead, then I'd really like python-ldap to do all the dirty work automatically for me, and in the worst case, tell my program it can't but "here-is-the-server-to-ask-instead": in this case I'd modify my program to do another bind and retry the operation there, but if python-ldap already does this for me then I couldn't be more happy...

bye

Jerome Alet
--
"Now that I'm connected to the Internet, everybody seems to know that I've got a small dick." - Me.
From michael at stroeder.com Sat Apr 10 00:10:49 2004
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 10 Apr 2004 00:10:49 +0200
Subject: referrals
In-Reply-To: <20040409220205.GD24599@mail.librelogiciel.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com> <20040409213748.GC24599@mail.librelogiciel.com> <40771B2D.10102@stroeder.com> <20040409220205.GD24599@mail.librelogiciel.com>
Message-ID: <40771F69.6060706@stroeder.com>

Jerome Alet wrote:
>
> I'd prefer my program to ignore the LDAP
> architecture of the particular site, since it must work on
> many different ones.

I can understand this goal (see web2ldap) but...

> I just want my software to deal with a single LDAP server at any
> time, and if for a particular operation python-ldap receives
> information telling it that another server should be asked for this
> operation instead, then I'd really like python-ldap to do all the
> dirty work automatically for me,

Think about these aspects:

Which bind information (method, username or bind-DN, credentials) to use at the referred server?

Should the application continue to use the referred server after referral has been received or switch back to the original server?
(Hint: Think about referrals being knowledge references to other parts of the DIT vs. your master-slave scenario.)

You can believe me: I already thought about various aspects. I never came up with some ideas I was really confident it will work in a generic way.

Ciao, Michael.

From alet at librelogiciel.com Sat Apr 10 00:21:49 2004
From: alet at librelogiciel.com (Jerome Alet)
Date: Sat, 10 Apr 2004 00:21:49 +0200
Subject: referrals
In-Reply-To: <40771F69.6060706@stroeder.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com> <20040409213748.GC24599@mail.librelogiciel.com> <40771B2D.10102@stroeder.com> <20040409220205.GD24599@mail.librelogiciel.com> <40771F69.6060706@stroeder.com>
Message-ID: <20040409222149.GA25449@mail.librelogiciel.com>

On Sat, Apr 10, 2004 at 12:10:49AM +0200, Michael Ströder wrote:
>
> Think about these aspects:
>
> Which bind information (method, username or bind-DN, credentials) to use at
> the referred server?

isn't the information returned a complete LDAP url with all necessary information ?

> Should the application continue to use the referred server after referral
> has been received or switch back to the original server?
> (Hint: Think about referrals being knowledge references to other parts of
> the DIT vs. your master-slave scenario.)

Sh.t ! You're right !

Thanks for your help, you opened my eyes (and it's probably time to close them again until tomorrow, thinking about all this while sleeping)

bye

Jerome Alet
--
"Now that I'm connected to the Internet, everybody seems to know that I've got a small dick." - Me.
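The two design questions raised in this exchange (which bind information to use at the referred server, and whether to stay there afterwards) and the question of what the referral's LDAP URL actually contains, as an added Python example that is not code from the thread, from python-ldap or from either author. It assumes the OpenLDAP convention of reporting a referral as an info string "Referral:" followed by one LDAP URL per line (python-ldap surfaces this as the info field of its ldap.REFERRAL exception); the host names, DNs and master list are constructed sample values. The parser follows RFC 4516 and goes slightly beyond the thread by handling IPv6 literals and percent-encoded fields.

```python
"""Parse a referral and decide explicitly how to act on it (added example)."""
from urllib.parse import unquote


def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into its components.

    Note what is absent from the result because the URL format has no field
    for it: bind method, SASL mechanism, the client's bind DN, credentials.
    A referral says where to go, never how to authenticate there.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % (url,))
    hostport, _, rest = rest.partition("/")
    if hostport.startswith("["):                 # IPv6 literal such as [::1]:389
        host, _, port = hostport[1:].partition("]")
        port = port.lstrip(":")
    else:
        host, _, port = hostport.partition(":")
    # dn?attrs?scope?filter?extensions; every field optional and %-encoded
    fields = rest.split("?", 4)
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields
    return {
        "scheme": scheme,
        "host": host.lower(),
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "dn": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope.lower() or "base",
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": [e for e in exts.split(",") if e],
    }


def referral_urls(info):
    """Pull the URL list out of a REFERRAL exception's info string (assumed OpenLDAP form)."""
    lines = [line.strip() for line in info.splitlines()]
    if not lines or lines[0] != "Referral:":
        raise ValueError("unexpected referral info: %r" % (info,))
    return [line for line in lines[1:] if line]


class ReferralPolicy:
    """The two decisions the thread says cannot be made generically, made explicitly.

    1. Bind information: the same simple-bind DN and password are re-used, but
       only when the referred host is one the deployer configured as a writable
       master.  Any other host is refused, because a simple bind would hand the
       password to whatever host the referral named.
    2. Where to go afterwards: ``stick`` False sends the caller back to the
       original (read) server for the next operation, which is what a
       read-from-slave / write-to-master split wants; True keeps the master.
    """

    def __init__(self, masters, bind_dn, password, stick=False):
        self.masters = {m.lower() for m in masters}   # constructed allow-list
        self.bind_dn = bind_dn
        self.password = password
        self.stick = stick

    def plan(self, info):
        """Return (target, bind_dn, password, stick) for the first acceptable
        URL in the referral, or raise PermissionError if none is acceptable."""
        urls = referral_urls(info)
        for url in urls:
            target = parse_ldap_url(url)
            if target["host"] in self.masters:
                return target, self.bind_dn, self.password, self.stick
        raise PermissionError("referral names no configured master: %r" % (urls,))


# Constructed sample of what a read-only replica returns for a write attempt.
SAMPLE_INFO = "Referral:\nldap://ldap-master.example.com/cn=jalet,ou=people,dc=example,dc=com"
```

In an application the caller would catch ldap.REFERRAL around the add/modify/delete, pass `e.args[0]["info"]` to `plan()`, open a second connection to `target["host"]:target["port"]`, bind with the returned DN and password, and retry the same operation there; the PermissionError branch is the case to log rather than follow.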
From michael at stroeder.com Sat Apr 10 00:26:02 2004
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 10 Apr 2004 00:26:02 +0200
Subject: referrals
In-Reply-To: <20040409222149.GA25449@mail.librelogiciel.com>
References: <20040406172157.GA26138@mail.librelogiciel.com> <40733163.3090801@stroeder.com> <20040407070017.GB2371@mail.librelogiciel.com> <4073B34C.4020001@stroeder.com> <20040407144907.GC765@dman13.dyndns.org> <407714E1.5010809@stroeder.com> <20040409213748.GC24599@mail.librelogiciel.com> <40771B2D.10102@stroeder.com> <20040409220205.GD24599@mail.librelogiciel.com> <40771F69.6060706@stroeder.com> <20040409222149.GA25449@mail.librelogiciel.com>
Message-ID: <407722FA.8010802@stroeder.com>

Jerome Alet wrote:
> On Sat, Apr 10, 2004 at 12:10:49AM +0200, Michael Ströder wrote:
>
>>Think about these aspects:
>>
>>Which bind information (method, username or bind-DN, credentials) to use at
>>the referred server?
>
> isn't the information returned a complete LDAP url with all necessary
> information ?

Nope.

1. There's nothing in a LDAP URL containing bind method or SASL auth information.
2. It's probably not a good idea to put credentials (e.g. passwords) in a LDAP URL.

Ciao, Michael.

From key-ldap-dev at KSquared.NET Mon May 3 23:55:01 2004
From: key-ldap-dev at KSquared.NET (Ken Key)
Date: Mon, 3 May 2004 14:55:01 -0700 (PDT)
Subject: How to get msgid from ldap.result() call?
Message-ID: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net>

Hi Folks,

when calling ldap.result(msgid=ldap.RES_ANY) on several outstanding async client requests in python-ldap 2.0.0pre21, I cannot find a way to get the received message ID. In looking through the sources, it appears the information is never preserved. I locally hacked my copy of LDAPObject.c to make ldap.result() return a 3-part tuple of (result_type, result_data, result_msgid), where result_msgid = ldap_msgid(msg) after the msg was determined to be good.

I need the message ID to match up the reply with the originating request context. Am I missing something? Is there already a way to retrieve the msgid that I missed?

Thanks for any info,
K^2

From michael at stroeder.com Tue May 4 09:03:16 2004
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 04 May 2004 09:03:16 +0200
Subject: How to get msgid from ldap.result() call?
In-Reply-To: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net>
References: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net>
Message-ID: <40974034.7030804@stroeder.com>

Ken Key wrote:
>
> when calling ldap.result(msgid=ldap.RES_ANY) on several
> outstanding async client requests in python-ldap 2.0.0pre21, I
> cannot find a way to get the received message ID.

In current implementation the msgid is not passed to the calling application.

> In looking
> through the sources, it appears the information is never preserved.
> I locally hacked my copy of LDAPObject.c to make ldap.result()
> return a 3-part tuple of (result_type, result_data, result_msgid),
> where result_msgid = ldap_msgid(msg) after the msg was determined
> to be good.

Please provide a patch.

> I need the message ID to match up the reply with the
> originating request context.

This would also be very handy for a completely async LDAPObject implementation which dispatches results to calling threads without having to use thread locks around each _ldap call.

Ciao, Michael.

From key-ldap-dev at KSquared.NET Tue May 4 19:59:37 2004
From: key-ldap-dev at KSquared.NET (Ken Key)
Date: Tue, 4 May 2004 10:59:37 -0700 (PDT)
Subject: How to get msgid from ldap.result() call?
In-Reply-To: <40974034.7030804@stroeder.com>
References: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net> <40974034.7030804@stroeder.com>
Message-ID: <51293.199.46.30.140.1083693577.squirrel@www.ksquared.net>

>> In looking
>> through the sources, it appears the information is never preserved.
>> I locally hacked my copy of LDAPObject.c to make ldap.result()
>> return a 3-part tuple of (result_type, result_data, result_msgid),
>> where result_msgid = ldap_msgid(msg) after the msg was determined
>> to be good.
>
> Please provide a patch.

I've attached the diff below to the change I was testing in Modules/LDAPObject.c. It is not a complete fix, as I still need to go through the rest of the code to change the result() return handling to deal with the 3 element tuple. The hack was just a quick proof of concept change to see if I could get my proxy server to work. I'll work up a more complete patch in a couple of days.

Honestly, I half expected this idea to be rejected. Won't changing this return value break any 3rd party code that uses ldap.result() when they crack out the elements of the return tuple? I must confess that I am new to Python (and LDAP), so perhaps I'm asking a stupid question.

>> I need the message ID to match up the reply with the
>> originating request context.
>
> This would also be very handy for a completely async LDAPObject
> implementation which dispatches results to calling threads without having
> to use thread locks around each _ldap call.

I think I follow that, but it's a bit over my head. I'm just looking for a way to look up the client whose proxy request this reply was for.

Regards,
K^2

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: LDAPObject.c-diffs.txt
URL:

From michael at stroeder.com Tue May 4 20:12:25 2004
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 04 May 2004 20:12:25 +0200
Subject: How to get msgid from ldap.result() call?
In-Reply-To: <51293.199.46.30.140.1083693577.squirrel@www.ksquared.net>
References: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net> <40974034.7030804@stroeder.com> <51293.199.46.30.140.1083693577.squirrel@www.ksquared.net>
Message-ID: <4097DD09.2030301@stroeder.com>

Ken Key wrote:
>
> I've attached the diff below to the change I was testing in
> Modules/LDAPObject.c.

Thanks a lot.

> It is not a complete fix, as I still
> need to go through the rest of the code to change the result()
> return handling to deal with the 3 element tuple.
> [..]
> I'll work up a more complete patch in a couple of days.

Don't worry. I'll work that out.

> Honestly,
> I half expected this idea to be rejected. Won't changing this
> return value break any 3rd party code that uses ldap.result()
> when they crack out the elements of the return tuple?

I will probably preserve result() as is and provide a second method result2() or similar with class ldap.ldapobject.LDAPObject which returns the complete 3-tuple.

Ciao, Michael.

From key-ldap-dev at KSquared.NET Wed May 5 03:10:33 2004
From: key-ldap-dev at KSquared.NET (Ken Key)
Date: Tue, 4 May 2004 18:10:33 -0700 (PDT)
Subject: Why LDAPObject.._ldap_object_lock around library calls?
Message-ID: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net>

Hi Folks,

I'm having a little trouble with the _ldap_object_lock in the LDAPObject around ldap library function calls. Is the lock to protect against threads making function calls when the _ldap module is linked against the non-reentrant version of the libldap? That is, wouldn't it be safe to get rid of the _ldap_object_lock references in LDAPObject._ldap_call() if the module is linked against libldap_r? Or is there some other, non-threadsafe reason that I'm missing?

Thanks for any info,
K^2

From michael at stroeder.com Wed May 5 07:50:20 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 05 May 2004 07:50:20 +0200
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net>
Message-ID: <4098809C.5030302@stroeder.com>

Ken Key wrote:
>
> I'm having a little trouble with the _ldap_object_lock in the
> LDAPObject around ldap library function calls.

Which trouble do you have?

> Is the lock
> to protect against threads making function calls when the _ldap
> module is linked against the non-reentrant version of the libldap?
> That is, wouldn't it be safe to get rid of the _ldap_object_lock
> references in LDAPObject._ldap_call() if the module is linked
> against libldap_r? Or is there some other, non-threadsafe reason
> that I'm missing?

According to related postings on the OpenLDAP lists libldap_r is re-entrant on a per-connection basis. Therefore linking with libldap_r improves the situation since a finer-grained locking is used in LDAPObject class (see method _ldap_lock()).

Note that proper support for libldap_r also depends on the version of the OpenLDAP libs used.

Ciao, Michael.

From michael at stroeder.com Wed May 5 19:31:44 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 05 May 2004 19:31:44 +0200
Subject: python-ldap
In-Reply-To:
References:
Message-ID: <40992500.2070607@stroeder.com>

pnovess at mac.com wrote:
>
> I then tried to compile it from the tar.gz file. However, that complains
> of not finding a file that is supposed to be located within the directory
> of the extracted python-ldap directory. Did you forget to include
> Lib/ldap.py and schema.py in the Lib directory?

See item 6. on http://python-ldap.sourceforge.net/faq.shtml

> what is the long term support of LDAP within Python?

See item 1.
on http://python-ldap.sourceforge.net/faq.shtml

You're welcome to join the mailing list (Cc:-ed - rather low-traffic).

Ciao, Michael.

From michael at stroeder.com Wed May 5 20:04:00 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 05 May 2004 20:04:00 +0200
Subject: How to get msgid from ldap.result() call?
In-Reply-To: <4097DD09.2030301@stroeder.com>
References: <45120.199.46.30.140.1083621301.squirrel@www.ksquared.net> <40974034.7030804@stroeder.com> <51293.199.46.30.140.1083693577.squirrel@www.ksquared.net> <4097DD09.2030301@stroeder.com>
Message-ID: <40992C90.5060307@stroeder.com>

Michael Ströder wrote:
> Ken Key wrote:
>
>> It is not a complete fix, as I still
>> need to go through the rest of the code to change the result()
>> return handling to deal with the 3 element tuple.
>> [..]
>> I'll work up a more complete patch in a couple of days.
>
> Don't worry. I'll work that out.

I've checked in your patch with modifications to ldap.ldapobject (see below).

Modules/:
* New method result2() returns 3-tuple containing the msgid of the outstanding operation

ldap.ldapobject:
* LDAPObject.result2() (see above). LDAPObject.result() uses LDAPObject.result2().

Ciao, Michael.

From key at KSquared.NET Wed May 5 19:31:17 2004
From: key at KSquared.NET (Ken Key)
Date: Wed, 5 May 2004 10:31:17 -0700 (PDT)
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <4098809C.5030302@stroeder.com>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net> <4098809C.5030302@stroeder.com>
Message-ID: <60698.199.46.30.140.1083778277.squirrel@www.ksquared.net>

> Ken Key wrote:
>>
>> I'm having a little trouble with the _ldap_object_lock in the
>> LDAPObject around ldap library function calls.
>
> Which trouble do you have?

I have to admit that at this point the problem is theoretical. I have yet to implement the code. This is based on my visual inspection of how things work beneath me.

I need to have two threads, a Producer and Consumer (relative to LDAP), accessing LDAP library calls. The Producer thread idles on a work request Queue. It formulates async LDAP requests which result in async ldap_add/_modify/_delete/_search operations. The Consumer thread idles on the ldap_result(), takes the msgid to find the matching outstanding async operation, translates the results into a form for my proxy protocol and puts it on the work result Queue.

This means that the Consumer thread's idle state is sitting in the ldap_result() call (waiting on its select()). As a result, it will be holding the _ldap_object_lock() for the connection. When my Producer thread gets its work request, it cannot make its async calls as it will be blocked on the self._ldap_object_lock.acquire()

>> Is the lock
>> to protect against threads making function calls when the _ldap
>> module is linked against the non-reentrant version of the libldap?
>> That is, wouldn't it be safe to get rid of the _ldap_object_lock
>> references in LDAPObject._ldap_call() if the module is linked
>> against libldap_r? Or is there some other, non-threadsafe reason
>> that I'm missing?
>
> According to related postings on the OpenLDAP lists libldap_r is
> re-entrant
> on a per-connection basis. Therefore linking with libldap_r improves the
> situation since a finer-grained locking is used in LDAPObject class (see
> method _ldap_lock()).

However, the lock is still across all methods of an instance of the LDAPObject, and thus in force for all operations on the connection, across all threads. That's the problem.

> Note that proper support for libldap_r also depends on the version of the
> OpenLDAP libs used.

Understood. I was trying to determine if there were reasons beyond the underlying binary OpenLDAP client libraries that the locking was in place. If not, I was thinking of overriding the _ldap_call() in my own class and eliminating it, since the ldap_r is a requirement for my proxy's environment.

At this point the question is mostly academic for me, as I am changing my model to a pool of worker-threads, each with their own connection. I kinda hate doing that as it can't be as efficient as sharing the connection and processing async. I may switch back if I can figure out how to do so safely.

Thanks for the info!
K^2

From key-ldap-dev at KSquared.NET Wed May 5 21:26:12 2004
From: key-ldap-dev at KSquared.NET (Ken Key)
Date: Wed, 5 May 2004 12:26:12 -0700 (PDT)
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <4098809C.5030302@stroeder.com>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net> <4098809C.5030302@stroeder.com>
Message-ID: <33093.199.46.30.140.1083785172.squirrel@www.ksquared.net>

Ah, I found the answer to my question. Since we store the thread state in the LDAPObject instance, the object cannot be shared between my two threads.

I tossed together a prototype of the two-thread model I was thinking of. With the LDAPObject._ldap_lock in place, I got the deadlock I was afraid of. When I removed the _ldap_lock.acquire/release in _ldap_call() I got the "saving thread twice?" fatal error from the LDAP_BEGIN_ALLOW_THREADS() when the second thread makes the second function call.

This message may arrive out-of-order with my original reply, sorry about that. I forgot to reset my From: line.

Cheers,
K^2

From michael at stroeder.com Wed May 5 21:58:01 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 05 May 2004 21:58:01 +0200
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <60698.199.46.30.140.1083778277.squirrel@www.ksquared.net>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net> <4098809C.5030302@stroeder.com> <60698.199.46.30.140.1083778277.squirrel@www.ksquared.net>
Message-ID: <40994749.50006@stroeder.com>

Ken Key wrote:
>
> I need to have two threads, a Producer and Consumer (relative to LDAP),
> [..]
> translates the results into
> a form for my proxy protocol and puts it on the work result Queue.

I probably don't understand what you're after. However I try to give some answers.

>>According to related postings on the OpenLDAP lists libldap_r is
>>re-entrant
>>on a per-connection basis. Therefore linking with libldap_r improves the
>>situation since a finer-grained locking is used in LDAPObject class (see
>>method _ldap_lock()).
>
> However, the lock is still across all methods of an instance of the
> LDAPObject, and thus in force for all operations on the connection,
> across all threads. That's the problem.

Your threads should use different LDAP connections thus LDAPObject instances.

> I was trying to determine if there were reasons beyond the
> underlying binary OpenLDAP client libraries that the locking was in
> place.

The OpenLDAP libs are the problem. Nothing in python-ldap requires the locks.

> If not, I was thinking of overriding the _ldap_call() in
> my own class and eliminating it, since the ldap_r is a requirement
> for my proxy's environment.

Don't do this! The OpenLDAP libs are not re-entrant within one connection context. See OpenLDAP mailing list archives for details.

Ciao, Michael.

From michael at stroeder.com Wed May 5 22:03:16 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 05 May 2004 22:03:16 +0200
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <33093.199.46.30.140.1083785172.squirrel@www.ksquared.net>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net> <4098809C.5030302@stroeder.com> <33093.199.46.30.140.1083785172.squirrel@www.ksquared.net>
Message-ID: <40994884.2080409@stroeder.com>

Ken Key wrote:
> Ah, I found the answer to my question. Since we store the thread
> state in the LDAPObject instance, the object cannot be shared between
> my two threads.

It can be shared. That's what the locks are for. But not in a completely async manner like you're trying.

Maybe your problem is that you are using result2() in a blocking manner. You can let it somewhat poll the results. But this is CPU intensive. (History: I had a non-blocking version of result() in former versions of python-ldap to avoid locking over long time spans. But some people experienced serious problems with it.)

> I tossed together a prototype of the two-thread model I was thinking of.
> With the LDAPObject._ldap_lock in place, I got the deadlock I was
> afraid of. When I removed the _ldap_lock.acquire/release in
> _ldap_call() I got the "saving thread twice?" fatal error from the
> LDAP_BEGIN_ALLOW_THREADS() when the second thread makes the second
> function call.

Don't mess around with the locks! They are needed because of the OpenLDAP libs.

Ciao, Michael.

From key-ldap-dev at KSquared.NET Wed May 5 22:32:37 2004
From: key-ldap-dev at KSquared.NET (Ken Key)
Date: Wed, 5 May 2004 13:32:37 -0700 (PDT)
Subject: Why LDAPObject.._ldap_object_lock around library calls?
In-Reply-To: <40994749.50006@stroeder.com>
References: <56341.199.46.30.140.1083719433.squirrel@www.ksquared.net> <4098809C.5030302@stroeder.com> <60698.199.46.30.140.1083778277.squirrel@www.ksquared.net> <40994749.50006@stroeder.com>
Message-ID: <33412.199.46.30.140.1083789157.squirrel@www.ksquared.net>

> Don't do this! The OpenLDAP libs are not re-entrant within one connection
> context. See OpenLDAP mailing list archives for details.
>

Ahh. This is the crux of my problem! I was working on the mistaken assumption that the ldap_r library version was fully (operational) thread-safe. As you can tell, I'm a newbie to LDAP as well as Python.

Thanks for saving me from myself!
K^2

From tesno2 at hotmail.com Tue May 11 23:06:40 2004
From: tesno2 at hotmail.com (Jerry Lee)
Date: Tue, 11 May 2004 21:06:40 +0000
Subject: Where's the RES_BIND?
Message-ID:

Hello All,

I just dusted off a QT LDAP browser I had been working on and noticed it didn't work.
A bit of investigation revealed that after:

import ldap
>>> c = ldap.open(host='localhost', port=389)
>>> msg = c.bind("cn=root,o=University of Michigan,c=US","secret",ldap.AUTH_SIMPLE)
>>> msg
1
>>> status,res = c.result(msg,1,5)
>>> status
97

97? It used to be 'RES_BIND'..... Guess things have changed a bit :-)

Any idea where it might be documented what result is returning?? These docs:
http://python-ldap.sourceforge.net/doc/python-ldap/ldap-objects.html
seem a bit off.

Thanks in advance,
Jerry.

From dman at dman13.dyndns.org Tue May 11 23:23:37 2004
From: dman at dman13.dyndns.org (Derrick 'dman' Hudson)
Date: Tue, 11 May 2004 17:23:37 -0400
Subject: Where's the RES_BIND?
In-Reply-To:
References:
Message-ID: <20040511212337.GB1798@dman13.dyndns.org>

On Tue, May 11, 2004 at 09:06:40PM +0000, Jerry Lee wrote:
| Hello All,
|
| I just dusted off a QT LDAP browser I had been working on and noticed it
| didn't work.
| A bit of investigation revealed that after:
| import ldap
| >>> c = ldap.open(host='localhost', port=389)
| >>> msg = c.bind("cn=root,o=University of Michigan,c=US","secret",ldap.AUTH_SIMPLE)
| >>> msg
| 1
| >>> status,res = c.result(msg,1,5)
| >>> status
| 97
|
| 97? It used to be 'RES_BIND'.....
| Guess things have changed a bit :-)

Use the symbolic names provided by the module. Don't use string literals.

| Any idea where it might be documented what result is returning??

http://sourceforge.net/mailarchive/forum.php?forum_id=4346&max_rows=25&style=flat&viewmonth=200403&viewday=11

| These docs:
| http://python-ldap.sourceforge.net/doc/python-ldap/ldap-objects.html
| seem a bit off.

The docs are missing the module constants. One way to see what is available:

$ python
Python 2.3.3 (#2, Feb 24 2004, 09:29:20)
[GCC 3.3.3 (Debian)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ldap
>>> dir(ldap)

For the code shown above, use:

import ldap
[...]
status,res = c.result(msg,1,5)
if status == ldap.RES_BIND :
    print "result is BIND"

-D
--
\begin{humor}
Disclaimer: If I receive a message from you, you are agreeing that:
   1. I am by definition, "the intended recipient"
   2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on USENET or the WWW.
   3. I may take the contents as representing the views of your company.
   4. This overrides any disclaimer or statement of confidentiality that may be included on your message
\end{humor}
www: http://dman13.dyndns.org/~dman/    jabber: dman at dman13.dyndns.org

From michael at stroeder.com Wed May 12 20:05:03 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 12 May 2004 20:05:03 +0200
Subject: Where's the RES_BIND?
In-Reply-To:
References:
Message-ID: <40A2674F.7090201@stroeder.com>

Jerry Lee wrote:
>
> Any idea where it might be documented what result is returning??
> These docs:
> http://python-ldap.sourceforge.net/doc/python-ldap/ldap-objects.html
> seem a bit off.

Docs are already fixed in CVS version. I will release these updated docs ASAP.

Ciao, Michael.

From michael at stroeder.com Tue May 18 21:43:29 2004
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 18 May 2004 21:43:29 +0200
Subject: Leave Sourceforge?
Message-ID: <40AA6761.2050605@stroeder.com>

HI!

SF is a nice service for distributed development and the infrastructure is helpful for many projects. And we don't have to pay for it. So it was natural for David to move the python-ldap stuff to SF when he did not have much time to work on it himself anymore.

But sometimes using SF really drives me crazy!

- Some things, e.g.
the file-release system, have such a messy user interface with ad banners that it's really a waste of time to use it.
- Access is often damn slow
- Systems are quite often not available (e.g. can't login/CVS with ssh)
- SSL setup for web interface screwed up => security pop-ups

Furthermore:

- Since quite some time I'm the only developer who is really applying patches to the python-ldap code => there's no need for CVS access.
- Additionally the python-ldap project does not make use of many of the SF features (trackers are rarely used, the documentation is just on the normal web page, etc.).

Therefore I'd like to ask the community here if there are any objections against moving the python-ldap stuff away from SF.net into my own private web space (probably under http://www.stroeder.com/pylib/). In my private environment I can implement scripts for doing many things automagically which would save me a lot of time.

Ciao, Michael.

From gwidion at mpc.com.br Tue May 18 22:11:46 2004
From: gwidion at mpc.com.br (Joao S. O. Bueno)
Date: Tue, 18 May 2004 17:11:46 -0300
Subject: Leave Sourceforge?
In-Reply-To: <40AA6761.2050605@stroeder.com>
References: <40AA6761.2050605@stroeder.com>
Message-ID: <200405181711.46538.gwidion@mpc.com.br>

Hi,

I would have no problem with that at all.

If there is no problem with it, I think it would be important to redirect anyone who hits the current sourceforge development area to be sent to the new space.

Thank you for consulting the list at all.

JS
-><-

On Tuesday 18 May 2004 16:43, Michael Ströder wrote:
> HI!
>
> SF is a nice service for distributed development and the infrastructure is
> helpful for many projects. And we don't have to pay for it. So it was
> natural for David to move the python-ldap stuff to SF when he did not have
> much time to work on it himself anymore.
>
> But sometimes using SF really drives me crazy!
From michael at stroeder.com Tue May 18 22:27:32 2004
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 18 May 2004 22:27:32 +0200
Subject: Please update Win32 builds
Message-ID: <40AA71B4.6030801@stroeder.com>

HI!

I'd like to kindly ask maintainers of Win32 builds to update their binary distributions. Please....

Ciao, Michael.

From michael at stroeder.com Tue May 18 22:31:56 2004
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 18 May 2004 22:31:56 +0200
Subject: FYI: python-ldap at OpenLDAP booth, Linuxtag 2004
Message-ID: <40AA72BC.3000507@stroeder.com>

HI!

There will be an OpenLDAP booth at Linuxtag 2004, Karlsruhe, Germany (see http://www.linuxtag.org/2004/, currently Java-buggy) where I also participate and will present web2ldap. Of course I'm available to answer questions about python-ldap either.

Ciao, Michael.

From jens at dataflake.org Wed May 19 05:41:03 2004
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 18 May 2004 23:41:03 -0400
Subject: Leave Sourceforge?
In-Reply-To: <40AA6761.2050605@stroeder.com>
References: <40AA6761.2050605@stroeder.com>
Message-ID: <5A21B8CA-A946-11D8-9E0D-000D9368D272@dataflake.org>

> Therefore I'd like to ask the community here if there are any objections
> against moving the python-ldap stuff away from SF.net into my own private
> web space (probably under http://www.stroeder.com/pylib/). In my private
> environment I can implement scripts for doing many things automagically
> which would save me a lot of time.

+1

I'd do the same thing for any project where I would be the "last man standing" like you are.

jens

From ezust at users.sourceforge.net Sat May 22 18:55:00 2004
From: ezust at users.sourceforge.net (S. Alan Ezust)
Date: Sat, 22 May 2004 12:55:00 -0400
Subject: Which sha to use?
Message-ID: <200405221255.00262.ezust@users.sourceforge.net>

Hi, I'm new here.

Which SHA to use?
slappasswd claims to use SHA digests, but it's not the same as what the python sha built-in uses. Does the LDAP python library have its own sha interface that's compatible with slappasswd?

  >>> import sha
  >>> x = sha.new("foobar")
  >>> x.digest()
  '\x88C\xd7\xf9$\x16!\x1d\xe9\xeb\xb9c\xffL\xe2\x81%\x93(x'
  >>> x.hexdigest()
  '8843d7f92416211de9ebb963ff4ce28125932878'

  $ slappasswd
  New password: foobar
  {SSHA}ssib43Zm62dDYjKVLYg/IMXJMBJPMYDG

Why are these different anyway? Should I be using the sha built-in differently?

question #2: Is there a simple example of how to add the first user/sha-password/e-mail into a brand-new LDAP repository and then query it to get the user back?

--
S. Alan Ezust
Ottawa, Ontario, Canada
http://cartan.cas.suffolk.edu/~sae

From michael at stroeder.com Mon May 24 11:41:56 2004
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 24 May 2004 11:41:56 +0200
Subject: Which sha to use?
In-Reply-To: <200405221255.00262.ezust@users.sourceforge.net>
References: <200405221255.00262.ezust@users.sourceforge.net>
Message-ID: <40B1C364.9040101@stroeder.com>

S. Alan Ezust wrote:
>
> Which SHA to use? slappasswd claims to use SHA digests, but it's not the same
> as what the python sha built-in uses.

It is the same SHA-1 hash algorithm.

> $ slappasswd
> New password: foobar
> {SSHA}ssib43Zm62dDYjKVLYg/IMXJMBJPMYDG

This is a salted SHA-1 hash.
http://www.openldap.org/faq/data/cache/347.html

Ciao, Michael.

From mcicogni at libero.it Fri May 21 23:24:41 2004
From: mcicogni at libero.it (Mauro Cicognini)
Date: Fri, 21 May 2004 23:24:41 +0200
Subject: Leave Sourceforge?
In-Reply-To: <40AA6761.2050605@stroeder.com>
References: <40AA6761.2050605@stroeder.com>
Message-ID: <40AE7399.7080002@libero.it>

Michael Ströder wrote:
> - Since quite some time I'm the only developer who is really applying
> patches to the python-ldap code => there's no need for CVS access.
Too right :-(

I'm sad I can't contribute, I wish I could but I really am at a loss for time just to do what I must do.

This said, kudos to Michael, you're doing such a great job.

> Therefore I'd like to ask the community here if there are any
> objections against moving the python-ldap stuff away from SF.net into
> my own private web space (probably under
> http://www.stroeder.com/pylib/). In my private environment I can
> implement scripts for doing many things automagically which would save
> me a lot of time.

Well, I'd normally be against moving out of a shared space to a private one, but if it can make your life easier I am totally in favor.

+1.

Mauro

From mcicogni at libero.it Fri May 21 23:28:06 2004
From: mcicogni at libero.it (Mauro Cicognini)
Date: Fri, 21 May 2004 23:28:06 +0200
Subject: Please update Win32 builds
In-Reply-To: <40AA71B4.6030801@stroeder.com>
References: <40AA71B4.6030801@stroeder.com>
Message-ID: <40AE7466.5090403@libero.it>

Michael Ströder wrote:
> I'd like to kindly ask maintainers of Win32 builds to update their
> binary distributions.

I'll try. This will mean updating the win32 build of the OpenLDAP lib... which is currently evolving quite a bit (at long last!), so this will all be more complicated... but I'll try.

Don't hold your breath though, before the end of next week nothing will happen on my part :-(

Mauro

From brkbrh at hotmail.com Wed Jun 9 16:58:43 2004
From: brkbrh at hotmail.com (Becky Hepper)
Date: Wed, 09 Jun 2004 14:58:43 +0000
Subject: Certificate Confusion:hostname does not match CN

Hi,

I am working on a RH 9 Linux system. Below is the code I'm using:

  l = ldap.initialize('ldaps://x.x.x:636')
  l.protocol_version=ldap.VERSION3
  l.simple_bind_s("username", "password")
  l.unbind_s()

I got the following error: "SSL3_GET_SERVER_CERTIFICATE: certificate verify failed". So I asked the people that control the LDAP server for a key. They sent me the Netscape certificate: cert7.db & key3.db.
If I put those two files in my home directory and add this line to my code:

  ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack")

I get an error: "TLS: hostname does not match CN in peer certificate". Does anyone know what that error means? Can I use the cert7.db or does it have to be converted to a PEM file?

I get the same error if I use the following line in my code:

  ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/usr/share/ssl/cert.pem")

What is this cert.pem file that automatically gets installed? Is it just an example or did RH convert the cert7.db?

Thanks!

From dman at dman13.dyndns.org Wed Jun 9 19:42:11 2004
From: dman at dman13.dyndns.org (Derrick 'dman' Hudson)
Date: Wed, 9 Jun 2004 13:42:11 -0400
Subject: Certificate Confusion:hostname does not match CN
Message-ID: <20040609174211.GA16882@dman13.dyndns.org>

On Wed, Jun 09, 2004 at 02:58:43PM +0000, Becky Hepper wrote:
[...]
| I got the following error: "SSL3_GET_SERVER_CERTIFICATE: certificate
| verify failed".

The cert could be self-signed. Unless the CA (Certificate Authority) certificate is known (and trusted) by the client, the verification will fail because the client has no way to automatically trust the certificate.

| So I asked the people that control the LDAP server for a
| key. They sent me the Netscape certificate: cert7.db & key3.db. If I put
| those two files in my home directory and add this line to my code:
| ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack")

This solves that problem.

| I get an error: "TLS: hostname does not match CN in peer
| certificate". Does anyone know what that error means?

This means that you tried to connect to a machine using the name 'foo'. However the CN (Common Name) in the SSL certificate is 'bar'. The CN in the certificate needs to match the hostname used to connect in order for automatic verification to work.

One cause for this problem is a machine with multiple host names.
In this scenario, make sure you are using the name in the CN of the cert and not some other name that resolves to that host.

Another cause is a poorly made cert. If this is the case, have the server administrators recreate the cert and instruct them to specify the correct hostname as the CN for the cert.

BTW, you can demonstrate both of these "error" conditions with a web browser. The only difference is the browser then prompts the user and allows the user to manually choose to trust the cert when automatic verification fails.

HTH,
-D

--
"Open Source Software - Sometimes you get more than you paid for..."
www: http://dman13.dyndns.org/~dman/
jabber: dman at dman13.dyndns.org

From michael at stroeder.com Fri Jun 11 12:48:43 2004
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 11 Jun 2004 12:48:43 +0200
Subject: Certificate Confusion:hostname does not match CN
Message-ID: <40C98E0B.5010107@stroeder.com>

Becky Hepper wrote:
>
> I got the following error: "SSL3_GET_SERVER_CERTIFICATE: certificate
> verify failed". So I asked the people that control the LDAP server for
> a key. They sent me the Netscape certificate: cert7.db & key3.db. If I
> put those two files in my home directory and add this line to my code:
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, "/home/jack") I get an
> error: "TLS: hostname does not match CN in peer certificate".

??? How did you build python-ldap? I really wonder why this does anything useful.

> Can I use the cert7.db or does it
> have to be converted to a PEM file?

python-ldap uses the OpenLDAP libs which in turn use the OpenSSL libs which cannot handle Netscape certificate database files => you have to use PEM files.
> I get the same error if I use the
> following line in my code: ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,
> "/usr/share/ssl/cert.pem") What is this cert.pem file that
> automatically gets installed?

There's nothing automatically installed. cert.pem should contain the CA certificate against which the server certificate is validated.

Recommended reading:
http://www.openldap.org/faq/index.cgi?_highlightWords=ssl&file=185

Ciao, Michael.

From michael at stroeder.com Wed Jun 30 18:29:32 2004
From: michael at stroeder.com (Michael Ströder)
Date: Wed, 30 Jun 2004 18:29:32 +0200
Subject: Notes on ActivePython and IIS
In-Reply-To: <200406300908.36693.gfortune@mail.ewu.edu>
References: <200406300908.36693.gfortune@mail.ewu.edu>
Message-ID: <40E2EA6C.5010608@stroeder.com>

Greg Fortune wrote:
> I fought with the python-ldap module last night, but couldn't get it to behave
> properly. It would import when working on the command line or through
> PythonWin, but refused to import through ASP/IIS. I would get a module not
> found error message.

Please post a complete traceback.

> This morning, I tried the .exe installer from Mauro
> (python-ldap-2.0.0pre14.win32-py2.3.exe) and it worked like a charm.

Very often I had seg faults when using it with standard Python 2.3.3.

Ciao, Michael.

From gfortune at mail.ewu.edu Wed Jun 30 18:08:36 2004
From: gfortune at mail.ewu.edu (Greg Fortune)
Date: Wed, 30 Jun 2004 09:08:36 -0700
Subject: Notes on ActivePython and IIS
Message-ID: <200406300908.36693.gfortune@mail.ewu.edu>

I fought with the python-ldap module last night, but couldn't get it to behave properly. It would import when working on the command line or through PythonWin, but refused to import through ASP/IIS. I would get a module not found error message.

This morning, I tried the .exe installer from Mauro (python-ldap-2.0.0pre14.win32-py2.3.exe) and it worked like a charm.
It appears that the package from volker doesn't function properly with ActivePython through ASP (python-2.3-ldap-2.0.0pre11.win32.zip) although it might simply be the difference in version numbers.

btw, I installed the .zip file by copying the ldap directory and files into c:\Python23\Lib\site-packages so I believe I got it installed correctly.

Greg Fortune

From gfortune at mail.ewu.edu Wed Jun 30 21:04:49 2004
From: gfortune at mail.ewu.edu (Greg Fortune)
Date: Wed, 30 Jun 2004 12:04:49 -0700
Subject: Notes on ActivePython and IIS
In-Reply-To: <40E2EA6C.5010608@stroeder.com>
References: <200406300908.36693.gfortune@mail.ewu.edu> <40E2EA6C.5010608@stroeder.com>
Message-ID: <200406301204.49804.gfortune@mail.ewu.edu>

I'm on the list so no need to cc: me with your reply...

On Wednesday 30 June 2004 09:29 am, you wrote:
> Greg Fortune wrote:
> > I fought with the python-ldap module last night, but couldn't get it to
> > behave properly. It would import when working on the command line or
> > through PythonWin, but refused to import through ASP/IIS. I would get a
> > module not found error message.
>
> Please post a complete traceback.

##############
Without any ldap module installed on the ASP page.

-----------------------------------------------------
Traceback:
File "", line 7, in ?
exceptions.ImportError: No module named ldap
-----------------------------------------------------

From the command line, import ldap gives

  >>> import ldap
  Traceback (most recent call last):
    File "", line 1, in ?
  ImportError: No module named ldap

###############
After copying the contents of the zip file into the site-packages directory.

-----------------------------------------------------
Traceback:
File "", line 7, in ?
exceptions.ImportError: No module named ldap
-----------------------------------------------------

From the command line, it imports successfully.
################
After deleting the necessary files and installing via the .exe, the import is successful from both the command line and ASP.

Python version: 2.3.2 (#49, Nov 13 2003, 10:34:54) [MSC v.1200 32 bit (Intel)]

I wrapped the traceback to make sure we were getting a full traceback as it didn't look terribly helpful. The code on that page is as follows:

  <%@ LANGUAGE="Python" %>
  <%
  import sys
  if(Server.MapPath('/admin/libs') not in sys.path):
      sys.path.append(Server.MapPath('/admin/libs'))
  # '<br>' emits an HTML line break in the generated page
  Response.write(str(sys.version) + '<br>')
  try:
      import ldap
  except ImportError, err:
      (t, val, tb) = sys.exc_info()
      import traceback
      msg = '-----------------------------------------------------<br>'
      msg += 'Traceback:\n'
      msg += '<br>'.join(traceback.format_tb(tb)) + '<br>'
      msg += '%s: %s<br>' % (t, val)
      msg += '-----------------------------------------------------<br>'
      Response.write(msg)
  %>

> > This morning, I tried the .exe installer from Mauro
> > (python-ldap-2.0.0pre14.win32-py2.3.exe) and it worked like a charm.
>
> Very often I had seg faults when using it with standard Python 2.3.3.

This is with ActivePython, but it might have the same problem :(

I've used ldap with Python 2.3.3 (#1, May 25 2004, 08:52:15) [GCC 3.3.2 20031218 (Gentoo Linux 3.3.2-r5, propolice-3.3-7)] on linux2 and it seems to work fine. I'll watch for the segfaults...

Greg Fortune