From michael at stroeder.com Tue Apr 5 18:32:08 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 05 Apr 2005 18:32:08 +0200
Subject: problem with the case of attributes' names
In-Reply-To: <20050331171730.GA22753@mail.librelogiciel.com>
References: <20050331120646.GI13761@mail.librelogiciel.com> <424BFC26.2070607@stroeder.com> <20050331171730.GA22753@mail.librelogiciel.com>
Message-ID: <4252BD88.6000600@stroeder.com>

Jerome Alet wrote:
> On Thu, Mar 31, 2005 at 03:33:26PM +0200, Michael Ströder wrote:
>
> Am I right in thinking that each time I use search_s() I should
> transform the result this way so that the app doesn't care :
>
> --- CUT ---
> result = server.search_s(base, scope, filterexp, attributes)
> if result :
>     result = [ (dn, ldap.cidict.cidict(attrs)) for (dn, attrs) in result ]
> --- CUT ---

This may solve it. But note that there are also some alias problems.
One example from recent OpenLDAP schema:

  ( 2.5.4.9 NAME ( 'street' 'streetAddress' ) DESC ... )

> OK, so if I always transform the search results with the above code,
> and if I directly use these transformed results when calling
> modifyModlist() for both old and new entries, all should be fine ?

In theory everything should be fine regarding case of attribute type
names. But please test yourself!

Ciao, Michael.

From michael at stroeder.com Mon Apr 11 16:46:48 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Mon, 11 Apr 2005 16:46:48 +0200
Subject: AD sizelimit
Message-ID: <425A8DD8.3090104@stroeder.com>

geert.van.muylem at utimaco.be wrote:
> I have an Active Directory with some 9000 users.
> How can I retrieve all users with ldap. I only get back 1000 entries
> (which is the page size of AD)
> I've tried to set the pagesize to 10000, but still the same result

This is not a python-ldap issue.
Maybe you have more luck asking in an AD-specific forum like
news:microsoft.public.windows.server.active_directory

Ciao, Michael.

From geert.van.muylem at utimaco.be Tue Apr 5 01:53:17 2005
From: geert.van.muylem at utimaco.be (geert.van.muylem at utimaco.be)
Date: Tue, 5 Apr 2005 01:53:17 +0200
Subject: AD sizelimit

Hi all,

I have an Active Directory with some 9000 users.
How can I retrieve all users with ldap. I only get back 1000 entries
(which is the page size of AD)
I've tried to set the pagesize to 10000, but still the same result

  import sys
  import ldap
  import ldap.async

  l = ldap.open(gADServer)
  l.simple_bind_s(gADWho, gADCred)
  s = ldap.async.List(l)
  s.startSearch(ADContainer, searchScope, searchFilter, sizelimit=10000)
  try:
      partial = s.processResults()
  except ldap.SIZELIMIT_EXCEEDED:
      sys.stderr.write('Warning: Server-side size limit exceeded.\n')
  else:
      if partial:
          sys.stderr.write('Warning: Only partial results received.\n')
  sys.stdout.write('%d results received.\n' % (len(s.allResults)))

result:

  Warning: Server-side size limit exceeded.
  1000 results received.

Thanks,
Geert

From deepak at arlut.utexas.edu Mon Apr 11 19:50:45 2005
From: deepak at arlut.utexas.edu (Deepak Giridharagopal)
Date: Mon, 11 Apr 2005 12:50:45 -0500
Subject: AD sizelimit
Message-ID: <1113241845.6523.27.camel@csdpc10.arlut.utexas.edu>

On Tue, 2005-04-05 at 01:53 +0200, geert.van.muylem at utimaco.be wrote:
> I have an Active Directory with some 9000 users.
> How can I retrieve all users with ldap. I only get back 1000 entries
> (which is the page size of AD)
> I've tried to set the pagesize to 10000, but still the same result

I think that setting sizelimit to 10000 only sets a client-side limit on
the number of results to return. AD, however, imposes a server-side limit
of 1000, so that explains why the sizelimit argument you give has no
effect.
I've actually run into this, and there's 2 solutions I can think of:

1) Use the 'paged results' LDAP control (RFC 2696) to get your users in
   chunks. This would require using a CVS build of python-ldap since
   support for LDAP controls hasn't appeared in a release yet. I actually
   haven't tried this approach yet, but I will be soon for a project at my
   laboratory.

2) The quick fix: increase the pagesize on your AD server. Here's how:
   http://support.microsoft.com/default.aspx?scid=kb;en-us;315071&sd=tech
   Basically, you'll need to use ntdsutil.exe to modify the 'MaxPageSize'
   attribute.

Cheers!
deepak

-- 
Deepak Giridharagopal
Applied Research Laboratories
University of Texas at Austin

From michael at stroeder.com Sat Apr 16 11:40:43 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Sat, 16 Apr 2005 11:40:43 +0200
Subject: Help
In-Reply-To: <20050415103232.44853.qmail@web8404.mail.in.yahoo.com>
References: <20050415103232.44853.qmail@web8404.mail.in.yahoo.com>
Message-ID: <4260DD9B.7070005@stroeder.com>

sudhi ndra wrote:
> I have installed openldap2.2.24 successfully

Did you compile OpenLDAP with SASL support? Please post the output of

  ldd /libldap_r

> def sasl_interactive_bind_s(self,who,auth,serverctrls=None,clientctrls=None,sasl_flags=ldap.SASL_QUIET):
>
> AttributeError: 'module' object has no attribute 'SASL_QUIET'

Can you also please post your setup.cfg?

Ciao, Michael.
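The RFC 2696 paged-results approach Deepak recommends in option 1, as an added example that is not code from python-ldap or from anyone on this thread. It encodes and decodes the control value exactly as RFC 2696 defines it (SEQUENCE { size INTEGER, cookie OCTET STRING }) and runs a client paging loop against a constructed in-memory directory that, like the Active Directory in Geert's report, never returns more than 1000 entries per search but honours the control. PAGED_RESULTS_OID is the real control OID; FakeDirectory, its cookie format and the entry names are assumptions made for this demo. (Later python-ldap releases ship this control as ldap.controls.SimplePagedResultsControl, so the hand-rolled BER below is only needed to see what goes over the wire.)

```python
# Added example, not code from python-ldap or from the thread: an RFC 2696
# pagedResultsControl round trip against a constructed in-memory "server"
# that, like Active Directory in the thread, returns at most 1000 entries
# per search but honours the paging control. BER layout from RFC 2696:
#   realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }
# PAGED_RESULTS_OID is the real control OID; FakeDirectory, its cookie
# format and the entry names are assumptions made for this demo.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"
SERVER_MAX_PAGE = 1000      # the server-side cap the thread describes


def _ber_len(n):
    """BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n):
    """BER INTEGER for n >= 0; the extra byte keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return b"\x02" + _ber_len(len(body)) + body


def encode_paged_control(size, cookie=b""):
    """Control value sent by the client (and echoed back by the server)."""
    seq = _ber_int(size) + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(seq)) + seq


def _read_len(buf, pos):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_paged_control(value):
    """Return (size, cookie) from an encoded control value."""
    if value[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_len(value, 1)
    if value[pos] != 0x02:
        raise ValueError("expected INTEGER")
    ilen, pos = _read_len(value, pos + 1)
    size = int.from_bytes(value[pos:pos + ilen], "big", signed=True)
    pos += ilen
    if value[pos] != 0x04:
        raise ValueError("expected OCTET STRING")
    clen, pos = _read_len(value, pos + 1)
    return size, value[pos:pos + clen]


class FakeDirectory:
    """Constructed stand-in for a directory server with a MaxPageSize cap."""

    def __init__(self, entries):
        self.entries = list(entries)

    def search(self, control_value):
        requested, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        end = min(start + min(requested, SERVER_MAX_PAGE), len(self.entries))
        # An empty cookie in the response tells the client it has everything.
        next_cookie = b"" if end >= len(self.entries) else end.to_bytes(4, "big")
        return self.entries[start:end], encode_paged_control(0, next_cookie)


def paged_search(directory, page_size, max_pages=10000):
    """Loop over pages until the server returns an empty cookie.
    Returns (all entries, number of round trips). max_pages guards
    against a server that never empties its cookie."""
    results, cookie = [], b""
    for pages in range(1, max_pages + 1):
        page, response = directory.search(encode_paged_control(page_size, cookie))
        results.extend(page)
        _, cookie = decode_paged_control(response)
        if not cookie:
            return results, pages
    raise RuntimeError("server never returned an empty cookie")


if __name__ == "__main__":
    users = ["cn=user%d,cn=Users,dc=example,dc=com" % i for i in range(9000)]
    found, pages = paged_search(FakeDirectory(users), page_size=10000)
    print("%d entries in %d pages" % (len(found), pages))
```

Asking for 10000 per page still yields nine round trips of 1000, which is the behaviour Deepak describes: the client's page size is only a request, and the server clamps it to its own MaxPageSize. The cookie is opaque to the client and must be passed back unchanged; the only thing the client inspects is whether it is empty.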
From lakkur_sudhi at yahoo.co.in Fri Apr 15 12:32:32 2005
From: lakkur_sudhi at yahoo.co.in (sudhi ndra)
Date: Fri, 15 Apr 2005 11:32:32 +0100 (BST)
Subject: Help
Message-ID: <20050415103232.44853.qmail@web8404.mail.in.yahoo.com>

Hello,

I have installed openldap2.2.24 successfully and now I want to install the
python-ldap interface, so that I can access the LDAP server (on Red Hat 9)
from Plone using LDAPUserFolder. At this instance I got stuck with an error
which is as follows:

  [root at intranet1 python-ldap-2.0.2]# /usr/local/src/Zope-2.7.2-0/bin/python
  Python 2.3.3 (#1, Apr 14 2005, 11:06:41)
  [GCC 3.2.2 20030222 (Red Hat Linux 3.2.2-5)] on linux2
  Type "help", "copyright", "credits" or "license" for more information.
  >>> import ldap
  Traceback (most recent call last):
    File "", line 1, in ?
    File "/usr/local/lib/python2.3/site-packages/ldap/__init__.py", line 46, in ?
      from functions import open,initialize,init,explode_dn,explode_rdn,get_option,set_option
    File "/usr/local/lib/python2.3/site-packages/ldap/functions.py", line 34, in ?
      from ldap.ldapobject import LDAPObject
    File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 43, in ?
      class SimpleLDAPObject:
    File "/usr/local/lib/python2.3/site-packages/ldap/ldapobject.py", line 192, in SimpleLDAPObject
      def sasl_interactive_bind_s(self,who,auth,serverctrls=None,clientctrls=None,sasl_flags=ldap.SASL_QUIET):
  AttributeError: 'module' object has no attribute 'SASL_QUIET'
  >>>

Help me.......... Got stuck with this......

Thanks in advance
Bye
Sudhindra L A
Mail me to sudhindraa at karna.com

From sudhindra_be_cs at yahoo.co.in Mon Apr 18 08:34:08 2005
From: sudhindra_be_cs at yahoo.co.in (sudhindra aswathanarayana)
Date: Mon, 18 Apr 2005 07:34:08 +0100 (BST)
Subject: Help
Message-ID: <20050418063408.27233.qmail@web8201.mail.in.yahoo.com>

Hello,

I am configuring LDAPUserFolder with Zope in order to access an LDAP server
running on Red Hat Linux 9.0...... During startup of the Zope server..... I
got the following error.... help me to tackle the issue.

The error is as follows:

  [root at intranet1 bin]# ./runzope
  ------
  2005-04-18T12:03:36 INFO(0) ZServer HTTP server started at Mon Apr 18 12:03:36 2005
          Hostname: intranet1
          Port: 8080
  ------
  2005-04-18T12:03:36 INFO(0) ZServer FTP server started at Mon Apr 18 12:03:36 2005
          Hostname: intranet1
          Port: 8021
  ------
  2005-04-18T12:03:36 INFO(0) Zope Set effective user to "zope"
  ------
  2005-04-18T12:03:38 INFO(0) IngeniWeb NOTICE global_symbols.py:20:Mon Apr 18 12:03:38 2005: 'Starting /opt/zope/instance0/Products/GroupUserFolder at 4 debug level'
  ------
  2005-04-18T12:03:38 ERROR(200) Zope Could not import Products.LDAPUserFolder
  Traceback (most recent call last):
    File "/opt/zope/Zope2.7.2/lib/python/OFS/Application.py", line 660, in import_product
      product=__import__(pname, global_dict, global_dict, silly)
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/__init__.py", line 15, in ?
      from LDAPUserFolder import addLDAPUserFolderForm, \
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/LDAPUserFolder.py", line 27, in ?
      from LDAPUser import LDAPUser
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/LDAPUser.py", line 23, in ?
      from utils import _verifyUnicode, encoding
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/utils.py", line 25, in ?
      import ldap
    File "/opt/python23/lib/python2.3/site-packages/ldap/__init__.py", line 21, in ?
      from _ldap import *
  ImportError: libldap_r-2.2.so.7: cannot open shared object file: No such file or directory
  Traceback (most recent call last):
    File "/opt/zope/Zope2.7.2/lib/python/Zope/Startup/run.py", line 50, in ?
      run()
    File "/opt/zope/Zope2.7.2/lib/python/Zope/Startup/run.py", line 19, in run
      start_zope(opts.configroot)
    File "/opt/zope/Zope2.7.2/lib/python/Zope/Startup/__init__.py", line 51, in start_zope
      starter.startZope()
    File "/opt/zope/Zope2.7.2/lib/python/Zope/Startup/__init__.py", line 230, in startZope
      Zope.startup()
    File "/opt/zope/Zope2.7.2/lib/python/Zope/__init__.py", line 47, in startup
      _startup()
    File "/opt/zope/Zope2.7.2/lib/python/Zope/App/startup.py", line 45, in startup
      OFS.Application.import_products()
    File "/opt/zope/Zope2.7.2/lib/python/OFS/Application.py", line 637, in import_products
      import_product(product_dir, product_name, raise_exc=debug_mode)
    File "/opt/zope/Zope2.7.2/lib/python/OFS/Application.py", line 660, in import_product
      product=__import__(pname, global_dict, global_dict, silly)
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/__init__.py", line 15, in ?
      from LDAPUserFolder import addLDAPUserFolderForm, \
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/LDAPUserFolder.py", line 27, in ?
      from LDAPUser import LDAPUser
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/LDAPUser.py", line 23, in ?
      from utils import _verifyUnicode, encoding
    File "/opt/zope/Zope2.7.2/lib/python/Products/LDAPUserFolder/utils.py", line 25, in ?
      import ldap
    File "/opt/python23/lib/python2.3/site-packages/ldap/__init__.py", line 21, in ?
      from _ldap import *
  ImportError: libldap_r-2.2.so.7: cannot open shared object file: No such file or directory

Reply me
Thanks in advance
Bye
Sudhindra L A

From michael at stroeder.com Mon Apr 18 20:24:56 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Mon, 18 Apr 2005 20:24:56 +0200
Subject: Help
In-Reply-To: <20050418064204.47660.qmail@web8410.mail.in.yahoo.com>
References: <20050418064204.47660.qmail@web8410.mail.in.yahoo.com>
Message-ID: <4263FB78.9070609@stroeder.com>

sudhi ndra wrote:
> ldd:
> /usr/local/src/openldap-2.2.24/libraries/libldap_r: No
> such file or directory

/usr/local/src/openldap-2.2.24/libraries/libldap_r is the source directory
of libldap_r. Did you install OpenLDAP with 'make install'?

> My setup.cfg sent as attachment

The directories set with directive library_dirs are pointing to the source
directories. This will likely not work. OpenLDAP is not properly installed.

Ciao, Michael.

From michael at stroeder.com Mon Apr 18 20:26:56 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Mon, 18 Apr 2005 20:26:56 +0200
Subject: Help
In-Reply-To: <20050418063408.27233.qmail@web8201.mail.in.yahoo.com>
References: <20050418063408.27233.qmail@web8201.mail.in.yahoo.com>
Message-ID: <4263FBF0.5050405@stroeder.com>

sudhindra aswathanarayana wrote:
> ImportError: libldap_r-2.2.so.7: cannot open shared
> object file: No such file or directory

Similar to item 11. on http://python-ldap.sourceforge.net/faq.shtml

Ciao, Michael.

From michael at stroeder.com Wed Apr 20 19:17:39 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Wed, 20 Apr 2005 19:17:39 +0200
Subject: caching
In-Reply-To: <20050420170337.GA6521@mail.librelogiciel.com>
References: <20050420170337.GA6521@mail.librelogiciel.com>
Message-ID: <42668EB3.3080502@stroeder.com>

Jerome Alet wrote:
> is there some caching mechanism in python-ldap ?

No.

> if not wouldn't it be desirable to have one ?

Maybe.
It really depends...

Note that the caching in OpenLDAP client libs was considered broken.
That's why the wrapper code for making OpenLDAP's client-side caching
available to python-ldap was removed.

> if yes, I'm ok to try to do it.

I'd go for sub-classing LDAPObject and hook into method search_ext_s().
Well, caching for async search operations does not really make sense
anyway.

Issues which come to mind:
* There can be lots of subtle details to consider which might lead to
  different search results (e.g. access control, the ManageDSAIT controls,
  etc.)
* take care of flushing the right objects from your cache when modifying
  entries
* for security reasons flush your whole cache when (re-)binding on a
  given LDAP connection

I'm sure there are more issues...

Ciao, Michael.

From alet at librelogiciel.com Wed Apr 20 19:03:37 2005
From: alet at librelogiciel.com (Jerome Alet)
Date: Wed, 20 Apr 2005 19:03:37 +0200
Subject: caching
Message-ID: <20050420170337.GA6521@mail.librelogiciel.com>

Hi there,

while browsing the python-ldap documentation I couldn't find any way to
have python-ldap do some optional caching of retrieved data.

is there some caching mechanism in python-ldap ?

if not wouldn't it be desirable to have one ?

if yes, I'm ok to try to do it.

please tell

bye

Jerome Alet

From alet at librelogiciel.com Wed Apr 20 19:23:15 2005
From: alet at librelogiciel.com (Jerome Alet)
Date: Wed, 20 Apr 2005 19:23:15 +0200
Subject: caching
In-Reply-To: <42668EB3.3080502@stroeder.com>
References: <20050420170337.GA6521@mail.librelogiciel.com> <42668EB3.3080502@stroeder.com>
Message-ID: <20050420172315.GB6521@mail.librelogiciel.com>

On Wed, Apr 20, 2005 at 07:17:39PM +0200, Michael Ströder wrote:
> Note that the caching in OpenLDAP client libs was considered broken.
> That's why the wrapper code for making OpenLDAP's client-side caching
> available to python-ldap was removed.

I thought about python-ldap specific code, by modifying the search
methods and invalidating modified entries in the add/modify/delete
methods

> > if yes, I'm ok to try to do it.
>
> I'd go for sub-classing LDAPObject and hook into method search_ext_s().

Just what I thought at first glance.

> Issues which come to mind:
> * There can be lots of subtle details to consider which might lead to
>   different search results (e.g. access control, the ManageDSAIT controls,
>   etc.)
> * take care of flushing the right objects from your cache when modifying
>   entries
> * for security reasons flush your whole cache when (re-)binding on a
>   given LDAP connection
>
> I'm sure there are more issues...

Well, if I've got the time, I'll give it a try next week.

bye

Jerome Alet

From fabio.marcone at duet.it Fri Apr 22 18:21:09 2005
From: fabio.marcone at duet.it (Fabio Marcone)
Date: Fri, 22 Apr 2005 18:21:09 +0200
Subject: examples
Message-ID: <200504221821.09309.fabio.marcone@duet.it>

Hi!

I'm a newbie of python and ldap.

Deleting and search are ok, but I don't understand how to use modify and
add. I tried to study the source but without results.

Can anyone give me a full example using modify and add?

Thanks very much,

Fabio

-- 
Dott. Fabio Marcone
2T srl
Phone    +39 - 0871- 540154
Fax      +39 - 0871- 571594
Address  Viale B. Croce 573, 66013 Chieti Scalo (CH)

From jens at dataflake.org Fri Apr 22 18:34:43 2005
From: jens at dataflake.org (Jens Vagelpohl)
Date: Fri, 22 Apr 2005 18:34:43 +0200
Subject: examples
In-Reply-To: <200504221821.09309.fabio.marcone@duet.it>
References: <200504221821.09309.fabio.marcone@duet.it>

On Apr 22, 2005, at 18:21, Fabio Marcone wrote:
> Hi!
>
> I'm a newbie of python and ldap.
>
> Deleting and search are ok, but I don't understand how to use modify
> and add.
Please see the docs here:

  http://python-ldap.sourceforge.net/docs.shtml

jens

From Paul_S_Johnson at mnb.uscourts.gov Mon Apr 18 23:22:18 2005
From: Paul_S_Johnson at mnb.uscourts.gov (Paul_S_Johnson at mnb.uscourts.gov)
Date: Mon, 18 Apr 2005 16:22:18 -0500
Subject: Trouble compiling python-ldap: LDAP_SASL_QUIET

I hit an error when trying to build python-ldap. The first error
encountered:

  Modules/LDAPObject.c:574: error: `LDAP_SASL_QUIET' undeclared (first use in this function)

I am using Cyrus SASL on Solaris 9 SPARC 64-bit. I had to compile Cyrus
with the switch "--with-des=no" due to an error I was not able to resolve.
I am hoping this is not the cause.

Any ideas?

Thanks,
Paul.

Compilation output:
=================================================================
  mnbweb6 # python setup.py build
  extra_compile_args:
  extra_objects:
  include_dirs: /usr/local/openldap-OPENLDAP_REL_ENG_2_2/include /usr/local/sasl/include/sasl /usr/include/sasl /usr/local/include/sasl
  library_dirs: /usr/local/openldap-OPENLDAP_REL_ENG_2_2/lib /usr/local/sasl/lib /usr/local/lib/sasl2
  libs: ldap_r lber ssl crypto sasl2
  running build
  running build_py
  file Lib/ldap.py (for module ldap) not found
  file Lib/ldap/schema.py (for module ldap.schema) not found
  file Lib/ldap.py (for module ldap) not found
  file Lib/ldap/schema.py (for module ldap.schema) not found
  running build_ext
  building '_ldap' extension
  /usr/local/bin/gcc -fno-strict-aliasing -DNDEBUG -g -O3 -Wall -Wstrict-prototypes -fPIC -DHAVE_LIBLDAP_R -DHAVE_SASL -DHAVE_TLS -DLDAPMODULE_VERSION=2.0.6 -IModules -I/usr/local/openldap-OPENLDAP_REL_ENG_2_2/include -I/usr/local/sasl/include/sasl -I/usr/include/sasl -I/usr/local/include/sasl -I/usr/local/include/sasl -I/usr/local/include/python2.3 -c Modules/LDAPObject.c -o build/temp.solaris-2.9-sun4u-2.3/Modules/LDAPObject.o
  In file included from Modules/LDAPObject.c:20:
  /usr/local/include/sasl/sasl.h:343: warning: function declaration isn't a prototype
  Modules/LDAPObject.c: In function `interaction':
  Modules/LDAPObject.c:497: warning: unused variable `dflt'
  Modules/LDAPObject.c: In function `l_ldap_sasl_interactive_bind_s':
  Modules/LDAPObject.c:574: error: `LDAP_SASL_QUIET' undeclared (first use in this function)
  Modules/LDAPObject.c:574: error: (Each undeclared identifier is reported only once
  Modules/LDAPObject.c:574: error: for each function it appears in.)
  Modules/LDAPObject.c:593: warning: implicit declaration of function `ldap_sasl_interactive_bind_s'
  Modules/LDAPObject.c:564: warning: unused variable `cred'
  Modules/LDAPObject.c:571: warning: unused variable `version'
  Modules/LDAPObject.c:573: warning: unused variable `defaults'
  Modules/LDAPObject.c: In function `l_ldap_start_tls_s':
  Modules/LDAPObject.c:901: warning: implicit declaration of function `ldap_start_tls_s'
  Modules/LDAPObject.c: In function `l_ldap_passwd':
  Modules/LDAPObject.c:1003: warning: implicit declaration of function `ldap_passwd'
  Modules/LDAPObject.c: At top level:
  Modules/LDAPObject.c:980: warning: `l_ldap_passwd' defined but not used
  error: command '/usr/local/bin/gcc' failed with exit status 1

From michael at stroeder.com Fri Apr 29 14:16:10 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Fri, 29 Apr 2005 14:16:10 +0200
Subject: ANN: python-ldap-2.0.7
Message-ID: <4272258A.9040200@stroeder.com>

Find a new release of python-ldap:

  http://python-ldap.sourceforge.net/

python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema).
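Two earlier threads come together here: Jerome's question about wrapping search_s() results in a case-insensitive dict before feeding them to modifyModlist(), and Fabio's request for a worked modify/add example. The following is an added example, not code from python-ldap: a case-insensitive mapping standing in for ldap.cidict.cidict, the result-normalising step from Jerome's snippet, and addModlist/modifyModlist-style helpers that produce the tuples add_s() and modify_s() take. The MOD_* values are python-ldap's real constants; the sample entries are constructed, and the diff policy (one MOD_REPLACE per changed attribute) is this example's own choice.

```python
# Added example, not code from python-ldap: a case-insensitive attribute
# dictionary standing in for ldap.cidict.cidict, a helper that normalises
# search_s() results the way Jerome's snippet does, and addModlist /
# modifyModlist-style helpers producing tuples for add_s() and modify_s().
# MOD_* are python-ldap's real constants; the sample entries are constructed
# and the diff policy (MOD_REPLACE for changed attributes) is this example's.
from collections.abc import MutableMapping

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


class CIDict(MutableMapping):
    """Mapping whose keys compare case-insensitively while keeping the
    spelling a key was first stored under (LDAP attribute type names are
    case-insensitive, but each server returns them in its own spelling)."""

    def __init__(self, data=None):
        self._data = {}                  # lower-cased key -> (key, value)
        for key, value in dict(data or {}).items():
            self[key] = value

    def __getitem__(self, key):
        return self._data[key.lower()][1]

    def __setitem__(self, key, value):
        lkey = key.lower()
        original = self._data[lkey][0] if lkey in self._data else key
        self._data[lkey] = (original, value)

    def __delitem__(self, key):
        del self._data[key.lower()]

    def __iter__(self):
        return (key for key, _ in self._data.values())

    def __len__(self):
        return len(self._data)


def normalize_result(result):
    """Wrap every entry of a search_s() result in a CIDict."""
    return [(dn, CIDict(attrs)) for dn, attrs in result]


def add_modlist(entry):
    """Tuples for add_s(): (attr, values), skipping empty attributes."""
    return [(attr, list(values)) for attr, values in CIDict(entry).items() if values]


def modify_modlist(old_entry, new_entry, ignore_attr_types=()):
    """Diff two entries into modify_s() tuples, comparing attribute names
    case-insensitively and value lists as sets (order is not significant)."""
    old, new = CIDict(old_entry), CIDict(new_entry)
    ignore = {name.lower() for name in ignore_attr_types}
    modlist = []
    for attr, values in new.items():
        if attr.lower() in ignore:
            continue
        if attr not in old:
            modlist.append((MOD_ADD, attr, list(values)))
        elif set(values) != set(old[attr]):
            modlist.append((MOD_REPLACE, attr, list(values)))
    for attr in old:
        if attr.lower() not in ignore and attr not in new:
            modlist.append((MOD_DELETE, attr, None))
    return modlist


if __name__ == "__main__":
    # Constructed sample: what a server might return, and an edited copy
    # whose attribute names happen to be spelled differently.
    stored = {"objectClass": [b"inetOrgPerson"], "givenName": [b"Jerome"],
              "mail": [b"jerome@example.invalid"]}
    edited = {"objectclass": [b"inetOrgPerson"], "GIVENNAME": [b"Jerome"],
              "mail": [b"alet@example.invalid"], "description": [b"updated"]}
    for op in modify_modlist(stored, edited):
        print(op)          # only mail and description end up in the modlist
    print(add_modlist({"cn": [b"new"], "sn": [b"entry"], "description": []}))
```

Because both entries are wrapped in CIDict, "givenName" and "GIVENNAME" are recognised as the same attribute and no spurious modification is generated for it. Note Michael's caveat: this handles case only. Attribute aliases such as 'street' and 'streetAddress' are distinct keys here, and telling them apart needs subschema knowledge, not string comparison.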
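The caching design Michael and Jerome sketch in the "caching" thread (hook search_ext_s(), invalidate on add/modify/delete, flush everything on rebind), as an added example that is not python-ldap code. FakeConn is a constructed in-memory stand-in for ldap.LDAPObject so the demo runs offline; SCOPE_SUBTREE is python-ldap's real value. Searches that carry server controls bypass the cache entirely, since a control such as ManageDSAIT changes what the same search returns.

```python
# Added example, not python-ldap code: a read cache layered on top of a
# connection object, built the way the thread sketches it. Results are
# served from search_ext_s(), entries touched by modify/delete are
# invalidated, and the whole cache is flushed on (re)bind because the new
# identity may be subject to different access control. FakeConn is a
# constructed stand-in for ldap.LDAPObject; SCOPE_SUBTREE is python-ldap's
# real value. Searches with server controls (e.g. ManageDSAIT) bypass it.
import copy
import time

SCOPE_SUBTREE = 2


def _under(dn, base):
    """True if dn is base itself or lies beneath it (exact-string DNs)."""
    return dn == base or dn.endswith("," + base)


class FakeConn:
    """Constructed in-memory directory; subtree scope only, filter ignored."""

    def __init__(self, entries):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}
        self.searches = 0          # lets the demo count real round trips
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        self.bound_as = who

    def search_ext_s(self, base, scope, filterstr="(objectClass=*)",
                     attrlist=None, serverctrls=None):
        self.searches += 1
        return [(dn, copy.deepcopy(attrs)) for dn, attrs in self.entries.items()
                if _under(dn, base)]

    def modify_s(self, dn, modlist):
        for _op, attr, values in modlist:      # MOD_REPLACE semantics only
            self.entries[dn][attr] = list(values)

    def delete_s(self, dn):
        del self.entries[dn]


class CachingConn:
    def __init__(self, conn, ttl=30.0):
        self._conn = conn
        self._ttl = ttl
        self._cache = {}           # (base, scope, filter, attrs) -> (expiry, result)

    def flush(self):
        self._cache.clear()

    def simple_bind_s(self, who, cred):
        self.flush()               # never serve one identity's results to another
        return self._conn.simple_bind_s(who, cred)

    def search_ext_s(self, base, scope, filterstr="(objectClass=*)",
                     attrlist=None, serverctrls=None):
        if serverctrls:            # controls can change the result: do not cache
            return self._conn.search_ext_s(base, scope, filterstr, attrlist, serverctrls)
        key = (base, scope, filterstr, tuple(attrlist) if attrlist else None)
        now = time.monotonic()
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return copy.deepcopy(hit[1])       # callers must not mutate the cache
        result = self._conn.search_ext_s(base, scope, filterstr, attrlist)
        self._cache[key] = (now + self._ttl, result)
        return copy.deepcopy(result)

    def _invalidate(self, dn):
        # Drop every cached search whose base could have covered dn.
        for key in [k for k in self._cache if _under(dn, k[0])]:
            del self._cache[key]

    def modify_s(self, dn, modlist):
        try:
            return self._conn.modify_s(dn, modlist)
        finally:
            self._invalidate(dn)   # even on failure: the server state is unknown

    def delete_s(self, dn):
        try:
            return self._conn.delete_s(dn)
        finally:
            self._invalidate(dn)
```

The exact-string DN comparison in _under() is the weak spot a real implementation has to fix: "CN=a,OU=people" and "cn=a,ou=people" name the same entry, so cache keys should be built from normalised DNs (python-ldap's ldap.dn module can split them) or the invalidation will miss. Adding entries (add_s) would invalidate the parent's subtree in the same way; the TTL is a backstop for changes made through other connections, which this cache cannot see.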
From michael at stroeder.com Mon May 2 20:22:44 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Mon, 02 May 2005 20:22:44 +0200
Subject: encodings while modify AD with linux-client
In-Reply-To: <200505021803.21158.steuwer@univention.de>
References: <200505021803.21158.steuwer@univention.de>
Message-ID: <42766FF4.9030706@stroeder.com>

Ingo Steuwer wrote:
> modlist=[(ldap.MOD_REPLACE,"description",[u"hallöle".encode('ISO-8859-1')])]
> lo.modify_s("CN=moreusers,CN=Users,%s"%ldap_base,modlist)

LDAPv3 mandates use of Unicode with UTF-8 encoding. You are accessing
Active Directory via its LDAPv3 interface. Hence it expects UTF-8.

> It is documented that Active Directory uses ISO-8859-1 and not utf8 (like
> Openldap and others).

I doubt that. Well, depends on what "Active Directory uses ISO-8859-1"
really means... But the charset of the internal storage of AD is not
relevant when accessing it through LDAPv3.

> So, is this a python-ldap or openldap-problem

Nope. The applications using python-ldap are responsible to provide the
proper charset and encoding at the API level.

> (I know, great chance to start an AD-Flamewar)?

(Not at all.)

> Any experiences/solutions?

I've tried it. It works for me with UTF-8.

Ciao, Michael.

From steuwer at univention.de Mon May 2 18:03:20 2005
From: steuwer at univention.de (Ingo Steuwer)
Date: Mon, 2 May 2005 18:03:20 +0200
Subject: encodings while modify AD with linux-client
Message-ID: <200505021803.21158.steuwer@univention.de>

Hello

I've got some encoding trouble accessing Active Directory with python-ldap
(slightly modified 2.0.6) on Linux (openldap-client 2.1.30).

I can modify a container description using umlauts without an
error/exception:

  [..]
  lo.simple_bind_s(login_dn, login_pw)
  modlist=[(ldap.MOD_REPLACE,"description",[u"hallöle".encode('ISO-8859-1')])]
  lo.modify_s("CN=moreusers,CN=Users,%s"%ldap_base,modlist)
  [..]

Searching for this container or viewing it in Windows shows the
description "hallle" (umlauts are cut). Using a different encoding
(different from ISO-8859-1/Latin) will result in an exception, like this
one with unicode:

    File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 298, in modify_s
      msgid = self.modify(dn,modlist)
    File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 295, in modify
      return self.modify_ext(dn,modlist,None,None)
    File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 268, in modify_ext
      return self._ldap_call(self._l.modify_ext,dn,modlist,serverctrls,clientctrls)
    File "/usr/lib/python2.3/site-packages/ldap/ldapobject.py", line 94, in _ldap_call
      result = func(*args,**kwargs)
  TypeError: ('expected a string in the list', u'hal\xf6le')

It is documented that Active Directory uses ISO-8859-1 and not utf8 (like
Openldap and others).

So, is this a python-ldap or openldap-problem (I know, great chance to
start an AD-Flamewar)? Any experiences/solutions?

Thanks!

Ingo Steuwer

-- 
Ingo Steuwer        steuwer at univention.de       fon: +49 421 22 232- 0
Development         Linux for Your Business
Univention GmbH     http://www.univention.de/     fax: +49 421 22 232-99

From steuwer at univention.de Tue May 3 09:41:39 2005
From: steuwer at univention.de (Ingo Steuwer)
Date: Tue, 3 May 2005 09:41:39 +0200
Subject: encodings while modify AD with linux-client
In-Reply-To: <42766FF4.9030706@stroeder.com>
References: <200505021803.21158.steuwer@univention.de> <42766FF4.9030706@stroeder.com>
Message-ID: <200505030941.39749.steuwer@univention.de>

On Monday, 2 May 2005 20:22, Michael Ströder wrote:
> Ingo Steuwer wrote:
> > modlist=[(ldap.MOD_REPLACE,"description",[u"hallöle".encode('ISO-8859-1')])]
> > lo.modify_s("CN=moreusers,CN=Users,%s"%ldap_base,modlist)
>
> LDAPv3 mandates use of Unicode with UTF-8 encoding. You are accessing
> Active Directory via its LDAPv3 interface. Hence it expects UTF-8.
> > It is documented that Active Directory uses ISO-8859-1 and not utf8 (like
> > Openldap and others).
>
> I doubt that. Well, depends on what "Active Directory uses ISO-8859-1"
> really means...

This was mentioned in a documentation of a python-ldap-based tool I can't
find anymore... google stuff.

> But the charset of the internal storage of AD is not relevant when
> accessing it through LDAPv3.
>
> > So, is this a python-ldap or openldap-problem
>
> Nope. The applications using python-ldap are responsible to provide the
> proper charset and encoding at the API level.
> [..]
>
> I've tried it. It works for me with UTF-8.

Just to be sure: You tried it which way? My experience is that python-ldap
doesn't allow the use of unicode in a modlist (see Exception in my first
mail, "expected a string in the list"). Which python-version do you use?

Furthermore it seems to me that python-ldap does not use unicode
internally. If I read from AD I get unicode strings which are handled by
python like Latin -- which means I have to convert them like
"unicode(value,'utf8')". I expected that modlist will also need unicode as
normal strings but that will give me the other conversion exception
("ordinal not in range(128)").

Regards
Ingo Steuwer

> Ciao, Michael.

-- 
Ingo Steuwer        steuwer at univention.de       fon: +49 421 22 232- 0
Development         Linux for Your Business
Univention GmbH     http://www.univention.de/     fax: +49 421 22 232-99

From steuwer at univention.de Tue May 3 18:55:39 2005
From: steuwer at univention.de (Ingo Steuwer)
Date: Tue, 3 May 2005 18:55:39 +0200
Subject: encodings while modify AD with linux-client
In-Reply-To: <200505030941.39749.steuwer@univention.de>
References: <200505021803.21158.steuwer@univention.de> <42766FF4.9030706@stroeder.com> <200505030941.39749.steuwer@univention.de>
Message-ID: <200505031855.39273.steuwer@univention.de>

OK, got it -- but it wasn't obvious...:

  modlist=[(ldap.MOD_REPLACE,"description","hallöle".decode('latin').encode('utf8'))]

Greetings
Ingo

On Tuesday, 3 May 2005 09:41, Ingo Steuwer wrote:
> On Monday, 2 May 2005 20:22, Michael Ströder wrote:
> > Ingo Steuwer wrote:
> > > modlist=[(ldap.MOD_REPLACE,"description",[u"hallöle".encode('ISO-8859-1')])]
> > > lo.modify_s("CN=moreusers,CN=Users,%s"%ldap_base,modlist)
> >
> > LDAPv3 mandates use of Unicode with UTF-8 encoding. You are accessing
> > Active Directory via its LDAPv3 interface. Hence it expects UTF-8.
> >
> > > It is documented that Active Directory uses ISO-8859-1 and not utf8
> > > (like Openldap and others).
> >
> > I doubt that. Well, depends on what "Active Directory uses ISO-8859-1"
> > really means...
>
> This was mentioned in a documentation of a python-ldap-based tool I can't
> find anymore... google stuff.
>
> > But the charset of the internal storage of AD is not relevant when
> > accessing it through LDAPv3.
> >
> > > So, is this a python-ldap or openldap-problem
> >
> > Nope. The applications using python-ldap are responsible to provide the
> > proper charset and encoding at the API level.
> > [..]
> > I've tried it. It works for me with UTF-8.
>
> Just to be sure: You tried it which way? My experience is that
> python-ldap doesn't allow the use of unicode in a modlist (see Exception in
> my first mail, "expected a string in the list"). Which python-version do
> you use?
>
> Furthermore it seems to me that python-ldap does not use unicode internally.
> If I read from AD I get unicode strings which are handled by python like
> Latin -- which means I have to convert them like "unicode(value,'utf8')".
> I expected that modlist will also need unicode as normal strings but that
> will give me the other conversion exception ("ordinal not in range(128)").
>
> Regards
> Ingo Steuwer
>
> > Ciao, Michael.

-- 
Ingo Steuwer        steuwer at univention.de       fon: +49 421 22 232- 0
Development         Linux for Your Business
Univention GmbH     http://www.univention.de/     fax: +49 421 22 232-99

From mhammond at skippinet.com.au Mon May 9 15:16:06 2005
From: mhammond at skippinet.com.au (Mark Hammond)
Date: Mon, 9 May 2005 23:16:06 +1000
Subject: Escaping of binary characters
Message-ID: <174201c55499$42c4f260$0a0a0a0a@enfoldsystems.local>

Hi,

I'm using python-ldap in conjunction with Zope and the LDAPUserFolder
product to talk to a Windows Active Directory server. One of the objects I
am trying to fetch via LDAP is objectGUID - a binary value.

It seems to me that the current implementation of
ldap.filters.escape_filter_chars is too conservative in choosing the
characters to escape. For example, escape_filter_chars("\x01") currently
returns "\x01" (ie, the value as passed in), where it would be better if
it returned "\\01" (ie 3 characters in total). I believe this still
conforms to RFC2254.

I have provided a sample implementation at
http://sourceforge.net/support/tracker.php?aid=1193271 - the patch there
escapes all non-printable characters.

Once this patch is in place, I can query this binary objectGUID attribute,
and all other testing appears to work fine (as you would expect though -
most of my testing involves printable characters ;).
The existing tests all still pass (but I struggled to create a test-case
that failed.)

As a side-note, I did test extended characters (and saw this in your
recent archives). An extended character entered in the Windows ADSI UI is
reflected correctly in my browser via Zope. I'd say this is a good
indication that the utf-8 escaping is working correctly.

Thanks,

Mark

From michael at stroeder.com Tue May 10 13:56:27 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Tue, 10 May 2005 13:56:27 +0200
Subject: Escaping of binary characters
In-Reply-To: <174201c55499$42c4f260$0a0a0a0a@enfoldsystems.local>
References: <174201c55499$42c4f260$0a0a0a0a@enfoldsystems.local>
Message-ID: <4280A16B.90204@stroeder.com>

Mark Hammond wrote:
> I'm using python-ldap in conjunction with Zope and the LDAPUserFolder
> product to talk to a Windows Active Directory server. One of the objects I
> am trying to fetch via LDAP is objectGUID - a binary value.

Can you please provide sample Python code so I can see what you really
want to achieve? Are you searching entries by objectGUID assertion values?

> It seems to me that the current implementation of
> ldap.filters.escape_filter_chars is too conservative in choosing the
> characters to escape.

This implementation simply tries to preserve a human-readable form of the
search filter as much as possible.

> I have provided a sample implementation at
> http://sourceforge.net/support/tracker.php?aid=1193271 - the patch there
> escapes all non-printable characters.

I saw this but I won't accept the patch. Although not technically wrong it
has the disadvantage that search filters won't be human-readable anymore
(which is very handy for debugging).

But actually nothing forces you to use python-ldap's helper function
ldap.filter.escape_filter_chars(). You can simply use your own
implementation in your code. You could even substitute python-ldap's
implementation by initially overwriting it:

  import ldap.filter
  ldap.filter.escape_filter_chars = my_funky_escape_filter_chars

> Once this patch is in place, I can
> query this binary objectGUID attribute,

Again I don't exactly understand what you're trying to achieve.

Ciao, Michael.

From mhammond at skippinet.com.au Tue May 10 15:39:12 2005
From: mhammond at skippinet.com.au (Mark Hammond)
Date: Tue, 10 May 2005 23:39:12 +1000
Subject: Escaping of binary characters
In-Reply-To: <4280A16B.90204@stroeder.com>
Message-ID: <189a01c55565$a79cdbe0$0a0a0a0a@enfoldsystems.local>

> Mark Hammond wrote:
> > I'm using python-ldap in conjunction with Zope and the LDAPUserFolder
> > product to talk to a Windows Active Directory server. One of the objects I
> > am trying to fetch via LDAP is objectGUID - a binary value.
>
> Can you please provide sample Python code so I can see what you really
> want to achieve? Are you searching entries by objectGUID
> assertion values?

I don't actually have neat sample code - I'm observing this inside Zope.
However, what happens is:

* We query for the attribute 'objectGUID'. We get back a 16 byte string -
  a raw binary representation of the 128-bit GUID. This part works fine -
  we get the binary value from LDAP correctly.

* Later, we call search_s with a filter string '(objectGUID={string})',
  after calling escape_filter_chars with the exact value as previously
  fetched. The filter fails, but succeeds with my implementation of
  escape_filter_chars.

> > It seems to me that the current implementation of
> > ldap.filters.escape_filter_chars is too conservative in choosing the
> > characters to escape.
>
> This implementation simply tries to preserve a human-readable form of the
> search filter as much as possible.

On closer inspection, my version is too aggressive. Instead of:

  if c < '0' or c > 'z' or c in "\\*()":

it should read:

  if c < ' ' or c > '~' or c in "\\*()":

which includes some extra punctuation. As far as I can tell, that will
leave all 'printable' characters alone and should leave things as readable
(even if slightly different than) the current implementation.

> But actually nothing forces you to use python-ldap's helper function
> ldap.filter.escape_filter_chars(). You can simply use your own
> implementation in your code. You could even substitute python-ldap's
> implementation by initially overwriting it
>
> import ldap.filter
> ldap.filter.escape_filter_chars = my_funky_escape_filter_chars

Yes, you are correct in that nothing is forcing us to use your function -
I just thought you would like to know :)

Cheers,

Mark

From michael at stroeder.com Wed May 11 18:52:36 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Wed, 11 May 2005 18:52:36 +0200
Subject: Escaping of binary characters
In-Reply-To: <189a01c55565$a79cdbe0$0a0a0a0a@enfoldsystems.local>
References: <189a01c55565$a79cdbe0$0a0a0a0a@enfoldsystems.local>
Message-ID: <42823854.6020405@stroeder.com>

Mark Hammond wrote:
> I don't actually have neat sample code - I'm observing this inside Zope.

Is this a publicly available Zope component like LDAPUserFolder?

> However, what happens is:
>
> * We query for the attribute 'objectGUID'. We get back a 16 byte string - a
>   raw binary representation of the 128-bit GUID. This part works fine - we
>   get the binary value from LDAP correctly.

Just curious because I'm always interested to learn anything people are
doing via LDAP: Do you store the objectGUID to reference the single entry
later? Does this reference have to survive renaming of the entry? If no,
why don't you use the DN of the entry for a base level search later?

> * Later, we call search_s with a filter string '(objectGUID={string})',
>   after calling escape_filter_chars with the exact value as previously
>   fetched. The filter fails, but succeeds with my implementation of
>   escape_filter_chars.

Is this code specific for Active Directory (seems so to me)? Or does your
code have to work with any LDAP server with a configurable unique and
DN-independent attribute similar to objectGUID (e.g. entryUUID comes to
mind for OpenLDAP 2.2+)?

IMHO searching with the exact objectGUID returns exactly one entry anyway.
Therefore you could also use the entry's DN and retrieve the entry with a
base level search. Well, I still didn't get the point of why you need an
octet string objectGUID in a search filter.

> it should read:
>
> if c < ' ' or c > '~' or c in "\\*()":
>
> which includes some extra punctuation. As far as I can tell, that
> will leave all 'printable' characters alone and should leave things
> as readable (even if slightly different than) the current
> implementation

Hmm, if I got you right this still escapes NON-ASCII chars which otherwise
could be displayed as UTF-8 encoded Unicode chars. I'm also afraid this
significantly slows down this function which is probably not a big deal in
most applications.

Ciao, Michael.

From michael at stroeder.com Thu May 12 09:51:44 2005
From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=)
Date: Thu, 12 May 2005 09:51:44 +0200
Subject: Escaping of binary characters
In-Reply-To: <72E9D96A-DAC9-45C6-BA95-E5FA64FE03EB@dataflake.org>
References: <189a01c55565$a79cdbe0$0a0a0a0a@enfoldsystems.local> <42823854.6020405@stroeder.com> <72E9D96A-DAC9-45C6-BA95-E5FA64FE03EB@dataflake.org>
Message-ID: <42830B10.40908@stroeder.com>

Jens Vagelpohl wrote:
> But then again, even if he could use the DN, I suppose the real problem
> is that you cannot "round trip" the value. You can't just grab it from
> a search result and use it to formulate another query, even if you send
> it through ldap.escape_filter_chars, if I understand the problem
> correctly.

After all it seems to me the idea of "the right" implementation of
ldap.escape_filter_chars() is broken. Basically one has to escape the
assertion value based on subschema knowledge (the LDAPSyntax here).
Note: I'm rather scared of escaping all chars by default since it could also break interoperability with some badly implemented LDAP servers. My suggestion for a workaround is to add both implementations and let the application developer decide which to use. We could make the differences clear in the __doc__ string. This could be achieved by a flag passed as arg to ldap.escape_filter_chars() def escape_filter_chars(assertion_value,escape_all_chars=0): A schema-aware application could simply set this flag if it determines that the assertion attribute has a syntax which is not human-readable. Ciao, Michael. From mhammond at skippinet.com.au Thu May 12 00:57:49 2005 From: mhammond at skippinet.com.au (Mark Hammond) Date: Thu, 12 May 2005 08:57:49 +1000 Subject: Escaping of binary characters In-Reply-To: <42823854.6020405@stroeder.com> Message-ID: <029c01c5567c$dbbac0f0$120a0a0a@enfoldsystems.local> > Mark Hammond wrote: > > > > I don't actually have neat sample code - I'm observing this > > inside Zope. > > Is this a publicly available Zope component like LDAPUserFolder? It is exactly LDAPUserFolder ;) > > However, what happens is: > > > > * We query for the attribute 'objectGUID'. We get back a > 16 byte string - a > > raw binary representation of the 128-bit GUID. This part > works fine - we > > get the binary value from LDAP correctly. > > Just curious because I'm always interested to learn anything > people are > doing via LDAP: > > Do you store the objectGUID to reference the single entry later? Yes. > Does this reference has to survive renaming of the entry? It is the persistent "user ID" - clearly it is desirable if it does survive renaming (and indeed all operations other than "delete") MS explicitly suggests using objectGUID over the dn or any other attribute for such an ID. > > * Later, we call search_s with a filter string > '(objectGUID={string})', > > after calling escape_filter_chars with the exact value as previously > > fetched. 
The filter fails, but succeeds with my implementation of > > escape_filter_chars. > > Is this code specific for Active Directory (seems so to me)? Or does > your code has to work with any LDAP server with a configurable unique > and DN-independent attribute similar to objectGUID (e.g. > entryUUID comes > to mind for OpenLDAP 2.2+)? I'm afraid I don't know the answer to that. Using the ActiveDirectory is the only time I have found a binary attribute I have needed to use. I suspect entryUUID will face a similar issue, as will any other attempt to store a binary string. [As a side note, when using the AD interfaces directly (ie, not via LDAP), you can specify the value for this GUID in a number of different ways. When going via LDAP, it appears only the raw binary value works. I suspect MS were trying to keep "standard" when talking via LDAP] > IMHO searching with the exact objectGUID returns exactly one entry > anyway. Therefore you could also use the entry's DN and retrieve the > entry with a base level search. Yes we could, but that sounds like an extreme solution to an escaping issue. > Well, I still didn't get the point of why you need a octet string > objectGUID in a search filter. Basically, we have just configured LDAPUserFolder to use objectGUID as the user ID. The way LDAPUserFolder works causes this search to happen. It does a search to locate the attributes for the previously fetched user-id. As I mentioned, it all works perfectly if the string is escaped more aggressively. > > it should read: > > > > if c < ' ' or c > '~' or c in "\\*()": > > > > which includes some extra punctuation. As far as I can tell, that > > will leave all 'printable' characters alone and should leave things > > as readable (even if slightly different than) the current > > implementation > > Hmm, if I got you right this still escapes NON-ASCII chars which > otherwise could be displayed as UTF-8 encoded Unicode chars. 
> > I'm also afraid this significantly slows down this function which is > probably not a big deal in most applications. Yes, all good points. As mentioned, I can arrange to avoid your escaping function and am happy to do so. But as this appears the only obstacle to using octet strings it seems a shame to leave it alone. Easily avoided for me, so I'm happy with whatever you decide. Cheers, Mark. From jens at dataflake.org Thu May 12 02:57:31 2005 From: jens at dataflake.org (Jens Vagelpohl) Date: Thu, 12 May 2005 02:57:31 +0200 Subject: Escaping of binary characters In-Reply-To: <42823854.6020405@stroeder.com> References: <189a01c55565$a79cdbe0$0a0a0a0a@enfoldsystems.local> <42823854.6020405@stroeder.com> Message-ID: <72E9D96A-DAC9-45C6-BA95-E5FA64FE03EB@dataflake.org> On May 11, 2005, at 18:52, Michael Str?der wrote: > Mark Hammond wrote: > >> I don't actually have neat sample code - I'm observing this inside >> Zope. >> > > Is this a publicly available Zope component like LDAPUserFolder? Yes, Mark uses that truly brilliant piece of software ;) > Do you store the objectGUID to reference the single entry later? > > Does this reference has to survive renaming of the entry? > If no, why don't you use the DN of the entry for a base level > search later? That's an excellent question. Mark, is that what you are trying to do, identify one specific entry by using the objectGUID? But then again, even if he could use the DN, I suppose the real problem is that you cannot "round trip" the value. You can't just grab it from a search result and use it to formulate another query, even if you send it through ldap.escape_filter_chars, if I understand the problem correctly. 
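An added worked example for the "Escaping of binary characters" thread above. This is not python-ldap's code, nor Mark's or Michael's patch; it is a stand-alone Python 3 implementation of RFC 4515 assertion-value escaping with the three behaviours the thread argues about (minimal escaping that keeps UTF-8 text readable, Mark's "escape everything outside printable ASCII" rule for octet strings, and Michael's escape-all flag), applied to a constructed 16-byte objectGUID so the round trip Jens describes can be checked. The sample GUID is made up and the function names are this example's own; later python-ldap releases took a similar route with an escape_mode argument on ldap.filter.escape_filter_chars().

```python
"""Escaping assertion values for an LDAP search filter (RFC 4515 syntax).

Added example, not python-ldap's own code. Demonstrates the readable and the
escape-everything behaviours discussed on the list, using a constructed
objectGUID value."""

import re

# Octets RFC 4515 requires to be escaped inside an assertion value. Escaping
# anything else is optional, which is exactly the design choice under debate.
_MUST_ESCAPE = frozenset(b"*()\\\x00")
_ESCAPED = re.compile(r"\\([0-9a-fA-F]{2})")


def _hex(octet):
    return "\\%02x" % octet


def escape_filter_value(value, escape_all=False):
    """Return the filter-safe text for one assertion value.

    value: str (text, transmitted as UTF-8) or bytes (an octet string such as
      the raw objectGUID Active Directory returns).
    escape_all=False, str:   only the mandatory and control characters are
      escaped; non-ASCII text stays readable (Michael's objection).
    escape_all=False, bytes: every octet outside printable ASCII is escaped
      (Mark's 'c < " " or c > "~"' rule), so binary values survive.
    escape_all=True: every octet becomes \\XX, the flag Michael proposed.
    """
    if isinstance(value, str):
        if escape_all:
            return "".join(_hex(b) for b in value.encode("utf-8"))
        parts = []
        for ch in value:
            if ch in "*()\\" or ord(ch) < 0x20 or ord(ch) == 0x7F:
                parts.append("".join(_hex(b) for b in ch.encode("utf-8")))
            else:
                parts.append(ch)
        return "".join(parts)
    data = bytes(value)
    if escape_all:
        return "".join(_hex(b) for b in data)
    return "".join(
        _hex(b) if (b in _MUST_ESCAPE or b < 0x20 or b > 0x7E) else chr(b)
        for b in data
    )


def unescape_filter_value(text):
    """Recover the octets the server will compare against (inverse of the
    function above): \\XX becomes one octet, everything else is UTF-8."""
    out = bytearray()
    pos = 0
    for match in _ESCAPED.finditer(text):
        out += text[pos:match.start()].encode("utf-8")
        out.append(int(match.group(1), 16))
        pos = match.end()
    out += text[pos:].encode("utf-8")
    return bytes(out)


def object_guid_filter(object_guid, escape_all=True):
    """Build '(objectGUID=...)' from the raw 16-byte value a search returned.
    The default escapes every octet, the mode a binary value needs."""
    object_guid = bytes(object_guid)
    if len(object_guid) != 16:
        raise ValueError("objectGUID is a 16-byte octet string")
    return "(objectGUID=%s)" % escape_filter_value(object_guid, escape_all)


if __name__ == "__main__":
    # Constructed sample GUID (not a real directory object); it deliberately
    # contains NUL, filter metacharacters, a newline and non-ASCII octets.
    guid = bytes([0x2A, 0x28, 0x00, 0xFF, 0x41, 0x5C, 0x29, 0x80,
                  0x7E, 0x20, 0x0A, 0xC3, 0xB6, 0x01, 0x99, 0x7F])
    print(escape_filter_value("Ströder (Michael) *"))  # text stays readable
    print(object_guid_filter(guid, escape_all=False))  # printable ASCII kept
    print(object_guid_filter(guid))                    # every octet escaped
    assert unescape_filter_value(escape_filter_value(guid)) == guid
```

Both bytes modes produce a filter that decodes back to the original 16 octets; they differ only in readability, which is the whole of the disagreement above. Text values keep their UTF-8 characters unless escape_all is requested, so a debug log of the filter stays legible for the common case while binary syntaxes get the full treatment.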
jens From leelouch at hotmail.com Fri May 13 16:24:14 2005 From: leelouch at hotmail.com (Ali Fawaz) Date: Fri, 13 May 2005 16:24:14 +0200 Subject: problem with ldap_sasl_bind Message-ID: <4284B88E.2030603@hotmail.com> Hi, I have a problem when I am trying to use ldap_sasl_bind Traceback (most recent call last): File "test.py", line 33, in ? l.sasl_interactive_bind_s("uid=afawaz,cn=users,dc=arteris,dc=net","Mona3592") File "/home/afawaz/download/python-ldap-2.0.7/build/lib.linux-i686-2.3/ldap/ldapobject.py", line 196, in sasl_interactive_bind_s return self._ldap_call(self._l.sasl_interactive_bind_s,who,auth,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls),sasl_flags) File "/home/afawaz/download/python-ldap-2.0.7/build/lib.linux-i686-2.3/ldap/ldapobject.py", line 94, in _ldap_call result = func(*args,**kwargs) AttributeError: 'str' object has no attribute 'mech' here is my code import ldap l = ldap.open("ldapserver") l.sasl_interactive_bind_s("uid=id,cn=users,dc=company,dc=net","") do you have idea's thanks for help Alain From michael at stroeder.com Fri May 13 16:42:22 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Fri, 13 May 2005 16:42:22 +0200 Subject: problem with ldap_sasl_bind In-Reply-To: <4284B88E.2030603@hotmail.com> References: <4284B88E.2030603@hotmail.com> Message-ID: <4284BCCE.8020605@stroeder.com> Ali Fawaz wrote: > > l.sasl_interactive_bind_s("uid=afawaz,cn=users,dc=arteris,dc=net","Mona3592") > [..] > AttributeError: 'str' object has no attribute 'mech' The second argument is not a string. Please have a look at files Demo/sasl_bind.py and Lib/ldap/sasl.py in the source distribution. Ciao, Michael. From bethany at pixar.com Sat May 14 01:34:18 2005 From: bethany at pixar.com (Bethany Jane Hanson) Date: Fri, 13 May 2005 16:34:18 -0700 Subject: python-ldap and mac os x tiger, missing symbols Message-ID: <149c89b56238fa2ba2b699da9341da60@pixar.com> Hi! 
I'm trying to compile python-ldap (2.0.7) on mac os x 10.4.0. It appears to be failing on missing symbols: ld: Undefined symbols: _ldap_attributetype_free _ldap_matchingrule_free _ldap_objectclass_free _ldap_str2attributetype _ldap_str2matchingrule _ldap_str2objectclass _ldap_str2syntax _ldap_syntax_free The same thing compiles just fine on mac os x 10.3.x. I'm including the same libraries on both compiles. I heard a rumor that this might be a known issue and easily solved through some magic gcc flag. However, I haven't found anything on the net that would tell me what magic gcc flag this would be. Do you guys know anything about this? Thanks! bjh From jens at dataflake.org Sat May 14 03:48:43 2005 From: jens at dataflake.org (Jens Vagelpohl) Date: Sat, 14 May 2005 03:48:43 +0200 Subject: python-ldap and mac os x tiger, missing symbols In-Reply-To: <149c89b56238fa2ba2b699da9341da60@pixar.com> References: <149c89b56238fa2ba2b699da9341da60@pixar.com> Message-ID: <8DB641DE-31F8-4433-BD44-26ED6F9F8E64@dataflake.org> On May 14, 2005, at 01:34, Bethany Jane Hanson wrote: > The same thing compiles just fine on mac os x 10.3.x. I'm > including the same libraries on both compiles. Tiger has quite a few issues compiling certain things. For one, I have not found a way to compile Python 2.3.5 on it at all. 2.4.1 works fine. And python-ldap built with Python 2.4.1 works. But building for the system-python in /usr/bin fails with problems like the ones you saw. jens From jean-marc.pouchoulon at ac-montpellier.fr Mon May 16 13:48:16 2005 From: jean-marc.pouchoulon at ac-montpellier.fr (jean-marc.pouchoulon at ac-montpellier.fr) Date: Mon, 16 May 2005 13:48:16 +0200 Subject: using python-ldap with twisted ? Message-ID: <42888880.1050308@ac-montpellier.fr> Bonjour, Does anyone has some examples of using python-ldap with twisted ? Thanks. 
From michael at stroeder.com Tue May 17 09:40:28 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Tue, 17 May 2005 09:40:28 +0200 Subject: using python-ldap with twisted ? In-Reply-To: <42888880.1050308@ac-montpellier.fr> References: <42888880.1050308@ac-montpellier.fr> Message-ID: <42899FEC.7050503@stroeder.com> jean-marc.pouchoulon at ac-montpellier.fr wrote: > > Does anyone has some examples of using python-ldap with twisted ? I never worked with Twisted. Are you talking about use of the async LDAP operation methods and hiw to dispatch results. There's also a package called 'ldaptor' which is a LDAPv3 implementation based on Twisted. Never used and I don't know anything about the project's status. Ciao, Michael. From bethany at pixar.com Mon May 16 22:31:30 2005 From: bethany at pixar.com (Bethany Jane Hanson) Date: Mon, 16 May 2005 13:31:30 -0700 Subject: python-ldap and mac os x tiger, missing symbols In-Reply-To: <8DB641DE-31F8-4433-BD44-26ED6F9F8E64@dataflake.org> References: <149c89b56238fa2ba2b699da9341da60@pixar.com> <8DB641DE-31F8-4433-BD44-26ED6F9F8E64@dataflake.org> Message-ID: <691195748a3883f80e172bdf60b04283@pixar.com> interesting. i also heard this: "You need to un-define _XOPEN_SOURCE and _POSIX_C_SOURCE in order to successfully compile python sources on Tiger. Also, you need to use a build of Python that was configured on Tiger (either our 2.3 port or a 2.4.1 configured on Tiger)." I'm trying 2.4.1 out now. What a bummer. Thanks! bjh On May 13, 2005, at 6:48 PM, Jens Vagelpohl wrote: > > On May 14, 2005, at 01:34, Bethany Jane Hanson wrote: > >> The same thing compiles just fine on mac os x 10.3.x. I'm including >> the same libraries on both compiles. > > Tiger has quite a few issues compiling certain things. For one, I have > not found a way to compile Python 2.3.5 on it at all. 2.4.1 works > fine. And python-ldap built with Python 2.4.1 works. 
But building for > the system-python in /usr/bin fails with problems like the ones you > saw. > > jens From michael at stroeder.com Tue May 17 19:51:30 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Tue, 17 May 2005 19:51:30 +0200 Subject: authentication problem In-Reply-To: <200505171750.42642.fabio.marcone@duet.it> References: <200505171750.42642.fabio.marcone@duet.it> Message-ID: <428A2F22.60709@stroeder.com> Fabio Marcone wrote: > > I've to authenticate users using python and ldap. I have this problem: > password in ldap and password calculate using slappasswd are different > (password in ldap was calculated using slappasswd too). You shouldn't validate a password via LDAP by a CompareRequest. Use an appropriate BindRequest instead. See http://stroeder.com/proxy_auth_ldap.html for a short example using a simple bind request. Whether to protect against a clear text password being transmitted (by LDAP or StartTLS ext.op. or SASL bind) depends on your security requirements and the capabilities of your LDAP server. See Demo/initialize.py for how to use StartTLS ext. op. See Demo/sasl_bind.py for SASL bind requests. Ciao, Michael. From fabio.marcone at duet.it Tue May 17 17:50:42 2005 From: fabio.marcone at duet.it (Fabio Marcone) Date: Tue, 17 May 2005 17:50:42 +0200 Subject: authentication problem Message-ID: <200505171750.42642.fabio.marcone@duet.it> Hi! I've to authenticate users using python and ldap. I have this problem: password in ldap and password calculate using slappasswd are different (password in ldap was calculated using slappasswd too). How can I authenticate users in another way? Thanks, Fabio -- Dott. Fabio Marcone 2T srl Telefono +39 - 0871- 540154 Fax +39 - 0871- 571594 Indirizzo Viale B. 
Croce 573, 66013 Chieti Scalo (CH) From jens at dataflake.org Tue May 17 22:22:55 2005 From: jens at dataflake.org (Jens Vagelpohl) Date: Tue, 17 May 2005 22:22:55 +0200 Subject: python-ldap and mac os x tiger, missing symbols In-Reply-To: References: <149c89b56238fa2ba2b699da9341da60@pixar.com> <8DB641DE-31F8-4433-BD44-26ED6F9F8E64@dataflake.org> Message-ID: <9C294A81-F8AD-43C5-9FC8-A3DC4147419C@dataflake.org> On May 17, 2005, at 21:58, Bethany Jane Hanson wrote: > Hi Jens! I tried building python 2.4.1 and python-ldap 2.0.7 last > night. Both of them built and installed without errors, but when I > ran Python and tried to use the ldap module it complained about > missing symbols again: > > ila:/tmp/python-ldap-2.0.7 root# /usr/local/bin/python > Python 2.4.1 (#1, May 17 2005, 11:58:55) > [GCC 3.3 20030304 (Apple Computer, Inc. build 1809)] on darwin > Type "help", "copyright", "credits" or "license" for more information. > >>> import ldap > Traceback (most recent call last): > File "", line 1, in ? > File "/usr/local/lib/python2.4/site-packages/ldap/__init__.py", > line 21, in ? > from _ldap import * > ImportError: Failure linking new module: /usr/local/lib/python2.4/ > site-packages/_ldap.so: Symbol not found: _ldap_matchingrule_free > Referenced from: /usr/local/lib/python2.4/site-packages/_ldap.so > Expected in: dynamic lookup I did not see these problems after compiling Python 2.4.1 and python- ldap HEAD from CVS anymore, there's not much I can say - it worked for me. 
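An added worked example for the "authentication problem" thread above (Fabio Marcone's question and Michael Ströder's reply); it is not code from either of them. It shows, in Python 3 and without a directory server, why a freshly computed slappasswd value never equals the stored one ({SSHA} carries a random salt, so a string comparison of two hashes of the same password fails) and what a verifier would have to do with the stored salt. That goes a little beyond the thread, which only says the values differ. The recommendation stands: let the server check the password with a BindRequest; the bind helper at the end needs python-ldap and a live server and is the only part not exercised offline. The 4-byte salt size and the function names are this example's assumptions.

```python
"""Why comparing slappasswd output against the stored userPassword fails, and
how a password is checked properly. Added example, not from the thread."""

import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """OpenLDAP-style {SSHA} value: base64(SHA-1(password || salt) || salt).
    A fresh random salt is drawn unless one is supplied; 4 bytes is an
    assumption of this example, not a requirement of the format."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value using *its* salt."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def naive_compare(password, stored):
    """What the original post effectively did: hash again and compare the
    strings. The new random salt makes this fail for the right password."""
    return ssha_hash(password) == stored


def check_password_by_bind(uri, user_dn, password):
    """The approach Michael recommends, against a live server (needs
    python-ldap, so it is not run offline). The URI should be ldaps:// or the
    connection protected with start_tls_s() before binding. An empty password
    is rejected up front: a bind with a DN and an empty credential is an
    anonymous or unauthenticated bind, which some servers (Active Directory
    by default) accept, and that would let anyone 'log in' as any user."""
    if not password:
        return False
    import ldap
    conn = ldap.initialize(uri)
    try:
        conn.simple_bind_s(user_dn, password)
        return True
    except ldap.INVALID_CREDENTIALS:
        return False
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    stored = ssha_hash("secret")             # what slappasswd would have produced
    print(stored, ssha_hash("secret"))       # same password, different values
    print("naive compare:", naive_compare("secret", stored))   # False
    print("salt-aware   :", ssha_verify("secret", stored))     # True
```

The salt-aware check is shown only to explain the mismatch; an application that reads userPassword values out of the directory to verify them needs read access to every hash, which is a far larger exposure than a bind as the user. Use the bind, on a protected connection, and treat an empty credential as a failed login.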
jens From michael at stroeder.com Tue May 17 22:36:12 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Tue, 17 May 2005 22:36:12 +0200 Subject: python-ldap and mac os x tiger, missing symbols In-Reply-To: <9C294A81-F8AD-43C5-9FC8-A3DC4147419C@dataflake.org> References: <149c89b56238fa2ba2b699da9341da60@pixar.com> <8DB641DE-31F8-4433-BD44-26ED6F9F8E64@dataflake.org> <9C294A81-F8AD-43C5-9FC8-A3DC4147419C@dataflake.org> Message-ID: <428A55BC.9010300@stroeder.com> Jens Vagelpohl wrote: > > On May 17, 2005, at 21:58, Bethany Jane Hanson wrote: > >> Hi Jens! I tried building python 2.4.1 and python-ldap 2.0.7 last >> night. Both of them built and installed without errors, but when I >> ran Python and tried to use the ldap module it complained about >> missing symbols again: >> [..] >> ImportError: Failure linking new module: /usr/local/lib/python2.4/ >> site-packages/_ldap.so: Symbol not found: _ldap_matchingrule_free >> Referenced from: /usr/local/lib/python2.4/site-packages/_ldap.so >> Expected in: dynamic lookup > > I did not see these problems after compiling Python 2.4.1 and python- > ldap HEAD from CVS anymore, there's not much I can say - it worked > for me. Well, then it should also work with python-ldap 2.0.7 compiled from source since at the moment there's no new code in CVS HEAD. Ciao, Michael. From oconnell at soe.ucsd.edu Fri May 20 00:24:13 2005 From: oconnell at soe.ucsd.edu (Sean O'Connell) Date: Thu, 19 May 2005 15:24:13 -0700 Subject: python-ldap vs. Active directory Message-ID: <1116541454.16488.27.camel@oecpc27.ucsd.edu> Folks- I am trying to get a trivial python-ldap script to work talking to our campus active directory from a Linux machine (Fedora Core 3 or Centos 4), but I am being thwarted. I have successfully used python-ldap (same versions) to talk to an openldap server quite happily; however, the AD servers are proving to be quite stubborn. 
The client side software versions are: openldap (openldap-2.2.13-2 RPM), python-ldap (python-ldap-2.0.1-2 RPM), python (python-2.3.4-13.1). The simple script is as follows, with some silly info tossed in for the usual reasons.

---------------------------------- snip --------------------------------
import sys
import ldap

myLdapURI = "ldap://ad.ucsd.edu"
myBaseDN = "dc=ad,dc=ucsd,dc=edu"
myBindDN = "cn=AdAccount,ou=foo,ou=bar,dc=ad,dc=ucsd,dc=edu"
myPassWD = "LetMeIn"

# Open the LDAP connection
print "initializing .."
try:
    l = ldap.initialize(myLdapURI)
except ldap.LDAPError, e:
    print e
    sys.exit(1)

# Set protocol version to LDAPv3
l.protocol_version = ldap.VERSION3

# Bind to AD
print "binding .."
try:
    l.bind_s(myBindDN, myPassWD)
except ldap.LDAPError, e:
    print e
    sys.exit(1)
else:
    print 'Successfully bound to AD'

#myFilter = '(objectclass=*)'
myFilter = '(sAMAccountName=AKnownUserInAD)'
myRetrieveAttrs = None
myScope = ldap.SCOPE_SUBTREE

# Do a search
print "searching .."
try:
    myResults = l.search_s(myBaseDN, myScope, myFilter, myRetrieveAttrs)
except ldap.LDAPError, e:
    print e
else:
    print myResults

# Close down the connection
l.unbind()
------------------------------- snip ----------------------------------

The results are invariably:

initializing ..
binding ..
Successfully bound to AD
searching ..
{'info': '00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}

It appears to do the bind properly, but seems to forget about it when it goes to do the search. Whereas, the following returns the desired results:

ldapsearch -x -w 'LetMeIn' -D 'cn=AdAccount,ou=foo,ou=bar,dc=ad,dc=ucsd,dc=edu' -b 'dc=ad,dc=ucsd,dc=edu' -H ldap://ad.ucsd.edu '(sAMAccountName=AKnownUserInAD)'

Any ideas what's going on here? Am I missing something obvious? The command line search also works using kinit (and dropping the -x flag). The python-ldap doesn't appear to work with SASL at all.
Thanks -- Sean From jason at tishler.net Fri May 20 18:20:44 2005 From: jason at tishler.net (Jason Tishler) Date: Fri, 20 May 2005 12:20:44 -0400 Subject: python-ldap vs. Active directory In-Reply-To: <1116541454.16488.27.camel@oecpc27.ucsd.edu> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> Message-ID: <20050520162043.GA2380@tishler.net> Sean, On Thu, May 19, 2005 at 03:24:13PM -0700, Sean O'Connell wrote: > I am trying to get a trivial python-ldap script to work talking to our > campus active directory from a Linux machine (Fedora Core 3 or Centos > 4), but I am being thwarted. I have successfully used python-ldap > (same versions) to talk to an openldap server quite happily; however, > the AD servers are proving to be quite stubborn. I had trouble when my company switched to AD (i.e., MS Exchange 2000) from MS Exchange 5.5 too. Hopefully, the attached script will give you some ideas to try. FWIW, it works for me from mutt. Jason -- PGP/GPG Key: http://www.tishler.net/jason/pubkey.asc or key servers Fingerprint: 7A73 1405 7F2B E669 C19D 8784 1AFD E4CC ECF4 8EF6 -------------- next part -------------- #!/usr/bin/env python # $Id: MuttLdapQuery.py,v 1.10 2005/04/13 20:24:18 jtishler Exp $ import sys, ldap, string, re, os.path def MakeAlias(anEntry): aName, aOu = FixName(anEntry[1]['displayName'][0]) aMail = 'unavailable' if anEntry[1].has_key('mail') and anEntry[1]['mail']: aMail = GetMailAddress(anEntry[1]['mail']) anAlias = '%(aMail)s\t%(aName)s\t%(aOu)s' % vars() return anAlias def GetMailAddress(aMails): anAddress = aMails[0] for aMail in aMails: if string.find(aMail, '_') == -1: anAddress = aMail break return anAddress def FixName(name): full = r'([^,]+), (.+) \((.+)\)' full2 = r'([^,]+), (.+)\((.+)\)' partial = r'([^,]+), (.+)' m = re.match(full, name) if not m: m = re.match(full2, name) if not m: m = re.match(partial, name) if m and len(m.groups()) >= 2: first = string.strip(m.group(2)) last = string.strip(m.group(1)) name = first + ' ' + last org 
= '' if m and len(m.groups()) == 3: org = m.group(3) return name, org theLdapHost = 'ad.foo.com' # *** CHANGE ME *** theLdapPort = 3268 theLdapUser = 'domain\user' # *** CHANGE ME *** theLdapPassword = file(os.path.expanduser('~/.passwd')).read()[:-1] theBase = 'dc=foo,dc=com' # *** CHANGE ME *** theScope = ldap.SCOPE_SUBTREE theFilter = '(&(displayName=%(aQuery)s*)(mailNickname=*))' theAttributes = ('displayName', 'mail', 'ou') theFoundMessage = 'Found %(aNumEntries)d matching entries on %(theLdapHost)s:' theNotFoundMessage = 'Found no matching entries on %(theLdapHost)s' theErrorMessage = 'LDAP search to %(theLdapHost)s failed' aQuery = sys.argv[1] aFilter = theFilter % vars() try: aLdapHost = ldap.open(theLdapHost, theLdapPort) aLdapHost.simple_bind(theLdapUser, theLdapPassword) anEntries = aLdapHost.search_s(theBase, theScope, aFilter, theAttributes) if anEntries: aNumEntries = len(anEntries) print theFoundMessage % vars() for anEntry in anEntries: print MakeAlias(anEntry) aStatus = 0 else: print theNotFoundMessage % vars() aStatus = 1 except: print theErrorMessage % vars() aStatus = 2 sys.exit(aStatus) From deepak at arlut.utexas.edu Sat May 21 00:09:22 2005 From: deepak at arlut.utexas.edu (Deepak Giridharagopal) Date: Fri, 20 May 2005 17:09:22 -0500 Subject: python-ldap vs. Active directory In-Reply-To: <1116541454.16488.27.camel@oecpc27.ucsd.edu> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> Message-ID: <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> On Thu, 2005-05-19 at 15:24 -0700, Sean O'Connell wrote: > The results are invariably: > > initializing .. > binding .. > Sucessfully bound to AD > searching .. > {'info': '00000000: LdapErr: DSID-0C0905FF, comment: In order to perform > this operation a successful bind must be completed on the connection., > data 0, vece', 'desc': 'Operations error'} I was getting the exact same error. 
I fixed the problem by explicitly disabling referral chasing in the OpenLDAP client libraries (for my purposes, I didn't care about referrals). Before you call ldap.initialize, try: ldap.set_option(ldap.OPT_REFERRALS, 0) Cheers! deepak -- Deepak Giridharagopal From oconnell at soe.ucsd.edu Sat May 21 01:46:02 2005 From: oconnell at soe.ucsd.edu (Sean O'Connell) Date: Fri, 20 May 2005 16:46:02 -0700 Subject: python-ldap vs. Active directory In-Reply-To: <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> Message-ID: <1116632762.21337.2.camel@oecpc27.ucsd.edu> On Fri, 2005-05-20 at 17:09 -0500, Deepak Giridharagopal wrote: > On Thu, 2005-05-19 at 15:24 -0700, Sean O'Connell wrote: > > The results are invariably: > > > > initializing .. > > binding .. > > Sucessfully bound to AD > > searching .. > > {'info': '00000000: LdapErr: DSID-0C0905FF, comment: In order to perform > > this operation a successful bind must be completed on the connection., > > data 0, vece', 'desc': 'Operations error'} > > I was getting the exact same error. I fixed the problem by explicitly > disabling referral chasing in the OpenLDAP client libraries (for my > purposes, I didn't care about referrals). > > Before you call ldap.initialize, try: > > ldap.set_option(ldap.OPT_REFERRALS, 0) > > Cheers! > deepak > > -- > Deepak Giridharagopal Deepak- You rock! That definitely solved the problem (of course, it now means I have more work to do :). -- Sean From michael at stroeder.com Sun May 22 00:26:00 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sun, 22 May 2005 00:26:00 +0200 Subject: python-ldap vs. 
Active directory In-Reply-To: <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> Message-ID: <428FB578.3000909@stroeder.com> Deepak Giridharagopal wrote: > On Thu, 2005-05-19 at 15:24 -0700, Sean O'Connell wrote: > >>The results are invariably: >> >>initializing .. >>binding .. >>Sucessfully bound to AD >>searching .. >>{'info': '00000000: LdapErr: DSID-0C0905FF, comment: In order to perform >>this operation a successful bind must be completed on the connection., >>data 0, vece', 'desc': 'Operations error'} > > > I was getting the exact same error. I fixed the problem by explicitly > disabling referral chasing in the OpenLDAP client libraries (for my > purposes, I didn't care about referrals). > > Before you call ldap.initialize, try: > > ldap.set_option(ldap.OPT_REFERRALS, 0) This is good advice since IIRC the OpenLDAP libs chase referrals doing an anonymous bind. Therefore it's definitely better to get the search references (check the result type). Sort them out or chase the referrals in your Python application. Ciao, Michael. From michael at stroeder.com Sun May 22 15:11:23 2005 From: michael at stroeder.com (=?ISO-8859-1?Q?Michael_Str=F6der?=) Date: Sun, 22 May 2005 15:11:23 +0200 Subject: python-ldap vs. Active directory In-Reply-To: References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> <428FB578.3000909@stroeder.com> Message-ID: <429084FB.8080106@stroeder.com> Jens Vagelpohl wrote: > > > For what it's worth, a long time ago I had the same problems with the > LDAPUserFolder Zope product against AD. Among the resultset returned by > a query there would always be one record that made everything barf. The > (not very clean) workaround has been to special-case that record and > discard it. It is a AD-specific referral. How did you sort out this special case? 
IMO the appropriate way is to sort out the search references. Having to deal with referrals / search references is *not* AD-specific! Ciao, Michael. From jens at dataflake.org Sun May 22 14:16:21 2005 From: jens at dataflake.org (Jens Vagelpohl) Date: Sun, 22 May 2005 13:16:21 +0100 Subject: python-ldap vs. Active directory In-Reply-To: <428FB578.3000909@stroeder.com> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> <428FB578.3000909@stroeder.com> Message-ID: On May 21, 2005, at 23:26, Michael Str?der wrote: >> I was getting the exact same error. I fixed the problem by explicitly >> disabling referral chasing in the OpenLDAP client libraries (for my >> purposes, I didn't care about referrals). >> >> Before you call ldap.initialize, try: >> >> ldap.set_option(ldap.OPT_REFERRALS, 0) >> > > This is good advice since IIRC the OpenLDAP libs chase referrals doing > an anonymous bind. Therefore it's definitely better to get the search > references (check the result type). Sort them out or chase the > referrals > in your Python application. For what it's worth, a long time ago I had the same problems with the LDAPUserFolder Zope product against AD. Among the resultset returned by a query there would always be one record that made everything barf. The (not very clean) workaround has been to special-case that record and discard it. It is a AD-specific referral. Another solution has been to connect to the "Global Catalog" port or somesuch thing. This port apparently gives you a view on the data contained in a forest of AD server instances as one single entity, as opposed to single AD instances handing back references to other AD instances where a record may be found. 
jens From daniel1337 at gmail.com Mon May 23 13:06:05 2005 From: daniel1337 at gmail.com (Daniel LB) Date: Mon, 23 May 2005 13:06:05 +0200 Subject: Setting password Message-ID: Hi Is it possible to set a user's password without knowing the old password with python-ldap? I have only come across the passwd(user,oldpw,newpw) function, which requires the old password, but if you are logged in as Administrator you should be able to *set* the users' password directly, no? //daniel From bjorn.grotan at itea.ntnu.no Mon May 23 13:14:25 2005 From: bjorn.grotan at itea.ntnu.no (Bjorn Ove Grotan) Date: Mon, 23 May 2005 13:14:25 +0200 Subject: Setting password In-Reply-To: References: Message-ID: <20050523111425.GA8675@itea.ntnu.no> Daniel LB: > Hi > > Is it possible to set a user's password without knowing the old > password with python-ldap? > > I have only come across the passwd(user,oldpw,newpw) function, which > requires the old password, but if you are logged in as Administrator > you should be able to *set* the users' password directly, no? Just use the function modify_s to do such modifications. import ldap import ldap.modlist as modlist newattrs = {'userPassword': '1337secret'} old = l.search_s(base,ldap.SCOPE_SUBTREE,"uid=someuser",[])[0][1]['userPassword'][0] # Given that you're binding with a user with read-priv to userPassword. attrs = modlist.modifyModlist(old,newattrs) l.modify_s(dn,attrs) # Alternatively, make a list of change-commands. I think its documented # in the module, so just play along with help(ldap.modify_s) or # something. -- Regards Bj?rn Ove Gr?tan From jens at dataflake.org Mon May 23 14:46:15 2005 From: jens at dataflake.org (Jens Vagelpohl) Date: Mon, 23 May 2005 13:46:15 +0100 Subject: python-ldap vs. 
Active directory In-Reply-To: <429084FB.8080106@stroeder.com> References: <1116541454.16488.27.camel@oecpc27.ucsd.edu> <1116626962.30539.321.camel@csdpc10.arlut.utexas.edu> <428FB578.3000909@stroeder.com> <429084FB.8080106@stroeder.com> Message-ID: <87F6648F-DA42-4F4F-85E3-0A5C731CA936@dataflake.org> On May 22, 2005, at 14:11, Michael Str?der wrote: > Jens Vagelpohl wrote: > >> For what it's worth, a long time ago I had the same problems with the >> LDAPUserFolder Zope product against AD. Among the resultset >> returned by >> a query there would always be one record that made everything >> barf. The >> (not very clean) workaround has been to special-case that record and >> discard it. It is a AD-specific referral. >> > > How did you sort out this special case? > > IMO the appropriate way is to sort out the search references. > Having to deal with referrals / search references is *not* AD- > specific! I know that references need to be dealt with, however, I have no AD instance to test anything and thus the only goal was to make things work somehow. I personally do not support AD, it's only on the basis of "if it works for you, great. if not, sorry, can't help". Besides, these "invalid" records come back as part of a normal set of search results - leaving them out hasn't made anyone complain yet. The specific case here is the return value from ldap_connection.search_s, which I assume to be a sequence of two-item sequences consisting of a string (the DN) and a dictionary (the attributes and their values). However, with AD you can get stuff like this as part f the results sequence: (None, ['ldap://ForestDnsZones.PORTAL.LOCAL/ DC=ForestDnsZones,DC=PORTAL,DC=LOCAL']) I simply discard anything where the second element is not a dictionary. 
jens

From deepak at arlut.utexas.edu Mon May 23 20:06:38 2005
From: deepak at arlut.utexas.edu (Deepak Giridharagopal)
Date: Mon, 23 May 2005 13:06:38 -0500
Subject: Setting password
In-Reply-To:
References:
Message-ID: <1116871598.30539.351.camel@csdpc10.arlut.utexas.edu>

On Mon, 2005-05-23 at 13:06 +0200, Daniel LB wrote:
> I have only come across the passwd(user,oldpw,newpw) function, which
> requires the old password, but if you are logged in as Administrator
> you should be able to *set* the users' password directly, no?

Are you doing this with Active Directory (I ask because you mention "Administrator" in your email)? If not, then ignore the rest of this message. :)

But if so, then here's some code that I use:

    import ldap

    userdn = "cn=foo,cn=users,dc=blah,dc=org"
    pw = "1337secret"

    # AD requires that passwords be enclosed in quotes
    # and properly encoded
    adpw = unicode('"' + pw + '"', "iso-8859-1")
    adpw = adpw.encode("utf-16-le")

    # conn is an established LDAP connection
    conn.modify_s(userdn, [(ldap.MOD_REPLACE, "unicodePwd", adpw)])

Also, this snippet requires that your LDAP connection to the AD server is encrypted. AD won't let you modify certain attributes over an unencrypted connection.

Cheers!
deepak

--
Deepak Giridharagopal

From daniel1337 at gmail.com Tue May 24 14:21:40 2005
From: daniel1337 at gmail.com (Daniel LB)
Date: Tue, 24 May 2005 14:21:40 +0200
Subject: Setting password
In-Reply-To: <1116871598.30539.351.camel@csdpc10.arlut.utexas.edu>
References: <1116871598.30539.351.camel@csdpc10.arlut.utexas.edu>
Message-ID:

Yes, I am doing this with AD.

I tried what you said and the error message I got back was WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's because I don't use any encryption on my connection.

But, since I'm only connecting to localhost, is encryption really necessary?

Anyway.. could you give me an example of how you establish your encrypted connection?
thanks
//daniel

On 5/23/05, Deepak Giridharagopal wrote:
> On Mon, 2005-05-23 at 13:06 +0200, Daniel LB wrote:
> > I have only come across the passwd(user,oldpw,newpw) function, which
> > requires the old password, but if you are logged in as Administrator
> > you should be able to *set* the users' password directly, no?
>
> Are you doing this with Active Directory (I ask because you mention
> "Administrator" in your email)? If not, then ignore the rest of this
> message. :)
>
> But if so, then here's some code that I use:
>
> userdn = "cn=foo,cn=users,dc=blah,dc=org"
> pw = "1337secret"
>
> # AD requires that passwords be enclosed in quotes
> # and properly encoded
> adpw = unicode('"' + pw + '"', "iso-8859-1")
> adpw = adpw.encode("utf-16-le")
>
> # conn is an established LDAP connection
> conn.modify_s(userdn, [(ldap.MOD_REPLACE, "unicodePwd", adpw)])
>
> Also, this snippet requires that your LDAP connection to the AD server
> is encrypted. AD won't let you modify certain attributes over an
> unencrypted connection.
>
> Cheers!
> deepak
>
> --
> Deepak Giridharagopal
>
>

From bjorn.grotan at itea.ntnu.no Tue May 24 14:31:19 2005
From: bjorn.grotan at itea.ntnu.no (Bjorn Ove Grotan)
Date: Tue, 24 May 2005 14:31:19 +0200
Subject: Setting password
In-Reply-To:
References: <1116871598.30539.351.camel@csdpc10.arlut.utexas.edu>
Message-ID: <20050524123119.GC5979@itea.ntnu.no>

Daniel LB:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.
>
> But, since I'm only connecting to localhost, is encryption really necessary?

Depends on whether your server allows non-encrypted authentication or not. In general, I wouldn't do non-anonymous non-encrypted authentication.

> Anyway.. could you give me an example of how you establish your
> encrypted connection?
TLS:

    import ldap

    l = ldap.open("localhost")
    l.start_tls_s()  # Now we've got tls over port 389
    l.simple_bind("someuser", "secret")

SSL:

    import ldap

    # use fqdn and/or cn in the certificate here; an ldaps:// URL is
    # needed, a bare host name is not accepted by initialize()
    l = ldap.initialize("ldaps://localhost")
    # That's it.. we've got ldap using SSL -> Secure socket layer
    l.simple_bind("someuser", "secret")

--
Regards

Bjørn Ove Grøtan

From deepak at arlut.utexas.edu Tue May 24 22:56:14 2005
From: deepak at arlut.utexas.edu (Deepak Giridharagopal)
Date: Tue, 24 May 2005 15:56:14 -0500
Subject: Setting password
In-Reply-To:
References: <1116871598.30539.351.camel@csdpc10.arlut.utexas.edu>
Message-ID: <1116968175.30539.381.camel@csdpc10.arlut.utexas.edu>

On Tue, 2005-05-24 at 14:21 +0200, Daniel LB wrote:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.

Perhaps. AD has the habit of throwing the WILL_NOT_PERFORM error in all kinds of weird situations. :)

> But, since I'm only connecting to localhost, is encryption really necessary?

The short answer is "yes". :)

The long answer is that this is a restriction that AD imposes upon us:

"The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption."

This is from: http://support.microsoft.com/default.aspx?scid=kb;en-us;269190

> Anyway.. could you give me an example of how you establish your
> encrypted connection?

What Bjørn says is largely correct, except that with AD you have to go through some pain to get it to do LDAP/SSL. It's much more painful than with OpenLDAP, unfortunately (my kingdom for a simple config file!). Here's what you do:

1) Install an "Enterprise Certificate Authority" onto your AD server. You can do this through the Control Panel -> "Add/Remove Windows Components"

2) You'll need to create 2 new "Automatic Certificate Requests", one for "Computer" and one for "Domain Controller". Do this via "Domain Controller Security Policy" -> "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Public Key Policies" -> (right-click on "Automatic Certificate Request Settings") -> (choose "New") -> (choose "Automatic Certificate Request"). Do this step twice, once to make a "Computer" cert, and once for a "Domain Controller" cert.

3) At this point, you should be able to connect via SSL (I'm not sure if the AD server requires a reboot or not...)

4) Here's how I establish an SSL connection in Python:

    import ldap

    # Disable strict certificate checking, since you've made up your
    # own certificate for SSL
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    # Disable OpenLDAP referral chasing, which can cause trouble with
    # AD
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    # Create the connection
    conn = ldap.initialize("ldaps://localhost")
    conn.simple_bind_s("username", "password")

Ta da!

I know it's a lot of work, but that's the only way I know of to get AD to do LDAP/SSL. Here is a (pretty worthless) article from MSDN about it: http://support.microsoft.com/default.aspx?scid=kb;en-us;247078

Hope this helps!
:)

Cheers,
deepak

--
Deepak Giridharagopal

From michael at stroeder.com Tue May 31 09:33:06 2005
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 31 May 2005 09:33:06 +0200
Subject: [Patch] RFC 2696 and reception of server controls
In-Reply-To:
References:
Message-ID: <429C1332.6020802@stroeder.com>

Ames Andreas wrote:
>
> the attached patch tries to implement what subject says.

Many thanks for your patch submission. I'll review and test it. This will take a couple of days before I can follow-up.

I'd like to encourage other list members to test and comment too.

Ciao, Michael.

From fabio.marcone at duet.it Fri Jun 3 11:30:06 2005
From: fabio.marcone at duet.it (Fabio Marcone)
Date: Fri, 3 Jun 2005 11:30:06 +0200
Subject: LDIFWriter
Message-ID: <200506031130.07083.fabio.marcone@duet.it>

Hi!

I need to back up an LDAP directory from Python. I tried to follow the example in the docs about LDIFWriter, but I have this problem: I want to have the LDIF output in a file, not on standard output, so how can I do that? What parameter do I have to pass to LDIFWriter in place of sys.stdout?

Thanks in advance,
Fabio Marcone

--
Dott. Fabio Marcone
2T srl
Phone +39 - 0871- 540154
Fax +39 - 0871- 571594
Address Viale B. Croce 573, 66013 Chieti Scalo (CH)

From michael at stroeder.com Fri Jun 3 11:36:51 2005
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 03 Jun 2005 11:36:51 +0200
Subject: LDIFWriter
In-Reply-To: <200506031130.07083.fabio.marcone@duet.it>
References: <200506031130.07083.fabio.marcone@duet.it>
Message-ID: <42A024B3.4070602@stroeder.com>

Fabio Marcone wrote:
> I need to back up an LDAP directory from Python. I tried to follow the example in
> the docs about LDIFWriter, but I have this problem: I want to have the LDIF output
> in a file, not on standard output, so how can I do that? What parameter do I
> have to pass to LDIFWriter in place of sys.stdout?
Simply pass a file object as argument:

    import ldif

    f = open('/tmp/dirbackup.ldif', 'wb')
    ldif_writer = ldif.LDIFWriter(f)

Ciao, Michael.

From fabio.marcone at duet.it Fri Jun 3 12:17:15 2005
From: fabio.marcone at duet.it (Fabio Marcone)
Date: Fri, 3 Jun 2005 12:17:15 +0200
Subject: LDIFWriter
In-Reply-To: <42A024B3.4070602@stroeder.com>
References: <200506031130.07083.fabio.marcone@duet.it> <42A024B3.4070602@stroeder.com>
Message-ID: <200506031217.15886.fabio.marcone@duet.it>

Thanks very much!

Where can I find other docs about LDIFWriter (and the ldif parser)?

Thanks,
Fabio

At 11:36, Friday 03 June 2005, Michael Ströder wrote:
> Fabio Marcone wrote:
> > I need to back up an LDAP directory from Python. I tried to follow the example
> > in the docs about LDIFWriter, but I have this problem: I want to have the LDIF
> > output in a file, not on standard output, so how can I do that? What
> > parameter do I have to pass to LDIFWriter in place of sys.stdout?
>
> Simply pass a file object as argument:
>
> f = open('/tmp/dirbackup.ldif','wb')
> ldif_writer=ldif.LDIFWriter(f)
>
> Ciao, Michael.
>
>

From michael at stroeder.com Fri Jun 3 12:42:47 2005
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 03 Jun 2005 12:42:47 +0200
Subject: LDIFWriter
In-Reply-To: <200506031217.15886.fabio.marcone@duet.it>
References: <200506031130.07083.fabio.marcone@duet.it> <42A024B3.4070602@stroeder.com> <200506031217.15886.fabio.marcone@duet.it>
Message-ID: <42A03427.6020108@stroeder.com>

Fabio Marcone wrote:
> Where can I find other docs about LDIFWriter (and the ldif parser)?

Sorry, no decent documentation for module 'ldif' yet. Use the source and the example in Demo/Lib/ldif/. Also there are some __doc__ strings which you could view with pydoc.

Urrgs! I did not include the classes in ldif.__all__ which prevents pydoc from including them in the output. Anyway I've attached a correct pydoc-generated ldif.html (gzipped).

Ciao, Michael.
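To make concrete what an LDIFWriter does with the file object it is handed, here is an added, stand-alone illustration that is not python-ldap's ldif module and is not code from the thread: a minimal LDIF (RFC 2849) writer in Python 3 that needs no python-ldap installation. It shows the two details a backup tool must get right and that are easy to miss when looking at sample output only: a value that is not safe for the plain "attr: value" form (leading space, ':' or '<', non-ASCII bytes, NUL/CR/LF, trailing space) is written base64-encoded as "attr:: ...", and lines longer than 76 characters are folded onto continuation lines that start with a single space. The sample entries and the helper names (needs_base64, fold, format_attr, write_ldif, ldif_string) are my own constructions.

```python
"""Stand-alone LDIF (RFC 2849) writer, added as an illustration of what
ldif.LDIFWriter does with the file object you pass it. This is NOT
python-ldap's ldif module; it runs without python-ldap installed."""
import base64
import io

MAX_LINE = 76  # RFC 2849 folds physical lines at 76 characters


def needs_base64(value: bytes) -> bool:
    """True if a value cannot be written as a plain 'attr: value' line.

    RFC 2849 allows the plain form only when the value starts with none
    of space, ':' or '<', contains only 7-bit ASCII without NUL/CR/LF
    and (a usual writer precaution) does not end with a space.
    """
    if not value:
        return False
    if value[0] in b" :<" or value[-1] == 0x20:
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value)


def fold(line: str) -> str:
    """Fold one logical line into physical lines of at most MAX_LINE
    characters; every continuation line starts with a single space."""
    if len(line) <= MAX_LINE:
        return line
    pieces = [line[:MAX_LINE]]
    rest = line[MAX_LINE:]
    while rest:
        pieces.append(" " + rest[:MAX_LINE - 1])
        rest = rest[MAX_LINE - 1:]
    return "\n".join(pieces)


def format_attr(name: str, value: bytes) -> str:
    """Render one attribute value; unsafe values become 'attr:: base64'."""
    if needs_base64(value):
        return fold("%s:: %s" % (name, base64.b64encode(value).decode("ascii")))
    return fold("%s: %s" % (name, value.decode("ascii")))


def write_ldif(entries, out):
    """Write (dn, {attrtype: [bytes, ...]}) records to a text file object,
    one blank line between records, the way an LDIFWriter would."""
    for dn, attrs in entries:
        out.write(format_attr("dn", dn.encode("utf-8")) + "\n")
        for name in sorted(attrs):
            for value in attrs[name]:
                out.write(format_attr(name, value) + "\n")
        out.write("\n")


def ldif_string(entries) -> str:
    """Same as write_ldif, but returns the LDIF text."""
    buf = io.StringIO()
    write_ldif(entries, buf)
    return buf.getvalue()


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    ("cn=Jane Doe,ou=People,dc=example,dc=com", {
        "objectClass": [b"inetOrgPerson"],
        "cn": [b"Jane Doe"],
        "sn": [b"Doe"],
        "description": [b" leading space forces base64"],
    }),
    ("cn=J\u00f6rg Beispiel,ou=People,dc=example,dc=com", {
        "objectClass": [b"inetOrgPerson"],
        "cn": ["J\u00f6rg Beispiel".encode("utf-8")],  # non-ASCII -> base64
        "sn": [b"Beispiel"],
        "description": [b"x" * 100],                    # long value -> folded
    }),
]

if __name__ == "__main__":
    # The equivalent of handing a file object to ldif.LDIFWriter(f)
    with open("/tmp/dirbackup.ldif", "w", encoding="ascii") as f:
        write_ldif(SAMPLE_ENTRIES, f)
    print(ldif_string(SAMPLE_ENTRIES))
```

A backup produced this way is byte-exact for every value, including binary ones such as certificates or password hashes, which is the reason the base64 rule exists; a writer that skipped it would silently corrupt those attributes on restore.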
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldif.html.gz
Type: application/x-gzip
Size: 2613 bytes
Desc: not available
URL:

From michael at stroeder.com Thu Jun 9 01:09:03 2005
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 09 Jun 2005 01:09:03 +0200
Subject: FYI: python-ldap and web2ldap at OpenLDAP booth, Linuxtag 2005
Message-ID: <42A77A8F.9020005@stroeder.com>

Hi!

Once again OpenLDAP will be presented by a team of volunteers at Linuxtag 2005 in Karlsruhe, Germany from Wednesday, 2005-06-22 until Saturday, 2005-06-25

http://www.linuxtag.de/2005/

Several deployment scenarios based on OpenLDAP will be demonstrated with various LDAP clients. I will also present web2ldap and answer questions about python-ldap too. I'd be glad to meet members of the community personally there.

See you at booth F87!

Ciao, Michael.

--
Michael Ströder
E-Mail: michael at stroeder.com
http://www.stroeder.com

From fabio.marcone at duet.it Fri Jun 10 11:58:56 2005
From: fabio.marcone at duet.it (Fabio Marcone)
Date: Fri, 10 Jun 2005 11:58:56 +0200
Subject: password bind
Message-ID: <200506101158.57605.fabio.marcone@duet.it>

Hi!

I would like to know if there is a way to pass an encrypted password to the bind() method. I read this password from a configuration file and would rather not write the password in it in clear text.

Thanks in advance,
Fabio

--
Dott. Fabio Marcone
2T srl
Phone +39 - 0871- 540154
Fax +39 - 0871- 571594
Address Viale B. Croce 573, 66013 Chieti Scalo (CH)

From michael at stroeder.com Fri Jun 10 13:40:09 2005
From: michael at stroeder.com (Michael Ströder)
Date: Fri, 10 Jun 2005 13:40:09 +0200
Subject: password bind
In-Reply-To: <200506101158.57605.fabio.marcone@duet.it>
References: <200506101158.57605.fabio.marcone@duet.it>
Message-ID: <42A97C19.7070601@stroeder.com>

Fabio Marcone wrote:
> I would like to know if there is a way to pass an encrypted password to the bind() method.
Which entity do you want to decrypt this password and with which key?

LDAPv3 requires a clear-text password to be passed with a simple bind request. If you want to protect the password from being sniffed you have to protect your LDAP connection with SSL or TLS. Another option is to use SASL bind with a reasonably strong challenge-response mechanism (e.g. DIGEST-MD5).

> I read this password from a configuration file and would rather not write the password
> in it in clear text.

This has nothing to do with python-ldap or LDAPv3. The only thing which helps is to avoid having to store a password in your configuration. It's impossible to give better advice without any background information about what your LDAP client looks like.

Ciao, Michael.

From francois.beretti at free.fr Fri Jun 10 13:44:44 2005
From: francois.beretti at free.fr (François Beretti)
Date: Fri, 10 Jun 2005 13:44:44 +0200
Subject: password bind
In-Reply-To: <200506101158.57605.fabio.marcone@duet.it>
References: <200506101158.57605.fabio.marcone@duet.it>
Message-ID: <42A97D2C.7040808@free.fr>

Fabio Marcone wrote:

>Hi!
>I would like to know if there is a way to pass an encrypted password to the bind() method.
>I read this password from a configuration file and would rather not write the password
>in it in clear text.
>
>

Hi Fabio

If it was possible to bind with an encrypted password, and someone read your encrypted password, then they could authenticate. So it is useless to encrypt it, because it does not prevent someone from using it :-)

Anyway, it is not possible. The LDAP API needs the clear text password. This is not a problem, considering the explanation above.

François

>Thanks in advance,
>Fabio
>
>
>

From Andreas.Ames at comergo.com Mon May 30 13:08:45 2005
From: Andreas.Ames at comergo.com (Ames Andreas)
Date: Mon, 30 May 2005 13:08:45 +0200
Subject: [Patch] RFC 2696 and reception of server controls
Message-ID:

Hi all,

the attached patch tries to implement what subject says.
It is barely tested (only against Active Directory) and it is diffed against stock 2.0.7 release (because I need it this way and because I have no CVS access by courtesy of a corp. firewall). It is actually a small add-on to Deepak Giridharagopal's control patch.

Here is a minimalistic usage example. You might want to edit the four constants at the very beginning of the sample code, to make it behave meaningfully in your environment:

------------ ----------------
    url = "ldap://your.ldap.server/"
    base = "ou=your,dc=base,dc=dn"
    search_flt = r'(sn=a*)'
    page_size = 100

    import ldap
    from ldap.controls import LDAPControl

    ldap.set_option(ldap.OPT_REFERRALS, 0)
    l = ldap.initialize(url)
    l.bind_s(r"tnbk1\ts62fr", "webti", ldap.AUTH_SIMPLE)

    pctrl_val = ldap.encode_page_control(page_size, '')
    msgid = l.search_ext(base, ldap.SCOPE_SUBTREE, search_flt,
                         serverctrls=[LDAPControl(ldap.LDAP_CONTROL_PAGE_OID, True, pctrl_val)])

    pages = 0
    while True:
        pages += 1
        print "Getting page %d" % (pages,)
        rtype, rdata, rmsgid, serverctrls = l.result3(msgid)
        pctrls = [c for c in serverctrls if c[0] == ldap.LDAP_CONTROL_PAGE_OID]
        if pctrls:
            # l.result3 returns raw tuples, no LDAPControl instances
            # this is just a matter of taste and can be easily changed
            est, cookie = ldap.decode_page_control(pctrls[0][2])
            if cookie:
                pctrl_val = ldap.encode_page_control(page_size, cookie)
                msgid = l.search_ext(base, ldap.SCOPE_SUBTREE, search_flt,
                                     serverctrls=[LDAPControl(ldap.LDAP_CONTROL_PAGE_OID, True, pctrl_val)])
            else:
                break
        else:
            print "Warning: Server ignores RFC 2696 control."
            break
------------ ----------------

HTH,

aa

--
Andreas Ames | Programmer | Comergo GmbH |
Voice: +49 69 7505 3213 | andreas . ames AT comergo . com
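As an added, runnable illustration of both the RFC 2696 loop in the sample above and the (None, [url]) search-reference tuples Jens describes in the "python-ldap vs. Active directory" thread, here is a Python 3 program that is neither part of the patch nor of python-ldap and needs no LDAP server. It BER-encodes and decodes the paged-results control value by hand (SEQUENCE { size INTEGER, cookie OCTET STRING }, the same job ldap.encode_page_control / ldap.decode_page_control do in the sample), plays the server side with a constructed in-memory directory (FakeDirectory, whose cookie is a plain offset; real servers return an opaque cookie that the client must echo unchanged), and runs the client loop, sorting search references out of each page instead of letting them reach code that expects a dictionary of attributes. FakeDirectory, paged_search, is_search_reference and SAMPLE_RESULTS are my own names; the control OID is the real pagedResultsControl OID.

```python
"""Added illustration: RFC 2696 paged results plus search-reference
filtering, in pure Python 3. Not part of the patch or of python-ldap."""

PAGE_CONTROL_OID = "1.2.840.113556.1.4.319"  # pagedResultsControl (RFC 2696)


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _ber_integer(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    if n < 0:
        raise ValueError("negative sizes are not valid here")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _ber_read(data: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def encode_page_control(size: int, cookie: bytes) -> bytes:
    """Control value: SEQUENCE { size INTEGER, cookie OCTET STRING }."""
    return _ber_tlv(0x30, _ber_tlv(0x02, _ber_integer(size)) + _ber_tlv(0x04, cookie))


def decode_page_control(value: bytes):
    """Parse a control value into (size, cookie). In a request size is the
    page size; in a response it is the server's estimate of the total."""
    tag, seq, _ = _ber_read(value, 0)
    if tag != 0x30:
        raise ValueError("paged results control value is not a SEQUENCE")
    int_tag, int_body, pos = _ber_read(seq, 0)
    str_tag, cookie, _ = _ber_read(seq, pos)
    if int_tag != 0x02 or str_tag != 0x04:
        raise ValueError("unexpected element types in control value")
    return int.from_bytes(int_body, "big", signed=True), cookie


def is_search_reference(item) -> bool:
    """True for the (None, [url, ...]) tuples that show up among search
    results when the client library is told not to chase referrals."""
    dn, value = item
    return dn is None or not isinstance(value, dict)


class FakeDirectory:
    """Constructed server side: serves one fixed result list page by page.
    The cookie is the offset into the list; empty cookie = last page."""

    def __init__(self, results):
        self.results = results

    def search(self, control_value: bytes):
        size, cookie = decode_page_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0
        stop = min(start + size, len(self.results))
        next_cookie = b"" if stop >= len(self.results) else stop.to_bytes(2, "big")
        return self.results[start:stop], encode_page_control(len(self.results), next_cookie)


def paged_search(directory, page_size: int):
    """Client loop as in the sample above; returns (entries, references, pages)."""
    entries, references, pages, cookie = [], [], 0, b""
    while True:
        pages += 1
        rdata, response_control = directory.search(encode_page_control(page_size, cookie))
        for item in rdata:
            (references if is_search_reference(item) else entries).append(item)
        if response_control is None:  # server ignores RFC 2696: stop here
            break
        _estimate, cookie = decode_page_control(response_control)
        if not cookie:  # empty cookie: that was the last page
            break
    return entries, references, pages


# Constructed data, not real directory contents: seven entries and one
# search reference of the shape AD hands back with referral chasing off.
SAMPLE_RESULTS = [("cn=user%d,ou=People,dc=example,dc=test" % i, {"sn": [b"User%d" % i]})
                  for i in range(7)]
SAMPLE_RESULTS.insert(4, (None, ["ldap://ForestDnsZones.example.test/DC=ForestDnsZones,DC=example,DC=test"]))

if __name__ == "__main__":
    found, refs, n = paged_search(FakeDirectory(SAMPLE_RESULTS), 3)
    print("%d entries, %d references, %d pages" % (len(found), len(refs), n))
```

Two points carry over to the real python-ldap loop: the client must stop as soon as the returned cookie is empty (otherwise it restarts from the first page), and it must treat the absence of the response control as "server does not page" rather than looping on the first page forever, which is the case the sample's "Server ignores RFC 2696 control" branch covers.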
Name: python-ldap_page-control.patch
Type: text/x-patch
Size: 10014 bytes
Desc: enable rfc 2696 controls
URL:

From michael at stroeder.com Tue Jun 14 19:53:59 2005
From: michael at stroeder.com (Michael Ströder)
Date: Tue, 14 Jun 2005 19:53:59 +0200
Subject: [Patch] RFC 2696 and reception of server controls
In-Reply-To:
References:
Message-ID: <42AF19B7.207@stroeder.com>

Andreas,

Ames Andreas wrote:
>
> the attached patch tries to implement what subject says. It is barely
> tested (only against Active Directory) and it is diffed against stock
> 2.0.7 release (because I need it this way and because I have no CVS
> access by courtesy of a corp. firewall). It is actually a small
> add-on to Deepak Giridharagopal's control patch.

Thanks for your contribution. It also seems to work with OpenLDAP 2.3.

I've committed the changes under Modules/ and cleaned up things for Lib/ a little bit. The new file Demo/page_control.py demonstrates the use of ldap.controls.SimplePagedResultsControl.

Please sync with CVS and test. If you don't have access to CVS e-mail me personally and I'll send a tar.gz snapshot.

Ciao, Michael.

From Andreas.Ames at comergo.com Wed Jun 15 12:19:44 2005
From: Andreas.Ames at comergo.com (Ames Andreas)
Date: Wed, 15 Jun 2005 12:19:44 +0200
Subject: [Patch] RFC 2696 and reception of server controls
Message-ID:

Hello Michael,

Michael Ströder wrote:

> Thanks for your contribution. It also seems to work with OpenLDAP
> 2.3.

Thank you much more for all the work and energy that you invest into python-ldap to make it as useful as it is.

> I've committed the changes under Modules/ and cleaned up things for
> Lib/ a little bit. The new file Demo/page_control.py demonstrates
> the use of ldap.controls.SimplePagedResultsControl.

Thanks again.

> Please sync with CVS and test. If you don't have access to CVS
> e-mail me personally and I'll send a tar.gz snapshot.

I just had a cursory glance at it and it looks good to me.
One very minor issue is that the comment about returning plain tuples in the page control demo is no longer prevailing because of your enhancements of the result3 method.

When I get around to it (and that may very well take some time) I will just use http://cvs.sourceforge.net/cvstarballs/python-ldap-cvsroot.tar.bz2 to get a cvs snapshot.

cheers,

aa

--
Andreas Ames | Programmer | Comergo GmbH |
Voice: +49 69 7505 3213 | andreas . ames AT comergo . com

From jens at dataflake.org Tue Jun 28 15:51:03 2005
From: jens at dataflake.org (Jens Vagelpohl)
Date: Tue, 28 Jun 2005 14:51:03 +0100
Subject: python-ldap under OS X 10.4
Message-ID: <444FE8BA-2D3A-4681-A02E-E37A3D449936@dataflake.org>

Hi guys,

I find myself unable to use python-ldap compiled under OS X 10.4. It compiles, but loading it leads to unresolved symbols.

Environment:

- OS X 10.4.1
- Python 2.4.1, compiled separately from the system's own python, no special options
- in setup.cfg, I set "libs = ldap_r lber"

_ldap.so ends up being linked against the following:

    _ldap.so:
        /System/Library/Frameworks/LDAP.framework/Versions/A/LDAP (compatibility version 1.0.0, current version 2.2.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 88.0.0)

When I load it in the interpreter I see this:

    Python 2.4.1 (#1, Jun 9 2005, 13:53:37)
    [GCC 4.0.0 20041026 (Apple Computer, Inc. build 4061)] on darwin
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import _ldap
    Traceback (most recent call last):
      File "", line 1, in ?
    ImportError: Failure linking new module: _ldap.so: Symbol not found: _ldap_matchingrule_free
      Referenced from: _ldap.so
      Expected in: dynamic lookup

Has anyone found a way around this?
jens

From jens at dataflake.org Wed Jun 29 09:24:11 2005
From: jens at dataflake.org (Jens Vagelpohl)
Date: Wed, 29 Jun 2005 08:24:11 +0100
Subject: python-ldap under OS X 10.4
In-Reply-To: <444FE8BA-2D3A-4681-A02E-E37A3D449936@dataflake.org>
References: <444FE8BA-2D3A-4681-A02E-E37A3D449936@dataflake.org>
Message-ID: <1948BB9B-AA8E-40E8-8F0F-B427455F0FD8@dataflake.org>

On 28 Jun 2005, at 14:51, Jens Vagelpohl wrote:

> Hi guys,
>
> I find myself unable to use python-ldap compiled under OS X 10.4.
> It compiles, but loading it leads to unresolved symbols.

Just to close out this thread, if you compile python-ldap against your own hand-rolled OpenLDAP instead of the system-provided libraries/headers it works fine. So basically the fault lies with the crummy OL libraries shipped with OS X 10.4. This is a recent breakage, it did not occur on any 10.3 version.

So now I'm happily running python-ldap 2.0.8 on both Python 2.4.1 and 2.3.5 built against OL 2.2.26/BDB 4.52.4 on OS X.

For those who have tried to build Python 2.3.5 on OS X 10.4 and failed (such as me until yesterday) here's a howto:

http://blogs.nuxeo.com/sections/blogs/florent_guillaume/2005_05_21_compiling_python_2_3_5

jens