From ygormutti at dcc.ufba.br Sat Apr 17 17:39:44 2010
From: ygormutti at dcc.ufba.br (ygormutti at dcc.ufba.br)
Date: Sat, 17 Apr 2010 12:39:44 -0300
Subject: ldap.open() SSL patch
Message-ID: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>

Hi,

I'm a member of GrudeSL (Free Software Development Group) at UFBA
(Federal University of Bahia). We were trying to integrate our new
Django site authentication with the existing LDAP server, so we ran
for python-ldap and I can say it does its job very well (thank you
very much! :D).

But, we are unable to connect using ldap.open() because our server uses
the non-standardized LDAP over SSL scheme "ldaps", along with LDAPv3.
Although it worked when we used ldap.initialize(). So I wrote a patch
[1] that fixes this tiny little issue, while maintaining backward
compatibility.

I hope you find it useful.

[1] - http://pastebin.com/HxtgRAzg

Best regards,

--
Ygor Mutti (http://icaju.com - @Mamutti)

From michael at stroeder.com Sat Apr 17 18:02:56 2010
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 17 Apr 2010 18:02:56 +0200
Subject: ldap.open() SSL patch
In-Reply-To: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
Message-ID: <4BC9DBB0.2010804@stroeder.com>

ygormutti at dcc.ufba.br wrote:
> I'm a member of GrudeSL (Free Software Development Group) at UFBA
> (Federal University of Bahia). We were trying to integrate our new
> Django site authentication with the existing LDAP server, so we ran
> for python-ldap and I can say it does its job very well (thank you
> very much! :D).
>
> But, we are unable to connect using ldap.open() because our server uses
> the non-standardized LDAP over SSL scheme "ldaps", along with LDAPv3.
> Although it worked when we used ldap.initialize(). So I wrote a patch
> [1] that fixes this tiny little issue, while maintaining backward
> compatibility.

Using ldap.open() has been deprecated for quite a while now.
python-ldap applications still using this function should be fixed.

Frankly I fail to see the benefit of avoiding the use of ldap.initialize(). In
both cases you have to change the application (Django in your case) to make
proper use of either ldap.open(...,ssl=True) or ldap.initialize('ldaps://...').
In the first case it won't work with unpatched python-ldap.

=> I reject this patch. Maybe I've overlooked something though.

(Hopefully this does not discourage you from submitting patches in the future
though.)

> [1] - http://pastebin.com/HxtgRAzg

Feel free to submit patches as attachments to the mailing list next time.
Since then they get properly archived.

Ciao, Michael.

From ygormutti at dcc.ufba.br Sat Apr 17 18:57:40 2010
From: ygormutti at dcc.ufba.br (ygormutti at dcc.ufba.br)
Date: Sat, 17 Apr 2010 13:57:40 -0300
Subject: ldap.open() SSL patch
In-Reply-To: <4BC9DBB0.2010804@stroeder.com>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
Message-ID: <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>

Michael Ströder :

> Using ldap.open() has been deprecated for quite a while now. python-ldap
> applications still using this function should be fixed.

In this case, I think ldap.open() must raise a DeprecationWarning. Don't you?

--
Ygor Mutti (http://icaju.com - @Mamutti)

From michael at stroeder.com Sat Apr 17 19:28:29 2010
From: michael at stroeder.com (Michael Ströder)
Date: Sat, 17 Apr 2010 19:28:29 +0200
Subject: ldap.open() SSL patch
In-Reply-To: <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
 <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
Message-ID: <4BC9EFBD.2020801@stroeder.com>

ygormutti at dcc.ufba.br wrote:
> Michael Ströder :
>
>> Using ldap.open() has been deprecated for quite a while now. python-ldap
>> applications still using this function should be fixed.
>
> In this case, I think ldap.open() must raise a DeprecationWarning. Don't
> you?

Yes, you're right. I would accept such a patch. ;-)

At least it's documented:

http://www.python-ldap.org/doc/html/ldap.html#ldap.open

Ciao, Michael.

From ygormutti at dcc.ufba.br Sat Apr 17 22:04:26 2010
From: ygormutti at dcc.ufba.br (ygormutti at dcc.ufba.br)
Date: Sat, 17 Apr 2010 17:04:26 -0300
Subject: ldap.open() SSL patch
In-Reply-To: <4BC9EFBD.2020801@stroeder.com>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
 <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
 <4BC9EFBD.2020801@stroeder.com>
Message-ID: <20100417170426.16814u5xwd5lr3nu@webmail.dcc.ufba.br>

Michael Ströder :

> Yes, you're right. I would accept such a patch. ;-)
>
> At least it's documented:
>
> http://www.python-ldap.org/doc/html/ldap.html#ldap.open

I was using ldap.open because there are many code samples where it's
still used, in the tubes.

The new patch is attached. I hope to contribute with bigger patches in
future. :)

Thank you for the attention.

--
Ygor Mutti (http://icaju.com - @Mamutti)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: functions.patch
Type: text/x-patch
Size: 409 bytes
Desc: not available
URL:

From michael at stroeder.com Sun Apr 18 14:23:33 2010
From: michael at stroeder.com (Michael Ströder)
Date: Sun, 18 Apr 2010 14:23:33 +0200
Subject: ldap.open() SSL patch
In-Reply-To: <20100417170426.16814u5xwd5lr3nu@webmail.dcc.ufba.br>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
 <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
 <4BC9EFBD.2020801@stroeder.com>
 <20100417170426.16814u5xwd5lr3nu@webmail.dcc.ufba.br>
Message-ID: <4BCAF9C5.2090308@stroeder.com>

ygormutti at dcc.ufba.br wrote:
> Michael Ströder :
>
>> Yes, you're right. I would accept such a patch.
>> ;-)
>>
>> At least it's documented:
>>
>> http://www.python-ldap.org/doc/html/ldap.html#ldap.open
>
> I was using ldap.open because there are many code samples where it's
> still used, in the tubes.
>
> The new patch is attached.

Just raising DeprecationWarning exception breaks existing code. I have to
reject your patch. ;-)

I've checked in a solution which only outputs a warning (just like md5.py does
in recent Python releases). So old code should still work.

Ciao, Michael.

From jean-sebastien.mansart at bayard-service.com Fri Apr 30 09:00:14 2010
From: jean-sebastien.mansart at bayard-service.com (Jean-Sébastien Mansart)
Date: Fri, 30 Apr 2010 09:00:14 +0200
Subject: _ldap.so: undefined symbol: gnutls_alert_send
Message-ID: <4BDA7FFE.1040409@bayard-service.com>

Hi.

I've got this error with a Zope/Plone site :

Traceback (most recent call last):
  File "/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py", line 56, in ?
    run()
  File "/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py", line 21, in run
    starter.prepare()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py", line 102, in prepare
    self.startZope()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py", line 278, in startZope
    Zope2.startup()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py", line 47, in startup
    _startup()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py", line 45, in startup
    OFS.Application.import_products()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py", line 686, in import_products
    import_product(product_dir, product_name, raise_exc=debug_mode)
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py", line 709, in import_product
    product=__import__(pname, global_dict, global_dict, silly)
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py", line 22, in ?
    from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py", line 29, in ?
    from Products.LDAPUserFolder import manage_addLDAPUserFolder
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py", line 20, in ?
    from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py", line 47, in ?
    from Products.LDAPUserFolder.LDAPDelegate import filter_format
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py", line 19, in ?
    import ldap
  File "/home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py", line 22, in ?
    from _ldap import *
ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send

I have installed gnutls1.3, recompiled openldap, python-ldap, and so on,
but nothing works.

Could anyone help me?

Thanks.

--
Jean-Sébastien Mansart - Web Developer
Email : jean-sebastien.mansart at bayard-service.com
Tel : 04 79 26 28 29
Bayard Service Edition
Savoie Technolac - House Boat
BP308 - 73377 Le Bourget du Lac Cedex
www.bayardserviceweb.com

From michael at stroeder.com Mon May 3 13:11:51 2010
From: michael at stroeder.com (Michael Ströder)
Date: Mon, 03 May 2010 13:11:51 +0200
Subject: _ldap.so: undefined symbol: gnutls_alert_send
In-Reply-To: <4BDA7FFE.1040409@bayard-service.com>
References: <4BDA7FFE.1040409@bayard-service.com>
Message-ID: <4BDEAF77.3070808@stroeder.com>

Jean-Sébastien Mansart wrote:
>
> I've got this error with a Zope/Plone site :
> Traceback (most recent call last):
> [..]
> ImportError:
> /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so:
> undefined symbol: gnutls_alert_send
>
> I have installed gnutls1.3, recompiled openldap, python-ldap, and so on,
> but nothing works.

What does this command say?

ldd /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so

Note that there are various ways to install python-ldap:

1. Use pre-built packages from your Linux distributor.
2. Pre-built .egg-files which might be pulled in by dependencies of other
   installed .egg files. (Personally I'm not in favour of this since most
   people won't receive regular updates.)
3. Compile yourself and install.

Which SSL/TLS libs are used (OpenSSL or GNUtls) is determined by your OpenLDAP
build. For 1. and 2. you have to generally ask the distributor of the packages
which other software packages are needed.

If you tried 1., 2. and 3. you likely have a non-functional mixture of the
above. E.g. it seems your Zope/Plone installation (partially) pulls in a
pre-built .egg-file.

My recommendation is to remove all occurrences of python-ldap on your system
and try to cleanly do only one of the above. For 3. you have to exactly use
the Python interpreter your Zope/Plone installation will run with.

Ciao, Michael.

From michael at stroeder.com Thu Jun 3 14:53:57 2010
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 03 Jun 2010 14:53:57 +0200
Subject: Changed locking for function calls into _ldap
Message-ID: <4C07A5E5.8090507@stroeder.com>

Hi!

After Howard's answer

http://www.openldap.org/lists/openldap-software/201005/msg00054.html

I've relaxed the locking when calling functions of _ldap. Solely
_ldap.initialize() is now protected by a lock. Also there's now debug logging
for the locks if trace_level is 2 or higher.

Please review and test the code in HEAD especially with OpenLDAP 2.3 libs and
in a heavily threaded environment.

Ciao, Michael.

From ygormutti at dcc.ufba.br Mon Apr 19 17:12:15 2010
From: ygormutti at dcc.ufba.br (ygormutti at dcc.ufba.br)
Date: Mon, 19 Apr 2010 12:12:15 -0300
Subject: ldap.open() SSL patch
In-Reply-To: <4BCAF9C5.2090308@stroeder.com>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
 <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
 <4BC9EFBD.2020801@stroeder.com>
 <20100417170426.16814u5xwd5lr3nu@webmail.dcc.ufba.br>
 <4BCAF9C5.2090308@stroeder.com>
Message-ID: <20100419121215.136557gpbazl6rpr@webmail.dcc.ufba.br>

Michael Ströder :

> Just raising DeprecationWarning exception breaks existing code. I have to
> reject your patch. ;-)

I understand.

> I've checked in a solution which only outputs a warning (just like
> md5.py does
> in recent Python releases). So old code should still work.

I agree that this is a better solution for now.

BTW, python-ldap looks a little bit complicated to use. I wonder if it
has other functions just like ldap.open, making the API look more
complicated than it actually is. I think it would be nice for
python-ldap to have a major release with a simpler API.

I'll write a smaller API on top of python-ldap to ease the most
frequent use cases (simple authentication, searching, etc). If you
like the idea, maybe we can work together on it.

Thank you!

PS: Sorry for the bad English.

--
Ygor Mutti (http://icaju.com - @Mamutti)

From awilliam at opengroupware.us Mon Apr 19 19:56:56 2010
From: awilliam at opengroupware.us (Adam Tauno Williams)
Date: Mon, 19 Apr 2010 13:56:56 -0400
Subject: ldap.open() SSL patch
In-Reply-To: <20100419121215.136557gpbazl6rpr@webmail.dcc.ufba.br>
References: <20100417123944.10607ehzke5q8qio@webmail.dcc.ufba.br>
 <4BC9DBB0.2010804@stroeder.com>
 <20100417135740.74251mkhxv43w8zo@webmail.dcc.ufba.br>
 <4BC9EFBD.2020801@stroeder.com>
 <20100417170426.16814u5xwd5lr3nu@webmail.dcc.ufba.br>
 <4BCAF9C5.2090308@stroeder.com>
 <20100419121215.136557gpbazl6rpr@webmail.dcc.ufba.br>
Message-ID: <1271699816.7089.17.camel@linux-yu4c.site>

On Mon, 2010-04-19 at 12:12 -0300, ygormutti at dcc.ufba.br wrote:
> Michael Ströder :
> > Just raising DeprecationWarning exception breaks existing code. I have to
> > reject your patch. ;-)
> I understand.
> > I've checked in a solution which only outputs a warning (just like
> > md5.py does
> > in recent Python releases). So old code should still work.
> I agree that this is a better solution for now.
> BTW, python-ldap looks a little bit complicated to use. I wonder if it
> has other functions just like ldap.open, making the API look more
> complicated than it actually is. I think it would be nice for
> python-ldap to have a major release with a simpler API.
> I'll write a smaller API on top of python-ldap to ease the most
> frequent use cases (simple authentication, searching, etc). If you
> like the idea, maybe we can work together on it.

As an LDAP admin for more than a decade.... this is nearly impossible to
do without losing generality [especially authentication; and I expect
most applications implement an 'authentication' class anyway]. A search
is a single method call, which seems pretty simple to me.

Perhaps you should look at the ldaphelper module created by Butcher. It
simplifies a few things, at minimal expense.

> PS: Sorry for the bad English.
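
The deprecation trade-off discussed in this thread (raising DeprecationWarning breaks existing callers, emitting it as a warning does not), shown as an added example that is not part of the thread and not python-ldap's own code. `initialize` here is a local stub, the other function names are hypothetical, and the sketch assumes the host/port wrapper can only build a plaintext `ldap://` URI.

```python
import warnings

MESSAGE = "open() is deprecated, use initialize() instead"


def initialize(uri):
    # Local stub standing in for a connection factory; it only records the URI.
    return {"uri": uri}


def open_raising(host, port=389):
    # Variant that raises: the caller never gets a connection object back.
    raise DeprecationWarning(MESSAGE)


def open_warning(host, port=389):
    # Variant that warns: stacklevel=2 attributes the warning to the caller's
    # line, then the call proceeds as before. Assumption of this sketch: the
    # host/port form only yields ldap://, so ldaps:// needs initialize().
    warnings.warn(MESSAGE, DeprecationWarning, stacklevel=2)
    return initialize("ldap://%s:%d" % (host, port))


def run_legacy(open_func, strict=False):
    """Call open_func the way old application code would.

    Returns (connection, warning messages, exception). With strict=True the
    filter promotes DeprecationWarning to an error, which is how a test suite
    can flush out remaining callers without changing production behaviour.
    """
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("error" if strict else "always", DeprecationWarning)
        try:
            conn, error = open_func("ldap.example.org"), None  # constructed host
        except DeprecationWarning as exc:
            conn, error = None, exc
    return conn, [str(w.message) for w in caught], error


if __name__ == "__main__":
    for func in (open_raising, open_warning):
        print(func.__name__, run_legacy(func), run_legacy(func, strict=True))
```
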