[python-ldap] Yet another Python3 port (Rapha?l Barrois)

python3ldap python3ldap at gmail.com
Sat Nov 23 20:22:54 CET 2013 

Hello Michael,
I've tried to keep the library simple and consistent with the RFCs. To
start an LDAP connection you create a Server object and one (or more)
Connection object.
In the Server object you specify the communication parameters:

from ldap3 import Server, Connection, Tls
server = Server('servername')  # define an unsecure LDAP server with
default parameters (port 389)

If you want a SSL connection just add useSsl=True and port=portNnumber
and a Tls object to the server definition:
server = Server('servername', port = 636, useSsl = True, tls = Tls())
# define a secure (over SSL) LDAP server with default Tls

then create the connection object specifying the authentication parameters:
connection = Connection(server, user = 'test-user', password =
'test-password')  # create a connection to the server (default to
simple authentication and synchronous communication strategy)

then use the connection as usual:
connection.open()
connection.bind()
results = connection.search(...)
connection.close()

To start a TLS connection with the StartTLS extension (on an already
created unsecure connection) you need a Tls object, if not already
passed to the server object:

connection.tls = Tls()

RFCs specify that Tls can be started either before or after bind:

before bind:
connection.open()
connection.startTls()
connection.bind()

after bind:
connection.open()
connection.bind()
connection.startTls()

The same Tls object is used in SSL connection and startTls operation.
It's quite complex because you have to define the needed tls
parameters to have a validated connection:
localPrivateKeyFile = None, localCertificateFile = None, validate =
ssl.CERT_NONE, version = ssl.PROTOCOL_TLSv1, caCertsFile = None

Internally, in the Tls object, I use the ssl package of the Python
standard library (present in Python2.6, 2.7, and 3.x). I wrap and
unwrap the network socket to add and remove the secure layer as needed
by the connection:

    def wrapSocket(self, sock, doHandshake = False):
        """
        Add TLS to a plain socket and return the SSL socket
        """
        return ssl.wrap_socket(sock, keyfile = self.privateKeyFile,
certfile = self.certificateFile, server_side = False, cert_reqs =
self.validate,
                               ssl_version = self.version, ca_certs =
self.caCertsFile, do_handshake_on_connect = doHandshake)

    @staticmethod
    def unwrapSocket(sock):
        """
        Remove TLS from an SSL socket and return the plain socket
        """
        return sock.unwrap()

For SASL I've developed a ldap3.protocol.sasl package that follow the
SaslPrep alghoritm as per RFC 4013 and a generic implementation for
EXTERNAL. Now I'm working on MD5 (even if this is deprecated in
RFC6331) and I'm not sure what other mechanism should be implemented.
That's all.

Ciao,
Giovanni

2013/11/23 Michael Ströder <michael at stroeder.com>:
> python3ldap wrote:
>> I've developed a pure python3 ldap client (can be used with python2
>> too) that doesn't need the openldap client extension. You can find it
>> on https://pypi.python.org/pypi/python3-ldap.
>
> Looks interesting. But I wonder how you deal with SSL/TLS and SASL.
>
> Ciao, Michael.
>

More information about the python-ldap mailing list