From peptekmail at gmail.com  Thu Jan 21 15:25:47 2021
From: peptekmail at gmail.com (Per-Erik Persson)
Date: Thu, 21 Jan 2021 21:25:47 +0100
Subject: [python-ldap] Updating binary data with python-ldap
Message-ID:

After siphoning the internet without any luck on how to insert a
DER-formatted certificate into the userCertificate field I turn to this
mailing list.

Python-ldap complains even if 'userCertificte;binary' is used.

Using the openldap client with a ldif file works.
Does anyone have a working code example in python?

From william at blackhats.net.au  Sun Jan 24 23:55:10 2021
From: william at blackhats.net.au (William Brown)
Date: Mon, 25 Jan 2021 14:55:10 +1000
Subject: [python-ldap] Updating binary data with python-ldap
In-Reply-To:
References:
Message-ID: <8D32D029-EDB3-41EB-8075-AF1BACA32336@blackhats.net.au>

> On 22 Jan 2021, at 06:25, Per-Erik Persson wrote:
>
> After siphoning the internet without any luck on how to insert a
> DER-formatted certificate into the userCertificate field I turn to this
> mailing list.
>
> Python-ldap complains even if 'userCertificte;binary' is used.

The ';binary' tag is just a hint that it contains binary data, it doesn't
tell the server to accept it.

During the python2 to 3 migration, this caused a lot of "pain" in this
area, as Python's utf8 strings *aren't* the same as a binary buffer. We
ended up with an "ensure_bytes" function for trying to support this bridged
between python2/3

>
> Using the openldap client with a ldif file works.
> Does anyone have a working code example in python?
>

with open(der_path, 'rb') as f:
    val = f.read()

if val is not None and type(val) != bytes:
    val = val.encode()

conn.modify_s(dn, [(ldap.MOD_ADD, 'usercertificate;binary', val)], ...)

Maybe try this? We have this in lib389 as part of 389-ds and it works for us.
Remember the userCertificate field expects a DER cert, not PEM, but this
could end up with some implementation specifics.

>
> _______________________________________________
> python-ldap mailing list
> python-ldap at python.org
> https://mail.python.org/mailman/listinfo/python-ldap

--
Sincerely,

William

From peptekmail at gmail.com  Tue Jan 26 13:56:45 2021
From: peptekmail at gmail.com (Per-Erik Persson)
Date: Tue, 26 Jan 2021 19:56:45 +0100
Subject: [python-ldap] Updating binary data with python-ldap
In-Reply-To: <8D32D029-EDB3-41EB-8075-AF1BACA32336@blackhats.net.au>
References: <8D32D029-EDB3-41EB-8075-AF1BACA32336@blackhats.net.au>
Message-ID:

Thanks, it works!

There was a newline in the DER-file!
The openldap client can handle that but not python-ldap.
But the error message was not obvious to me.

On Mon, 25 Jan 2021 at 05:55, William Brown wrote:

>
>
> > On 22 Jan 2021, at 06:25, Per-Erik Persson wrote:
> >
> > After siphoning the internet without any luck on how to insert a
> > DER-formatted certificate into the userCertificate field I turn to this
> > mailing list.
> >
> > Python-ldap complains even if 'userCertificte;binary' is used.
>
> The ';binary' tag is just a hint that it contains binary data, it doesn't
> tell the server to accept it.
>
> During the python2 to 3 migration, this caused a lot of "pain" in this
> area, as Python's utf8 strings *aren't* the same as a binary buffer. We
> ended up with an "ensure_bytes" function for trying to support this bridged
> between python2/3
>
> >
> > Using the openldap client with a ldif file works.
> > Does anyone have a working code example in python?
> >
>
> with open(der_path, 'rb') as f:
>     val = f.read()
>
> if val is not None and type(val) != bytes:
>     val = val.encode()
>
> conn.modify_s(dn, [(ldap.MOD_ADD, 'usercertificate;binary', val)], ...)
>
>
> Maybe try this? We have this in lib389 as part of 389-ds and it works for
> us.
> Remember the userCertificate field expects a DER cert, not PEM, but
> this could end up with some implementation specifics.
>
> --
> Sincerely,
>
> William
>

From william at blackhats.net.au  Tue Jan 26 20:00:01 2021
From: william at blackhats.net.au (William Brown)
Date: Wed, 27 Jan 2021 11:00:01 +1000
Subject: [python-ldap] Updating binary data with python-ldap
In-Reply-To:
References: <8D32D029-EDB3-41EB-8075-AF1BACA32336@blackhats.net.au>
Message-ID: <448F32CA-B41B-4D2D-8120-4FA6D1FE5C5F@blackhats.net.au>

No problem mate, happy to have helped,

> On 27 Jan 2021, at 04:56, Per-Erik Persson wrote:
>
> Thanks, it works!
>
> There was a newline in the DER-file!
> The openldap client can handle that but not python-ldap.
> But the error message was not obvious to me.
>
>
> On Mon, 25 Jan 2021 at 05:55, William Brown wrote:
>
>
> > On 22 Jan 2021, at 06:25, Per-Erik Persson wrote:
> >
> > After siphoning the internet without any luck on how to insert a
> > DER-formatted certificate into the userCertificate field I turn to this
> > mailing list.
> >
> > Python-ldap complains even if 'userCertificte;binary' is used.
>
> The ';binary' tag is just a hint that it contains binary data, it doesn't
> tell the server to accept it.
>
> During the python2 to 3 migration, this caused a lot of "pain" in this
> area, as Python's utf8 strings *aren't* the same as a binary buffer. We
> ended up with an "ensure_bytes" function for trying to support this bridged
> between python2/3
>
> >
> > Using the openldap client with a ldif file works.
> > Does anyone have a working code example in python?
> >
>
> with open(der_path, 'rb') as f:
>     val = f.read()
>
> if val is not None and type(val) != bytes:
>     val = val.encode()
>
> conn.modify_s(dn, [(ldap.MOD_ADD, 'usercertificate;binary', val)], ...)
>
>
> Maybe try this? We have this in lib389 as part of 389-ds and it works for
> us. Remember the userCertificate field expects a DER cert, not PEM, but
> this could end up with some implementation specifics.
>
> --
> Sincerely,
>
> William
>

--
Sincerely,

William

From john+python_org at daaave.org  Wed Feb 10 17:44:17 2021
From: john+python_org at daaave.org (John)
Date: Wed, 10 Feb 2021 16:44:17 -0600 (CST)
Subject: [python-ldap] Searching with paged results?
Message-ID: <1612997057.89039667@apps.rackspace.com>

I can't seem to get paged results working with a search; I think I did
manage to partially get it, 'cause I set the paging to 1,000 results and I
got 1,000 results back (out of a total of ~800K), but I'm stuck and all the
stuff I can find online is either for the 2.x version of this package, or
the "ldap3" package.

In any case, what I would like is to run a search like this:

----- 8< 8< 8< -----
result = self.directory_connection.search_ext_s(
    base_dn,
    scope,
    filterstr = search_filter,
    attrlist = attributes,
    sizelimit = size_limit,
    timeout = time_limit,
)
for dn, entry in result:
    ## do stuff
----- >8 >8 >8 -----

...and get _all_ the results, using paged search to work with the LDAP
server's resource limits. Basically, I want to reproduce the behaviour of
"ldapsearch -E pr=10000/noprompt", which does work against this server to
return the entire result set.
This is what I have now, that only gives me 1,000 results (out of ~800K):

----- 8< 8< 8< -----
ldap_controls = ldap.controls.libldap.SimplePagedResultsControl(
    #criticality = False,
    size = 1000,
    cookie = b'',
)
## Release the hounds!
result = self.directory_connection.search_ext_s(
    base_dn,
    scope,
    filterstr = search_filter,
    attrlist = attributes,
    sizelimit = 900000,
    timeout = -1,
    serverctrls = [ldap_controls,],
)
for dn, entry in result:
    ## do stuff
----- >8 >8 >8 -----

Any pointers on what I'm doing wrong (or directions to documentation, but
not just to the below page (I need a little more handholding, apparently))?
The "search_filter" and "attributes" variables are good, 'cause I _am_
getting the right results...just not _all_ the results.

I got as far as
https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-controls.html#ldap.controls.libldap.SimplePagedResultsControl
but what I tried above isn't quite what I'm after.

From christian at python.org  Thu Feb 11 16:42:51 2021
From: christian at python.org (Christian Heimes)
Date: Thu, 11 Feb 2021 22:42:51 +0100
Subject: [python-ldap] Searching with paged results?
In-Reply-To: <1612997057.89039667@apps.rackspace.com>
References: <1612997057.89039667@apps.rackspace.com>
Message-ID:

On 10/02/2021 23.44, John wrote:
> Any pointers on what I'm doing wrong (or directions to documentation, but
> not just to the below page (I need a little more handholding, apparently))?
> The "search_filter" and "attributes" variables are good, 'cause I _am_
> getting the right results...just not _all_ the results.
>
> I got as far as
> https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-controls.html#ldap.controls.libldap.SimplePagedResultsControl
> but what I tried above isn't quite what I'm after.
>

Hi,

you have to use the asynchronous method with SimplePagedResultsControl().
search_ext_s() doesn't give you the controls to access the next page
cookie. The conn.search_ext() method returns a result id.
conn.result3(result_id) gives you a bunch of extra data including result
type and server controls. One of the server controls will be a page control
entry with a new cookie. You have to use that cookie in your next
search_ext() call.

You can find an example in the LDAP library of FreeIPA,
https://github.com/freeipa/freeipa/blob/master/ipapython/ipaldap.py

Christian

From vmittal05 at gmail.com  Thu Mar 18 04:26:29 2021
From: vmittal05 at gmail.com (varun mittal)
Date: Thu, 18 Mar 2021 13:56:29 +0530
Subject: [python-ldap] Multiple timeout values in python-ldap, which ones are applicable
In-Reply-To:
References:
Message-ID:

I am using python-ldap==3.1.0 with python3 to query my AD server, with the
following timeout values:

ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, 30)
ldap.set_option(ldap.OPT_TIMEOUT, 120)
conn = ldap.initialize("ldap://server-ip")

Using 3 types of queries - synchronous search_s(), asynchronous with and
without paging search_ext()
I am not using any timeout in the _ext method.

One of my LDAP searches (asynchronous with paging) took about 14 minutes to
complete, in the customer environment. Eventually, the search was
successful.

Looking at the documentation, I am not sure which timeout value would be
applicable here.
I thought setting OPT_TIMEOUT should suffice for all kinds of searches.

What am I missing here?
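
The paging loop Christian Heimes describes in the "Searching with paged results?" thread above, written out as an added example (it is not code from python-ldap, FreeIPA or any poster in this archive). The function name, the `page_timeout` parameter and the injectable `control_cls` argument are assumptions made here; `page_timeout` is passed to each `result3()` call, so it bounds the client-side wait for one page, not for the whole search.

```python
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"  # RFC 2696 simple paged results


def paged_search(conn, base_dn, scope, filterstr, attrlist=None,
                 page_size=1000, page_timeout=60, control_cls=None):
    """Yield (dn, entry) for every match, fetching one page per request.

    conn is an ldap.ldapobject.LDAPObject (or anything with the same
    search_ext()/result3() methods). page_timeout is the client-side wait,
    in seconds, for each page; python-ldap raises ldap.TIMEOUT if exceeded.
    """
    if control_cls is None:
        # Imported lazily so the loop can be exercised without a server.
        from ldap.controls.libldap import SimplePagedResultsControl
        control_cls = SimplePagedResultsControl

    # criticality=True: fail instead of silently getting an unpaged answer.
    page_ctrl = control_cls(criticality=True, size=page_size, cookie=b"")
    while True:
        # Asynchronous search: returns a message id, not the entries.
        msgid = conn.search_ext(base_dn, scope, filterstr=filterstr,
                                attrlist=attrlist, serverctrls=[page_ctrl])
        # result3() also returns the server's response controls.
        _rtype, rdata, _rmsgid, rctrls = conn.result3(msgid,
                                                      timeout=page_timeout)
        for dn, entry in rdata:
            if dn is not None:          # dn is None for search references
                yield dn, entry
        cookies = [c.cookie for c in rctrls
                   if c.controlType == PAGED_RESULTS_OID]
        if not cookies:
            raise RuntimeError("no paged results control in the response")
        if not cookies[0]:              # empty cookie: that was the last page
            return
        page_ctrl.cookie = cookies[0]   # opaque value, send it back unchanged
```

Because the function is a generator, a result set of several hundred thousand entries is processed page by page instead of being held in memory at once.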
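
For the userCertificate thread at the top of this archive, where the failure turned out to be a newline in the DER file: a pre-flight check that can be run before calling `modify_s()`. This is an added example, not code from lib389 or python-ldap; the function names are made up here, and it assumes the stray newline sits after the encoded certificate.

```python
def der_sequence_length(data):
    """Total size (header + content) of the DER SEQUENCE at the start of data."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte must be 0x30)")
    first = data[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("indefinite, oversized or truncated length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def clean_der_certificate(data):
    """Return exactly the certificate bytes, or raise if the file is not DER."""
    if isinstance(data, str):
        raise TypeError("got str; open the file in 'rb' mode")
    if data.lstrip().startswith(b"-----BEGIN"):
        raise ValueError("PEM input; userCertificate expects DER")
    total = der_sequence_length(data)
    if total > len(data):
        raise ValueError("truncated: header says %d bytes, file has %d"
                         % (total, len(data)))
    # Cut at the length the DER header declares instead of calling .strip():
    # the last certificate byte may itself be 0x0a.
    if data[total:].strip(b"\r\n"):
        raise ValueError("unexpected data after the certificate")
    return data[:total]


def add_user_certificate(conn, dn, der_path):
    """Validate the file, then add it as userCertificate;binary."""
    import ldap  # python-ldap; imported here so the checks above run without it
    with open(der_path, "rb") as f:
        der = clean_der_certificate(f.read())
    conn.modify_s(dn, [(ldap.MOD_ADD, "userCertificate;binary", [der])])
    return len(der)
```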