[Tutor] python-ldap

Dan Lowe dan at tangledhelix.com
Tue Nov 22 22:18:29 CET 2005


On Nov 22, 2005, at 2:08 PM, Pat Martin wrote:

> I am new to python and fairly new to programming. I have written some
> ldap scripts in perl and am trying to learn how to do that in python. I
> found some code on the net using the python-ldap module (the unaltered
> code is at the bottom of this email) and have adapted it to my needs,
> the code works fine. I want to learn what some of the things in the code
> are. The two things I don't understand are
> ldap.SCOPE_SUBTREE and
> ldap.RES_SEARCH_ENTRY
> when I print those out I get integers 2 and 100 respectively, I am not
> sure if they change but that is what they start out at. I am figuring
> other modules use similar things (variables?), can someone point me to
> where I can understand more about what these are.

SCOPE_SUBTREE is one of three possible scopes you can use. Remember  
that LDAP is a tree-based hierarchy (arranged much like the old
Windows Explorer file tree view). So that tree is divided into  
branches, sub branches, etc. How you limit your search depends on two  
things:

1. The starting branch point (the base)

2. The scope (which is applied to the base).

So say you have ou=foo,ou=bar,o=root. There are three bases you could  
choose to start from.

o=root
ou=bar,o=root
ou=foo,ou=bar,o=root

If you used base o=root with a scope of SCOPE_BASE, the only possible  
entry that could be returned is o=root itself. SCOPE_BASE indicates  
that the scope of the search should be limited to the base itself -  
not to any of its sub branches or sub entries. Just itself.

If you used base o=root with a scope of SCOPE_ONE, you would be able  
to obtain entries like this:

ou=bar,o=root
cn=something,o=root
cn=another,o=root
cn=third,o=root

In other words, given a base, you can get entries one level below;  
the entries immediately subordinate to your base (but not the base  
itself). You could not get back ou=foo,ou=bar,o=root because that is  
not immediately beneath o=root.

If you used base o=root with a scope of SCOPE_SUBTREE, you would be  
able to obtain any entry anywhere in the tree, including the base.  
This translates to: start at the base, anything further down the line is
okay.

Therefore, if you used a base of ou=bar,o=root, you could get these  
entries:

ou=bar,o=root
cn=something,ou=bar,o=root
cn=something-else,ou=foo,ou=bar,o=root

But you could not get:

o=root

Because that is outside the scope (at a higher level than the base).

Behind the scenes, the scopes have different numbers, which is why  
you get the integer value when you printed SCOPE_SUBTREE. These  
numbers don't really matter; they're just values used by the  
libraries. Just ignore them and use the constants SCOPE_BASE,  
SCOPE_ONE, SCOPE_SUBTREE.

Unless you have a specific reason to use another scope, subtree is  
usually the default choice. I've had plenty of occasion to use the  
other two scopes, though.

RES_SEARCH_ENTRY is, as far as I know, just a way to test if  
something is an LDAP entry object. So if you are iterating through a  
set of results, you can say

if result_type == ldap.RES_SEARCH_ENTRY:
   result_set.append(result_data)

Which means, append the entry to the result set only if it actually  
is an entry object.

More information here:

http://python-ldap.sourceforge.net/doc/python-ldap/ldap-objects.html

  -dan

-- 
Television is one of the Six Fundamental Forces of the Universe; with
the other five being Gravity, Duct Tape, Whining, Remote Control, and
the Force That Pulls Dogs Toward the Groins of Strangers. -Dave Barry
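
Added example, not part of the original message and not python-ldap's own code: a pure-Python model of the three scopes over the DNs used in the reply above, plus the RES_SEARCH_ENTRY filter. The function names, the in-memory DIRECTORY and the simplified result stream are assumptions made for illustration; python-ldap itself spells the one-level constant ldap.SCOPE_ONELEVEL.

```python
# Added example: models LDAP search scopes in memory; no server or python-ldap needed.
# Integer values follow the LDAP protocol; the post reports 2 and 100 for the two printed.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
RES_SEARCH_ENTRY, RES_SEARCH_RESULT = 100, 101

# Constructed directory, built from the DNs used in the reply.
DIRECTORY = [
    "o=root",
    "ou=bar,o=root",
    "cn=something,o=root",
    "cn=another,o=root",
    "cn=third,o=root",
    "ou=foo,ou=bar,o=root",
    "cn=something,ou=bar,o=root",
    "cn=something-else,ou=foo,ou=bar,o=root",
]

def rdns(dn):
    # Assumption: no escaped commas in the DN, so a plain split is enough here.
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, base, scope):
    entry, root = rdns(dn), rdns(base)
    depth = len(entry) - len(root)
    # An entry sits at or under the base only if the base's RDNs are its suffix.
    if depth < 0 or entry[depth:] != root:
        return False
    if scope == SCOPE_BASE:
        return depth == 0      # the base itself, nothing else
    if scope == SCOPE_ONELEVEL:
        return depth == 1      # immediate children, not the base
    if scope == SCOPE_SUBTREE:
        return True            # the base and everything below it
    raise ValueError("unknown scope: %r" % (scope,))

def search(base, scope):
    """Simplified (result_type, data) stream: entries, then one 'done' message."""
    stream = [(RES_SEARCH_ENTRY, dn) for dn in DIRECTORY if in_scope(dn, base, scope)]
    stream.append((RES_SEARCH_RESULT, None))
    return stream

def entries(base, scope):
    # Same test as in the reply: keep only messages that are actual entries.
    return [data for rtype, data in search(base, scope) if rtype == RES_SEARCH_ENTRY]

if __name__ == "__main__":
    for name, scope in [("BASE", SCOPE_BASE), ("ONELEVEL", SCOPE_ONELEVEL),
                        ("SUBTREE", SCOPE_SUBTREE)]:
        print(name, entries("ou=bar,o=root", scope))
```

Choosing the narrowest base and scope that answers the question keeps a query from returning entries from branches it was never meant to read.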
