python-ldap, Zope, and NDS

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hi everyone,

I've just posted a bug report at the python-ldap Sourceforge site, but I
thought I would give some more information here.

I'm building a Zope-powered Web site for my school and I'd like to leverage
all the data that we've currently got in our NDS (v7.45) directory. I
discovered a problem with python-ldap that manifested itself when I was
implementing the ZLDAP product.

I installed ZLDAP (Zope 2.1.6) and created a connection to our NDS tree. No
problem there. However, when I tried to browse the tree from the ZLDAP
'Browse' tab, I got an INVALID_DN_SYNTAX error. After hacking around with
some little Python programs I created to query NDS, I discovered that the
problem lies in searching with SCOPE_ONELEVEL. Here's an example using our
NDS server. The part of the tree represented by "ou=do, o=ISD_197" contains
some bindery objects.

Bindery objects are often found in NDS trees where the underlying Netware
software has been upgraded from previous, non-NDS versions. These bindery
objects seem to be the cause of the problem. Browsing subtrees that don't
contain any bindery objects works perfectly.

wilsont@gershwin:~$ python
Python 1.5.2 (#0, Apr  3 2000, 14:46:48)  [GCC 2.95.2 20000313 (Debian
GNU/Linux)] on linux2
Copyright 1991-1995 Stichting Mathematisch Centrum, Amsterdam
>>> import ldap
>>> l = ldap.open("10.3.6.1", 389)
>>> l.simple_bind_s("o=ISD_197", "")
>>> test1 = l.search_s("ou=do, o=ISD_197", ldap.SCOPE_SUBTREE,
"objectclass=*")
>>> test2 = l.search_s("ou=do, o=ISD_197", ldap.SCOPE_ONELEVEL,
"objectclass=*")
Traceback (innermost last):
  File "<stdin>", line 1, in ?
ldap.INVALID_DN_SYNTAX: {'desc': 'Invalid DN syntax'}

Because the ZLDAP product uses the SCOPE_ONELEVEL option to get the ldap
records, browsing a tree that contains bindery objects using ZLDAP fails.

I changed the reference in ZLDAP.py to SCOPE_SUBTREE and ZLDAP works fine.
Except, and this is a big 'except,' when I try to browse our entire tree. I
think that using SCOPE_SUBTREE is causing the search to retrieve the same
data over and over again. When I tried it, all the available RAM (128 MB) 
and swap (128 MB) on my Linux server was eventually used up, the python
process was killed off, and our NDS/ldap server sat spinning its wheels
until we restarted the ldap process. Browsing a subtree of our NDS directory
seems to work fine with the modification in ZLDAP.py and returns what
appears to be the correct information. Obviously, there's a lot less data in
the subtrees.

Is this helpful? I can provide more information if anyone needs it. I look
forward to hearing any comments that any of you might have.

-Tim

--
Tim Wilson      | Visit Sibley online:         | Check out:
Henry Sibley HS | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN |                              | http://slashdot.org/
wi...@vi... |   <dtml-var pithy_quote>     | http://linux.com/