From: <mi...@st...> - 2003-04-06 15:33:21
Peter Hawkins wrote:
>> > Q: "Why you want to pass a NULL argument to ldap_initialize?"
>
> Short answer: Because you _can_ do it (at least in C)

I have to admit that I'm not in favour of following everything that is possible with the OpenLDAP C API. Note that the C API is considered to be highly flawed (see postings on OpenLDAP lists). Especially this particular feature could cause some FAQs. Before accepting a patch I would really like to understand the background issues.

> Long answer:
>
> Passing a NULL argument to ldap_initialize, you prevent this code from
> running (excerpt from ldap_initialize/OpenLDAP 2.0.27):
>
>     if (url != NULL) {
>         rc = ldap_set_option(ld, LDAP_OPT_URI, url);
>         if ( rc != LDAP_SUCCESS ) {
>             ldap_ld_free(ld, 1, NULL, NULL);
>             return rc;
>         }
>     }
>
> I haven't checked deeply, but it seems to deactivate further URI
> checkins, making the LDAP library assume that you want to connect to a
> local LDAP server.

What does local exactly mean? I guess the LDAP URI is taken from ldap.conf if uri is NULL. Is that right? If yes, I have to admit that I have some objections to introduce (implicit) support for ldap.conf in python-ldap. I posted a message to ope...@Op... to find out...

> It seems to help on some scenarios involving broken
> DNS configs, and it probably (again, I haven't checked) speeds up
> initial bindings even at good configured DNS places, as you don't need to
> make lookups

Well, at some point you have to make a DNS lookup. Where does the speed up come from?

> It makes difference for me
> (several seconds waiting for the lookup to timeout -> 0 seconds passing
> NULL), since I cannot modify those (possibly) broken DNS records.

Maybe it's me but I still don't get it. If you have a DNS name of an LDAP server you're trying to connect to, the lookup for the IP address has to be done. If DNS entries are completely broken and you already know the IP address you can pass this to ldap.initialize().

Or do you suspect the OpenLDAP libs to do reverse lookups in the URL checking? Did you compile your OpenLDAP with --enable-wrappers (TCP wrapper support)? This could cause reverse lookups on the server's side. Not sure if it also has an effect on the client libs.

> Anyway, there's no reason to not be able to send a NULL as URL
> argument to ldap_initialize, since the API _does_ recognize it as a
> valid argument

I have some plans to let python-ldap be just a wrapper above other APIs (e.g. ADSI on Win32 or maybe a pure Python version). Therefore there MUST be a good rationale to change semantics of the uri argument of ldap.initialize() or introduce a dependency on OpenLDAP's ldap.conf.

> (in fact OpenLDAP's client
> tools use NULL as the default argument to ldap_initialize if you don't
> specify -h or -H).

I guess that's where ldap.conf is used.

> Of course, if Michael has a more deep view of OpenLDAP internals than I

No, I don't have more insight. In fact I'm not very familiar with the C part of python-ldap which is hard to maintain for me since David Leonard does not have time to spend anymore. Contributions welcome (e.g. support for extended controls).

> I can keep applying patches.

Instead you could derive from ldap.ldapobject.LDAPObject and do the host lookup once(!) in the __init__() method passing an IP address to underlying _ldap.initialize(). Or better rewrite your LDAP applications to keep persistent connections. See ldap.ldapobject.ReconnectLDAPObject for a picklable version of LDAPObject.

Ciao, Michael.
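Added example, not part of the original message and not python-ldap's own code: one way to do the single host lookup suggested above is to resolve the name once and pass an IP-literal URI to ldap.initialize(). The names `pin_ldap_uri`, `connect_pinned` and the `resolver` parameter are hypothetical, and refusing ldaps:// URIs is a choice made for this sketch.

```python
import socket
from urllib.parse import urlsplit, urlunsplit


def pin_ldap_uri(uri, resolver=socket.getaddrinfo):
    """Resolve the host of an ldap:// URI once and return the URI with an
    IP literal in its place. `resolver` is a hypothetical hook with the
    socket.getaddrinfo signature so the lookup can be replaced in tests."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldaps":
        # Choice made in this example: a server certificate issued for the
        # DNS name normally does not match an IP literal, so TLS URIs are
        # left to connect by name.
        raise ValueError("not pinning ldaps:// URI: %r" % uri)
    if scheme != "ldap" or not parts.hostname:
        raise ValueError("expected ldap://host[:port], got %r" % uri)
    port = parts.port or 389  # default LDAP port
    infos = resolver(parts.hostname, port, type=socket.SOCK_STREAM)
    if not infos:
        raise OSError("no address found for %r" % parts.hostname)
    family, _, _, _, sockaddr = infos[0]
    addr = sockaddr[0]
    if family == socket.AF_INET6:
        addr = "[%s]" % addr  # IPv6 literals need brackets in a URI
    netloc = "%s:%d" % (addr, port)
    # Path and query (base DN, attributes, scope) are carried over unchanged.
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def connect_pinned(uri):
    """Look the server up once, then hand python-ldap an address it does
    not have to resolve again. The pinned address goes stale if the DNS
    record changes, so re-run this after a failed reconnect."""
    import ldap  # python-ldap; imported lazily so pin_ldap_uri works without it
    return ldap.initialize(pin_ldap_uri(uri))


if __name__ == "__main__":
    # 127.0.0.1 is already numeric, so this runs without any DNS query.
    print(pin_ldap_uri("ldap://127.0.0.1/dc=example,dc=com"))
```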