From: Michael S. <mi...@st...> - 2009-05-14 17:05:58

Zhang Huangbin wrote:
> Michael Ströder wrote:
>> 100+ entries are not so many. So you could try sorting the list of
>> search results retrieved with LDAPObject.ldap_search_ext_s() by invoking
>> list method .sort(). Make sure you understand how to control the
>> comparisons.
>>
>> See item 8. here:
>> http://docs.python.org/library/stdtypes.html#index-591
>>
>
> No idea yet. Any example?

Bear in mind search results returned by synchronous search methods are
in a list of 2-tuples each consisting of the DN string and the entry
dictionary like this:

[(dn,entry)]

Without testing just as food for thought:

Compare function for case-insensitive comparison of the DN:

cmp=lambda x,y: cmp(x[0].lower(), y[0].lower())

Compare function for case-insensitive comparison of the first attribute
value of 'cn' (this would choke with KeyError exception if there's no
attribute 'cn' in the entry):

cmp=lambda x,y: cmp(x[1]['cn'][0].lower(), y[1]['cn'][0].lower())

And then results.sort(cmp).

I don't know how fast this is though. The rest of the homework is up to
you. For various list sorting aspects you should ask in
news:comp.lang.python

Ciao, Michael.

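Added example, not part of the original thread or of python-ldap: the same client-side sort written for Python 3, where list.sort() takes a key function instead of a cmp function. It also goes one step further than the message above by ordering on the mail RDN so that www sorts before www2 and www10 after www5, and by tolerating entries without 'cn'. All function names and the sample data are constructed for illustration.

```python
"""Client-side ordering of python-ldap style search results [(dn, entry), ...]."""
import re

# Constructed sample data in the shape returned by the synchronous search
# methods: a list of (dn, entry) tuples. Values are bytes here (assumption:
# a Python 3 release of python-ldap); str values are handled as well.
SAMPLE_RESULTS = [
    ("mail=www2@example.com,ou=Users,dc=example,dc=com", {"cn": [b"Web Two"]}),
    ("mail=www10@example.com,ou=Users,dc=example,dc=com", {"cn": [b"web ten"]}),
    ("mail=www5@example.com,ou=Users,dc=example,dc=com", {}),  # no 'cn' at all
    ("mail=WWW3@example.com,ou=Users,dc=example,dc=com", {"cn": [b"Web Three"]}),
    ("mail=www@example.com,ou=Users,dc=example,dc=com", {"cn": [b"web"]}),
]


def first_rdn_value(dn):
    """Return the value of the leftmost RDN, honouring backslash-escaped commas."""
    rdn = re.match(r"(?:\\.|[^,\\])*", dn).group(0)
    return rdn.partition("=")[2]


def natural_key(text):
    """Split text into digit and non-digit runs so that 'www2' < 'www10'.

    Each run is tagged (0, int) or (1, str) so numbers and strings are never
    compared with each other directly.
    """
    return [(0, int(run)) if run.isdecimal() else (1, run)
            for run in re.split(r"(\d+)", text.lower()) if run]


def mail_dn_key(result):
    """Sort key: local part of the mail RDN in natural order, then the domain."""
    dn, _entry = result
    local, _, domain = first_rdn_value(dn).partition("@")
    return (natural_key(local), domain.lower())


def cn_key(result):
    """Sort key: first 'cn' value, case-insensitive; entries without 'cn' first."""
    dn, entry = result
    first = (entry.get("cn") or [b""])[0]
    if isinstance(first, bytes):
        first = first.decode("utf-8", "replace")
    return (first.lower(), dn.lower())


def sorted_dns(results, key):
    """Return only the DNs of results, ordered by the given key function."""
    return [dn for dn, _entry in sorted(results, key=key)]


if __name__ == "__main__":
    for dn in sorted_dns(SAMPLE_RESULTS, mail_dn_key):
        print(dn)
```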
From: Zhang H. <zhb...@gm...> - 2009-05-14 16:17:29

Michael Ströder wrote:
>
> 100+ entries are not so many. So you could try sorting the list of
> search results retrieved with LDAPObject.ldap_search_ext_s() by invoking
> list method .sort(). Make sure you understand how to control the
> comparisons.
>
> See item 8. here:
> http://docs.python.org/library/stdtypes.html#index-591
>

No idea yet. Any example?

Thanks :)

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian:
  http://code.google.com/p/iredmail/

From: Michael S. <mi...@st...> - 2009-05-14 14:10:43

Zhang Huangbin wrote:
> Michael Ströder wrote:
>> Zhang Huangbin wrote:
>>
>>> Any exist python module/function to sort ldap search results?
>> Well, why do you really need that? I don't have client-side sorting in
>> web2ldap because it won't scale with large search results. Some of my
>> customers have more than 100k person/user entries in their directories.
>>
>
> I have 100+ accounts in LDAP, but they are not listed orderly.

100+ entries are not so many. So you could try sorting the list of
search results retrieved with LDAPObject.ldap_search_ext_s() by invoking
list method .sort(). Make sure you understand how to control the
comparisons.

See item 8. here:
http://docs.python.org/library/stdtypes.html#index-591

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-05-14 14:02:27

Michael Ströder wrote:
> Zhang Huangbin wrote:
>
>> Any exist python module/function to sort ldap search results?
>
> Well, why do you really need that? I don't have client-side sorting in
> web2ldap because it won't scale with large search results. Some of my
> customers have more than 100k person/user entries in their directories.
>

I have 100+ accounts in LDAP, but they are not listed orderly. like this:

dn: mail=www2@xxx,----
dn: mail=www5@xxx,----
dn: mail=www3@xxx,----
dn: mail=www@xxx,----

I just want to make them listed orderly like this:

dn: mail=www@xxx,----
dn: mail=www2@xxx,----
dn: mail=www3@xxx,----
dn: mail=www5@xxx,----

Do you make them listed in the original order?

>> Trying to learn ldap programming from web2ldap now. Thanks for your great
>> program. :)
>>
>
> Bear in mind that I started learning Python when the first code was
> written almost 11 years ago. So I have to admit that many parts are
> really ugly code and not really good programming examples.

Got it. thanks for your remind :)

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian:
  http://code.google.com/p/iredmail/

From: Michael S. <mi...@st...> - 2009-05-14 13:18:52

Zhang Huangbin wrote:
> Michael Ströder wrote:
>> 1. Client-side sorting is done within the client libs if supported. So
>> it wouldn't be listed in the attribute 'supportedControl' of the DSA's
>> rootDSE anyway. Not sure whether client controls are used in OpenLDAP's
>> libldap at all.
>
> Any exist python module/function to sort ldap search results?

Well, why do you really need that? I don't have client-side sorting in
web2ldap because it won't scale with large search results. Some of my
customers have more than 100k person/user entries in their directories.

>> 2. One should always try out whether a DSA supports a particular control
>> within a certain naming context. E.g. former versions of OpenLDAP
>> supported the Tree Deletion Control only for naming contexts served by
>> back-sql.
>>
>> Feature detection is not that easy.
>
> I also need function to delete ldap tree too, and reading your
> web2ldap/pylib/ldapsession.py now.

The function DelTree() is in pylib/w2lapp/delete.py. If the tree
deletion control cannot or shall not be used it also makes use of some
operational attributes (e.g. hasSubordinates etc.) to determine whether
a found entry is a leaf-entry.

> Trying to learn ldap programming from web2ldap now. Thanks for your great
> program. :)

Bear in mind that I started learning Python when the first code was
written almost 11 years ago. So I have to admit that many parts are
really ugly code and not really good programming examples.

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-05-14 13:08:56

Michael Ströder wrote:
>
> 1. Client-side sorting is done within the client libs if supported. So
> it wouldn't be listed in the attribute 'supportedControl' of the DSA's
> rootDSE anyway. Not sure whether client controls are used in OpenLDAP's
> libldap at all.
>

Any exist python module/function to sort ldap search results?

> 2. One should always try out whether a DSA supports a particular control
> within a certain naming context. E.g. former versions of OpenLDAP
> supported the Tree Deletion Control only for naming contexts served by
> back-sql.
>
> Feature detection is not that easy.
>

I also need function to delete ldap tree too, and reading your
web2ldap/pylib/ldapsession.py now.

> Everyone tired of looking up the OIDs should use my http://web2ldap.de
> since it contains a registry of OIDs with descriptions of the meaning
> which are displayed when displaying the rootDSE.

I found it moment ago. :)

Trying to learn ldap programming from web2ldap now. Thanks for your great
program. :)

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian:
  http://code.google.com/p/iredmail/

From: Michael S. <mi...@st...> - 2009-05-14 12:54:35

Zhang Huangbin wrote:
> Michael Ströder wrote:
>> The error message is pretty clear: This particular LDAP server does not
>> support server-side sorting.
>
> I checked the rootdse, neither server side sort nor client side sort is
> supported:

1. Client-side sorting is done within the client libs if supported. So
it wouldn't be listed in the attribute 'supportedControl' of the DSA's
rootDSE anyway. Not sure whether client controls are used in OpenLDAP's
libldap at all.

2. One should always try out whether a DSA supports a particular control
within a certain naming context. E.g. former versions of OpenLDAP
supported the Tree Deletion Control only for naming contexts served by
back-sql.

Feature detection is not that easy.

> supportedControl: 2.16.840.1.113730.3.4.18
> supportedControl: 2.16.840.1.113730.3.4.2
> supportedControl: 1.3.6.1.4.1.4203.1.10.1
> supportedControl: 1.2.840.113556.1.4.319
> supportedControl: 1.2.826.0.1.3344810.2.3
> supportedControl: 1.3.6.1.1.13.2
> supportedControl: 1.3.6.1.1.13.1
> supportedControl: 1.3.6.1.1.12
> supportedExtension: 1.3.6.1.4.1.1466.20037
> supportedExtension: 1.3.6.1.4.1.4203.1.11.1
> supportedExtension: 1.3.6.1.4.1.4203.1.11.3
> supportedExtension: 1.3.6.1.1.8

Everyone tired of looking up the OIDs should use my http://web2ldap.de
since it contains a registry of OIDs with descriptions of the meaning
which are displayed when displaying the rootDSE.

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-05-14 12:37:29

Michael Ströder wrote:
>
> The error message is pretty clear: This particular LDAP server does not
> support server-side sorting.
>

I checked the rootdse, neither server side sort nor client side sort is
supported:

----
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
----

> Besides that you should read RFC 2891 to learn how to generate the
> controlValue which specifies which attribute and matching rule
> (optional) is used for sorting and whether you want reverse order
> (optional). You could try to generate the controlValue with module pyasn1.

Got it. Thanks Michael :)

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian:
  http://code.google.com/p/iredmail/

From: Michael S. <mi...@st...> - 2009-05-14 09:46:38

Zhang Huangbin wrote:
>
> Does anyone have working code snippet of server/client side sorting?
>
> I use serverctrls in search_ext_s() like this:
>
> search_ext_s(xxxx, serverctrls = [
> ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],)
>
> got error msg:
>
> UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'critical extension is not
> recognized', 'desc': 'Critical extension is unavailable'}
>
> * Use clientctrls:
>
> search_ext_s(xxxx, clientctrls = [
> ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],)
>
> got error msg:
>
> NOT_SUPPORTED: {'info': '', 'desc': 'Not Supported'}
>
> My os is Ubuntu 9.04, OpenLDAP-2.4.15-1ubuntu3.

The error message is pretty clear: This particular LDAP server does not
support server-side sorting.

Besides that you should read RFC 2891 to learn how to generate the
controlValue which specifies which attribute and matching rule
(optional) is used for sorting and whether you want reverse order
(optional). You could try to generate the controlValue with module pyasn1.

Ciao, Michael.

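Added example, not part of the original thread or of python-ldap: the RFC 2891 controlValue (a BER-encoded SortKeyList) built with a few lines of hand-written BER instead of the pyasn1 module suggested above, so that it runs with the standard library only. The function names are made up for this example; the resulting bytes are what would take the place of the None control value in the call quoted above.

```python
"""BER encoding of the RFC 2891 sort request controlValue.

SortKeyList ::= SEQUENCE OF SEQUENCE {
    attributeType   AttributeDescription,            -- OCTET STRING
    orderingRule    [0] MatchingRuleId OPTIONAL,     -- implicit tag 0x80
    reverseOrder    [1] BOOLEAN DEFAULT FALSE }      -- implicit tag 0x81
"""

SORT_REQUEST_OID = "1.2.840.113556.1.4.473"  # control type used in the thread


def ber_len(n):
    """Encode a length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def tlv(tag, content):
    """Build one tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content


def sort_key(attribute, ordering_rule=None, reverse=False):
    """Encode a single sort key (one inner SEQUENCE)."""
    body = tlv(0x04, attribute.encode("utf-8"))
    if ordering_rule is not None:
        body += tlv(0x80, ordering_rule.encode("utf-8"))
    if reverse:
        # DEFAULT FALSE is omitted; only TRUE (0xff) is ever encoded.
        body += tlv(0x81, b"\xff")
    return tlv(0x30, body)


def sort_control_value(keys):
    """Encode the whole controlValue.

    keys is an iterable of (attribute, ordering_rule_or_None, reverse) tuples
    in order of sort precedence.
    """
    return tlv(0x30, b"".join(sort_key(*key) for key in keys))


if __name__ == "__main__":
    # Sort ascending on 'cn', then descending on 'mail'.
    value = sort_control_value([("cn", None, False), ("mail", None, True)])
    print(SORT_REQUEST_OID, value.hex())
```

A well-formed controlValue does not make an unsupporting server sort: with criticality set to true, as in the call quoted above, a server that does not recognise the control must fail the operation, while a non-critical unrecognised control is ignored and the results come back unsorted.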
From: Zhang H. <zhb...@gm...> - 2009-05-14 09:33:24

Hi, all.

Does anyone have working code snippet of server/client side sorting?

I use serverctrls in search_ext_s() like this:

search_ext_s(xxxx, serverctrls = [
ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],)

got error msg:

UNAVAILABLE_CRITICAL_EXTENSION: {'info': 'critical extension is not
recognized', 'desc': 'Critical extension is unavailable'}

* Use clientctrls:

search_ext_s(xxxx, clientctrls = [
ldap.controls.LDAPControl('1.2.840.113556.1.4.473',1,None) ],)

got error msg:

NOT_SUPPORTED: {'info': '', 'desc': 'Not Supported'}

My os is Ubuntu 9.04, OpenLDAP-2.4.15-1ubuntu3.

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL, CentOS, Debian:
  http://code.google.com/p/iredmail/

From: Geert J. <ge...@bo...> - 2009-05-09 16:27:15

2009/5/4 Michael Ströder <mi...@st...>:
> Ok, committed in HEAD. Please test.

I've tested current HEAD and it works for me.

> Is it urgent to have that in a generally available release?

Not really urgent but it would be good if a new release was made in the
next 2-3 months or so. This would ensure that the next wave of
distribution releases (Fedora 12, Ubuntu 9.10) pick this up.

Regards,
Geert

From: Michael S. <mi...@st...> - 2009-05-04 10:11:08

Geert Jansen wrote:
> 2009/5/3 Michael Ströder <mi...@st...>:
>> Why didn't you patch LDAP_get_option()?
>
> That is an oversight. It should be updated as well. New patch attached.
>
>> If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON)
>> will always return -1 if set to any value instead of 0. Is that correct?
>
> Yes, that should be fine.

Ok, committed in HEAD. Please test.

Is it urgent to have that in a generally available release?

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2009-05-04 07:05:29

2009/5/3 Michael Ströder <mi...@st...>:
>
> Why didn't you patch LDAP_get_option()?

That is an oversight. It should be updated as well. New patch attached.

> If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON)
> will always return -1 if set to any value instead of 0. Is that correct?

Yes, that should be fine.

Thanks,
Geert

From: Michael S. <mi...@st...> - 2009-05-03 18:37:27

Geert Jansen wrote:
>
> could you have a look at the patch that i submitted a while ago to
> expose LDAP_OPT_X_SASL_NOCANON? This option is a new LDAP option that
> disables SASL host name canonicalization. It is very useful in Windows
> AD environments.

Sorry, this was still in the pipe.

Questions:

Why didn't you patch LDAP_get_option()?

If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON)
will always return -1 if set to any value instead of 0. Is that correct?

Ciao, Michael.

From: Geert J. <ge...@bo...> - 2009-05-03 15:19:16

Hi Michael,

could you have a look at the patch that i submitted a while ago to
expose LDAP_OPT_X_SASL_NOCANON? This option is a new LDAP option that
disables SASL host name canonicalization. It is very useful in Windows
AD environments.

Patch attached.

References:

- http://sourceforge.net/mailarchive/message.php?msg_name=648242720811211518k726c54b9y1c8357255477ae5a%40mail.gmail.com
- http://www.openldap.org/lists/openldap-bugs/200811/msg00116.html

Regards,
Geert

From: Zhang H. <zhb...@gm...> - 2009-05-01 04:11:00

Michael Ströder wrote:
> Find a new release of python-ldap:
>
> http://www.python-ldap.org/
>

Thanks for your great work, Michael. ^_^

--
Best regards.

Zhang Huangbin

- Open Source Mail Server Solution for RHEL/CentOS 5.x:
  http://code.google.com/p/iredmail/

From: Michael S. <mi...@st...> - 2009-04-30 13:12:18

Find a new release of python-ldap:

http://www.python-ldap.org/

python-ldap provides an object-oriented API to access LDAP directory
servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for
that purpose. Additionally it contains modules for other LDAP-related
stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema).

Ciao, Michael.

--
Michael Ströder
E-Mail: mi...@st...
http://www.stroeder.com

----------------------------------------------------------------
Released 2.3.8 2009-04-30

Changes since 2.3.7:

Lib/
* ldap.schema.models: More fault-tolerant parsing of SYNTAX in
  AttributeTypeDescription
* ldap.schema.tokenizer.split_tokens(): More tolerant parsing of items
  separated only with a DOLLAR without surrounding white-spaces (because
  WSP is declared as zero or more spaces in RFC 4512)

From: Michael S. <mi...@st...> - 2009-04-28 21:23:55

Yancey Yeargan wrote:
>
> I believe he is asking how to defend against potential web-based LDAP
> filter injection attacks (similar to SQL injection attacks),

Ah ok. To prevent someone to pass in special filter chars these have to
be escaped before the user's input is used as (partial) value in the
LDAP filter string representation. One should use the functions in
module ldap.filter for that:

http://www.python-ldap.org/doc/html/ldap-filter.html

> or generally how to validate user input.

This depends on the application's context and could be handled in the
web app library.

Ciao, Michael.

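Added example, not part of the original thread or of python-ldap: the escaping described in the message above, applied to the filter quoted elsewhere in this thread. escape_filter_value() is a local stand-in written here so the example runs without python-ldap; in an application use ldap.filter.escape_filter_chars() or ldap.filter.filter_format() instead. build_uid_filter() and is_balanced() are likewise names made up for this example.

```python
"""Escaping user input before it becomes part of an LDAP filter string."""

# RFC 4515: inside an assertion value these characters are written as a
# backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The filter discussed in the thread, with %s where the form input goes.
FILTER_TEMPLATE = "(&(objectClass=inetOrgPerson)(uid=%s))"


def escape_filter_value(value):
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filter(user_input):
    """Insert the escaped input into the template; the structure stays fixed."""
    return FILTER_TEMPLATE % escape_filter_value(user_input)


def is_balanced(filter_str):
    """Structural sanity check: one outer (...) item with properly nested
    parentheses. It does not replace escaping, it only shows its effect."""
    if not filter_str.startswith("("):
        return False
    depth = 0
    last = len(filter_str) - 1
    for pos, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Closing more than was opened, or closing the outer item early.
            if depth < 0 or (depth == 0 and pos != last):
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed inputs: the ')' case from the thread, a plain uid, and one
    # string containing every character that needs escaping.
    for raw in [")", "jdoe", "a*b(c)\\d"]:
        naive = FILTER_TEMPLATE % raw
        safe = build_uid_filter(raw)
        print("%-10r naive ok=%-5s escaped=%s" % (raw, is_balanced(naive), safe))
```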
From: Yancey Y. <ya...@un...> - 2009-04-28 15:32:52

I believe he is asking how to defend against potential web-based LDAP
filter injection attacks (similar to SQL injection attacks), or
generally how to validate user input. I think there are better forums
elsewhere (OpenLDAP perhaps) for asking this question.

There is a potential for abuse with some filters, but I do not see any
way to abuse the "(&(objectClass=inetOrgPerson)(uid=$input))" filter. As
mete wrote, it's easy to enter something that makes the filter invalid.
I just can't think of anything extra a person could type that would be a
valid filter and return unwanted data. Unlike SQL, the returned
attributes are not specified in the LDAP filter string, so there is
limited potential for abuse.

Yancey

On Apr 28, 2009, at 10:08 AM, mete wrote:
>
>>
>> i guess what he means is something like this: imagine the following
>> filter:
>>
>> (&(objectClass=inetOrgPerson)(uid=$input))
>>
>> where $input comes from a web form, or similar. if $input==')' you
>> get
>>
>> (&(objectClass=inetOrgPerson)(uid=)))
>>
>> which is invalid.
>>
>> so some form of input validation must be used.
>>
>> please correct me if i'm wrong
>>
>> best regards
>> burak
> It's have a login window. You can write your dn and password, after
> login you can search, list etc. But it's not to be too security. How
> can i stop them?
>
> Sorry for my english. It's not good at all. good day.

From: mete <met...@gm...> - 2009-04-28 15:08:49

>
> i guess what he means is something like this: imagine the following filter:
>
> (&(objectClass=inetOrgPerson)(uid=$input))
>
> where $input comes from a web form, or similar. if $input==')' you get
>
> (&(objectClass=inetOrgPerson)(uid=)))
>
> which is invalid.
>
> so some form of input validation must be used.
>
> please correct me if i'm wrong
>
> best regards
> burak

It's have a login window. You can write your dn and password, after
login you can search, list etc. But it's not to be too security. How can
i stop them?

Sorry for my english. It's not good at all. good day.

From: Burak A. <bu...@ar...> - 2009-04-28 13:11:01

Michael Ströder wrote:
> mete bilgin wrote:
>
>> I'm developing a web-based ldap gui with python ( with python-ldap ).
>> And i miss something about security. How can i blocked ldap injection?
>>
>
> Could you please elaborate on what you mean with "ldap injection"?
>
>

i guess what he means is something like this: imagine the following filter:

(&(objectClass=inetOrgPerson)(uid=$input))

where $input comes from a web form, or similar. if $input==')' you get

(&(objectClass=inetOrgPerson)(uid=)))

which is invalid.

so some form of input validation must be used.

please correct me if i'm wrong

best regards
burak

From: Michael S. <mi...@st...> - 2009-04-28 11:30:42

mete bilgin wrote:
> I'm developing a web-based ldap gui with python ( with python-ldap ).
> And i miss something about security. How can i blocked ldap injection?

Could you please elaborate on what you mean with "ldap injection"?

Most security issues with attacking the connection can be cured with
SSL/TLS. So your client should support LDAPS and StartTLS ext.op. and
defining the trusted root CA certs.

Ciao, Michael.

From: mete b. <met...@gm...> - 2009-04-28 10:49:12

Hi all,

I'm developing a web-based ldap gui with python ( with python-ldap ).
And i miss something about security. How can i blocked ldap injection?

thanks all. Good days.

ps: http://freshmeat.net/projects/pyldapadmin - pyldapadmin

From: Fredrik M. <mel...@df...> - 2009-04-27 16:02:40

Hi,

first of all thanks for the answer, and sorry that I haven't replied
earlier. Lots of reasons not really interesting for anybody and a bit of
good ol' laziness, of course ;)

>> Which ldapsearch tool are you talking about? OpenLDAP's command-line
>> tool ldapsearch does not have an option -C. Do you have several
>> implementations of ldapsearch on your system?

That's true, if you consider the latest version(s?) of ldapsearch. There
used to be a -C option for client-chasing referrals. I'm not sure exactly
when or why this was taken out, but even after it was removed from the
documentation it lingered as an "undocumented feature" for while,
meaning you could use it if you happened to know about it. The guys here
at work also tell me that before it got removed completely it remained
in some broken kind of way, that is, you could still use the option, but
it wouldn't quite work. I've never seen this myself though.

By the way (looking now), where I sit, "man ldapsearch" gives me, among
other things:

    -C Chase referrals (anonymously)

This is OpenLDAP 2.3.37.

>> Are you talking about client-chasing of LDAPv3 referrals? Yes, you can
>> do it by processing the LDAP URLs returned in search continuations
>> yourself. You have to check the result type to be
>> ldap.RES_SEARCH_REFERENCE. You can then use module 'ldapurl' to parse
>> the referral URL in the result.

Yes, that's what I'm talking about. Since my question we've also decided
to do things this way, and parse the replies manually instead of trying
to make the server do anything for us.

>> Note that the concept of client-chasing referral chasing is seriously
>> broken since the LDAPv3 standard does not specify which credentials to
>> use when connecting to the server specified in the referral URL. My
>> web2ldap therefore raises a bind form to interactively ask the user
>> what to do in this case. So I'd rather recommend to configure your LDAP
>> server to chase the referral with well-defined credentials if it
>> supports chaining or however it's called in your LDAP server (which
>> one?).

That's some useful information. Our server is OpenLDAP. Not sure which
version right now, though.

Think I've got the hang of it now. I will simply check the type of the
reply manually and keep requesting around 'til I don't get another
reference.

Thanks again!

Greetings,
Fredrik

From: Geert J. <ge...@bo...> - 2009-04-11 15:37:03

On Fri, Apr 10, 2009 at 11:24 AM, Olivier Sessink <oli...@gm...> wrote:
> I noticed that there is some C code related to Kerberos in python-ad.
> Is this code required to initialize a kerberos authentication, or is
> this just to change passwords and things like that?

Actually, both. The C code exposes a small subset of the Kerberos API to
Python. I use it for credential management so things like acquire a
ticket using a password or a keytab, and to set or change a password.

Regards,
Geert