From: Andre B. <and...@gm...> - 2008-10-05 20:36:11

When trying to install OpenLDAP, I get the above error. How do I install BerkeleyDB, or make it available?

--
André
(h) +64 9 444 3228
(w) +64 9 488 3755
(c) +64 27 335 0955
www.baselmania.com

From: Michael S. <mi...@st...> - 2008-09-26 12:15:22

Please don't e-mail me personally. Stay on the mailing list!

mete bilgin wrote:
> 2008/9/26 Michael Ströder <mi...@st...
> <mailto:mi...@st...>>
>
>     mete bilgin wrote:
>     > i'm trying to connect ldap into python. when i give it to true username
>     > and password, nothing going wrong...But i try to wrong password ,the
>     > server shutdown...How can i pass that.
>
>     What does "the server shutdown" mean exactly. Is it stopped?
>
> yes it's stopped
> [..]
> Sep 26 14:12:27 localhost klogd: slapd[24032]: segfault at 1f ip
> b7c61790 sp b6cf9a40 error 4 in libdb-4.6.so
> <http://libdb-4.6.so>[b7bcc000+13a000]

This looks like a bug in OpenLDAP. It has nothing to do with python-ldap. I already saw this myself yesterday when doing SASL/EXTERNAL bind. It's on my to-do-list to track this down and report to OpenLDAP's ITS if I find some spare time.

You could help if you clarify this on openldap-software mailing and file an ITS.

Ciao, Michael.

From: Michael S. <mi...@st...> - 2008-09-26 10:53:55

mete bilgin wrote:
> i'm trying to connect ldap into python. when i give it to true username
> and password, nothing going wrong...But i try to wrong password ,the
> server shutdown...How can i pass that.

What does "the server shutdown" mean exactly. Is it stopped?

> ps:
> ldap_server=ldap.open('localhost')
> ldap_server.protocol_version = ldap.VERSION3
> try:
>     ldap_server.simple_bind_s(word,password)
>     return 'bind yapıldı'
>     ldap_server.unbind()
> except ldap.LDAPError, e:
>     return e

Frankly you did not provide enough information. I'd set client-side logging options in python-ldap (see Demo/initialize.py) and examine the server logs.

Which server vendor and version is that?

Ciao, Michael.

From: mete b. <met...@gm...> - 2008-09-26 10:47:28

Hi all,

i'm trying to connect ldap into python. when i give it to true username and password, nothing going wrong...But i try to wrong password ,the server shutdown...How can i pass that.

ps:

    ldap_server=ldap.open('localhost')
    ldap_server.protocol_version = ldap.VERSION3
    try:
        ldap_server.simple_bind_s(word,password)
        return 'bind yapıldı'
        ldap_server.unbind()
    except ldap.LDAPError, e:
        return e

From: Michael S. <mi...@st...> - 2008-09-23 14:00:57

Paul Wankadia wrote:
> On Fri, Sep 19, 2008 at 6:12 PM, Michael Ströder <mi...@st...> wrote:
>
>>> The current implementation of modifyModlist() clashed with some ACLs
>>> because it touches too many values. :/
>> I don't fully understand. Do you have ACLs based on certain attribute
>> values? It would be probably a good idea to mention these issues in the
>> docs.
>
> Access to objectClass is restricted, for example, so it's necessary to
> be surgical.

Is access to attribute 'objectClass' restricted as a whole? Or do you have ACLs based on certain attribute values (object class names in this case)? Only the latter case seems to be a problem to me.

>>> if old_values != new_values:
>>>     modify.append((ldap.MOD_REPLACE, attr, list(new_values)))
>> The problem with MOD_REPLACE or with only deleting/adding certain
>> attribute values is that it needs EQUALITY matching rules to be
>> implemented at the server-side for all syntaxes of attributes to be
>> modified. That's not the case for e.g. jpegPhoto (or even attribute
>> postalAddress on some servers).
>
> Do you happen to know whether OpenLDAP has any problems in this regard?

Actually I started with an implementation of modifyModlist() in web2ldap which did almost exactly what you propose. But in general it turned out not to be usable. It always depends on the attributes you're dealing with. Check the subschema on your server.

>> In web2ldap I have a modified function modifyModlist() which examines
>> the subschema for determining whether the attribute type has an EQUALITY
>> matching rule assigned and whether this particular matching rule is
>> really listed in the subschema.
>
> What does it do then?

It falls back to applying MOD_DELETE/MOD_ADD to the whole attribute.

Ciao, Michael.

From: Michael S. <mi...@st...> - 2008-09-19 01:12:23

Paul Wankadia wrote:
> The current implementation of modifyModlist() clashed with some ACLs
> because it touches too many values. :/

I don't fully understand. Do you have ACLs based on certain attribute values? It would be probably a good idea to mention these issues in the docs.

> Here's a replacement that I hacked together:
>
> if old_values != new_values:
>     modify.append((ldap.MOD_REPLACE, attr, list(new_values)))

The problem with MOD_REPLACE or with only deleting/adding certain attribute values is that it needs EQUALITY matching rules to be implemented at the server-side for all syntaxes of attributes to be modified. That's not the case for e.g. jpegPhoto (or even attribute postalAddress on some servers).

In web2ldap I have a modified function modifyModlist() which examines the subschema for determining whether the attribute type has an EQUALITY matching rule assigned and whether this particular matching rule is really listed in the subschema.

=> So for general use I won't accept your version since it will choke in many more cases.

Ciao, Michael.

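The approach described in the two replies above (value-level changes only where the subschema lists an EQUALITY matching rule, otherwise delete and re-add the whole attribute), sketched as an added example. This is not python-ldap's or web2ldap's code; `build_modlist` and the `equality_attrs` set are hypothetical, and the entries are constructed sample data.

```python
# Added illustration; not python-ldap's or web2ldap's implementation.
# Operation codes of the LDAP ModifyRequest (RFC 4511); python-ldap exposes
# the same values as ldap.MOD_ADD and ldap.MOD_DELETE.
MOD_ADD, MOD_DELETE = 0, 1


def build_modlist(old_entry, new_entry, equality_attrs):
    """Return (op, attr, values) tuples that turn old_entry into new_entry.

    equality_attrs is an assumption of this sketch: the lower-cased names of
    attribute types for which the server's subschema really lists an EQUALITY
    matching rule. A real client would derive it from the subschema subentry.
    """
    old = {name.lower(): (name, vals) for name, vals in old_entry.items()}
    new = {name.lower(): (name, vals) for name, vals in new_entry.items()}
    modlist = []
    for key in sorted(set(old) | set(new)):
        name = (new.get(key) or old.get(key))[0]
        old_vals = list(old[key][1]) if key in old else []
        new_vals = list(new[key][1]) if key in new else []
        if sorted(old_vals) == sorted(new_vals):
            continue  # unchanged: do not touch it, so ACLs are not triggered
        if not old_vals:
            modlist.append((MOD_ADD, name, new_vals))
        elif not new_vals:
            # Deleting without values removes the attribute as a whole.
            modlist.append((MOD_DELETE, name, None))
        elif key in equality_attrs:
            # The server can compare values: send only the differences.
            removed = [v for v in old_vals if v not in new_vals]
            added = [v for v in new_vals if v not in old_vals]
            if removed:
                modlist.append((MOD_DELETE, name, removed))
            if added:
                modlist.append((MOD_ADD, name, added))
        else:
            # No usable EQUALITY rule (e.g. jpegPhoto): fall back to
            # replacing the attribute as a whole with delete + add.
            modlist.append((MOD_DELETE, name, None))
            modlist.append((MOD_ADD, name, new_vals))
    return modlist


# Constructed sample data.
EQUALITY_ATTRS = {"objectclass", "description", "mail"}
OLD_ENTRY = {
    "objectClass": [b"top", b"person"],
    "jpegPhoto": [b"\xff\xd8old"],
    "description": [b"x"],
}
NEW_ENTRY = {
    "objectClass": [b"top", b"person", b"inetOrgPerson"],
    "jpegPhoto": [b"\xff\xd8new"],
    "mail": [b"a@example.org"],
}

if __name__ == "__main__":
    for mod in build_modlist(OLD_ENTRY, NEW_ENTRY, EQUALITY_ATTRS):
        print(mod)
```
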
From: Michael S. <mi...@st...> - 2008-09-16 18:17:27

Jonathan Hansen wrote:
> Does anyone have a working password change script for active directory
> server that will run on Linux?

My web2ldap implements it. But it's not a small script. Depending on your use-case you might consider deploying web2ldap though. At least for learning how the data looks like it would be useful.

I see three issues here:

> *** ldap://my.ldap.server:389 - SimpleLDAPObject.search_ext
> (('cn=Users,my.dc', 2, '(objectClass=user)(mail=*)', ['*'], 0, None,
              ^^^^^
1. This is not a valid DN. With AD it should rather look like
cn=Users,dc=my,dc=domain

> *** ldap://my.ldap.server:389 - SimpleLDAPObject.result3 ((2, 1, -1),{})
> => LDAPError - SERVER_DOWN: {'info': '', 'desc': "Can't contact LDAP
> server"}

2. This error code means the LDAP server wasn't reachable at all.

3. Also note that for changing the AD password (attribute unicodePwd) you have to use SSL. So your connection URI has to look like this:
ldaps://my.ldap.server:636

See Demo/initialize.py how to set the SSL/TLS-related options.

Ciao, Michael.

From: Jonathan H. <jon...@23...> - 2008-09-16 00:39:35

Does anyone have a working password change script for active directory server that will run on Linux? We try and run as little as possible on windows. I have found several but none actually run. I know I am committing list faux pas by asking this but I am an IT guy not a programmer so although am working on it do not yet have the skill to sort out stuff like this. My attempt at a script authenticated fine but then when I tried to do a search or anything else claimed it was not able to talk to the server it had just authenticated against *sighs* I hate microsoft.

Thanks,
Jonathan

PS: my error in case anyone wants to help with that instead:

    => result: (97, [], 1, [])
    Bind result: (97, [])
    Running search: (objectClass=user)(mail=*)
    *** ldap://my.ldap.server:389 - SimpleLDAPObject.search_ext (('cn=Users,my.dc', 2, '(objectClass=user)(mail=*)', ['*'], 0, None, None, -1, 0),{})
    => result: 2
    *** ldap://my.ldap.server:389 - SimpleLDAPObject.result3 ((2, 1, -1),{})
    => LDAPError - SERVER_DOWN: {'info': '', 'desc': "Can't contact LDAP server"}
    Can't contact LDAP server

From: Rich M. <ric...@gm...> - 2008-09-11 14:22:28

Michael Ströder wrote:
> Rich Megginson wrote:
>
>> Is it possible to use two different CA certs in a single python-ldap
>> app?
>>
>
> There are two options:
>
> 1. Stuff all trusted CA certs into one "PEM" file and use
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/allcacerts.pem')
>
> 2. Copy all CA certs in a directory and use
> ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/path/to/cacerts')
>
> For faster look up with option . you should generate symbolic links like
> described here:
> http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl
>
> ln -s my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0
>
> I think you can find pretty much docs about how OpenSSL handles multiple
> CA certs.
>

Ok. Thanks Michael. I'll look into it.

> BTW: With OpenLDAP 2.4 client libs you can also set
> ldap.OPT_X_TLS_CACERTDIR connection-specific.
>
> Ciao, Michael.

From: Michael S. <mi...@st...> - 2008-09-11 08:09:02

Rich Megginson wrote:
> Is it possible to use two different CA certs in a single python-ldap
> app?

There are two options:

1. Stuff all trusted CA certs into one "PEM" file and use
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/allcacerts.pem')

2. Copy all CA certs in a directory and use
ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, '/path/to/cacerts')

For faster look up with option . you should generate symbolic links like described here:
http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl

    ln -s my_ca.crt `openssl x509 -hash -noout -in my_ca.crt`.0

I think you can find pretty much docs about how OpenSSL handles multiple CA certs.

BTW: With OpenLDAP 2.4 client libs you can also set ldap.OPT_X_TLS_CACERTDIR connection-specific.

Ciao, Michael.

From: Rich M. <ric...@gm...> - 2008-09-10 20:59:10

The following code does not work in a couple of different places:

    import sys
    import ldap, ldap.ldapobject

    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
    conn1 = ldap.ldapobject.LDAPObject('ldaps://server1.domain:636')
    #conn1.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    # NOTE: 1 - setting conn specific cacertfile doesn't work - only the
    # module level setting seems to work
    #conn1.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca1.pem')
    conn1.simple_bind('mybinddn','password')
    print "conn1 set up correctly"
    conn1.unbind_s()

    # NOTE: 2 - although this appears to work i.e. get_option returns the new
    # one, the code never attempts to open /path/to/ca2.pem - I've validated this via strace
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
    print "cacert file =", ldap.get_option(ldap.OPT_X_TLS_CACERTFILE)
    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 0) # this works
    conn2 = ldap.initialize('ldaps://server2.domain:636')
    #conn2.set_option(ldap.OPT_DEBUG_LEVEL, 255)
    # again, conn specific setting does not work
    conn2.set_option(ldap.OPT_X_TLS_CACERTFILE, '/path/to/ca2.pem')
    print "conn2 cacertfile=", conn2.get_option(ldap.OPT_X_TLS_CACERTFILE)
    conn2.simple_bind("binddn2","password2") # errors here - cannot verify peer server ssl cert
    print "conn2 set up correctly"

Is it possible to use two different CA certs in a single python-ldap app? I've tried using both version 2.2.0 on rhel5 and version 2.3.1 on fedora 9

From: Gustavo N. <me...@gu...> - 2008-09-10 10:34:55

Hello,

On Wednesday September 10, 2008 09:21:24 Michael Ströder wrote:
> > I need this because I'm using group-based authentication in my
> > application.
>                                             ^^^^^^^^^^^^^^
> Authorization I guess.

Right, sorry.

> Please make yourself familiar with group entries and how they differ
> from ou entries (which are probably not what you want).

Thanks, I will.

Cheers!

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware:
http://softwareliberty.com/

From: Michael S. <mi...@st...> - 2008-09-10 07:21:17

Gustavo Narea wrote:
>
> On Monday September 8, 2008 23:47:19 you wrote:
>> This question is not very clear. Do you mean the attribute 'ou' of the
>> user's entry or the ou-Container the user's entry is in? If you're
>> working with AD it's probably the latter. Then it's the DN of the user's
>> entry parent entry.
>
> Thanks for your answer, and sorry for not being clear.
>
> Say I (dn: uid=gnarea,ou=directors,dc=example,dc=org)

So this is on AD?

> also belong to
> ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org. How can I
> get the set of all the Organizational Units I belong to?

What does "also belong to" mean? The user entry uid=gnarea,ou=directors,dc=example,dc=org being a member of a group entry? Note that groups are independent from AD's ou-structure. Regarding the ou-structure gnarea is simply in ou=directors,dc=example,dc=org.

> I'm looking for something that if I give the
> "uid=gnarea,ou=directors,dc=example,dc=org" DN, it returns a tuple/list made
> up of the items: 'directors', 'sysadmins' and 'betatesters'.

I don't know how your entries ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org look like.

> I need this because I'm using group-based authentication in my application.
                                            ^^^^^^^^^^^^^^
Authorization I guess.

Please make yourself familiar with group entries and how they differ from ou entries (which are probably not what you want).

Ciao, Michael.

From: Gustavo N. <me...@gu...> - 2008-09-09 11:25:29

Hello,

On Monday September 8, 2008 23:47:19 you wrote:
> This question is not very clear. Do you mean the attribute 'ou' of the
> user's entry or the ou-Container the user's entry is in? If you're
> working with AD it's probably the latter. Then it's the DN of the user's
> entry parent entry.

Thanks for your answer, and sorry for not being clear.

Say I (dn: uid=gnarea,ou=directors,dc=example,dc=org) also belong to ou=sysadmins,dc=example,dc=org and ou=betatesters,dc=example,dc=org. How can I get the set of all the Organizational Units I belong to?

I'm looking for something that if I give the "uid=gnarea,ou=directors,dc=example,dc=org" DN, it returns a tuple/list made up of the items: 'directors', 'sysadmins' and 'betatesters'.

I need this because I'm using group-based authentication in my application.

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware:
http://softwareliberty.com/

From: Michael S. <mi...@st...> - 2008-09-08 21:47:18

Gustavo Narea wrote:
>
> How can I retrieve the Organizational Units a user belongs to via python-ldap?

This question is not very clear. Do you mean the attribute 'ou' of the user's entry or the ou-Container the user's entry is in? If you're working with AD it's probably the latter. Then it's the DN of the user's entry parent entry.

Ciao, Michael.

From: Gustavo N. <me...@gu...> - 2008-09-08 18:02:55

Hello,

How can I retrieve the Organizational Units a user belongs to via python-ldap?

I couldn't find this information in the docs, and search_s() doesn't seem to work for this.

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware:
http://softwareliberty.com/

From: Gustavo N. <me...@gu...> - 2008-09-06 16:16:15

Hello,

I'm going to release the first stable version of repoze.who.plugins.ldap very soon, which is a plugin for the repoze.who that enables LDAP authentication via python-ldap.

So I wonder if you could add it to this listing http://python-ldap.sourceforge.net/apps.shtml ?

Its URL is http://code.gustavonarea.net/repoze.who.plugins.ldap/

Thanks in advance.

--
Gustavo Narea.
http://gustavonarea.net/

Get rid of unethical constraints! Switch to Freedomware:
http://softwareliberty.com/

From: Michael S. <mi...@st...> - 2008-09-05 09:23:25

Alex Davies wrote:
>
> I am trying to query an AD Domain Controller for some information, and
> i'd like to do this without having to install the win32 and AD libraries
> for Python.

So you want to use python-ldap on Win32. Ok.

> I am using the following code to obtain a list of users inside a group
> (test). This works well, but i'd like to be able to add groups that
> contain users into the "test" group, and return them too.

In general with LDAP you have to deal with nested groups at the client side.

Especially with AD explicitly requesting the attribute tokenGroups on a user's entry could be an option since AD then computes all the groups a user is member of including nested groups. Note that the attribute values are not DNs. See description here:
http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx

> searchFilter = "(memberOf=CN=test,OU=Machines,OU=Linux
> Auth,DC=xxx,DC=local)"

I'm not sure whether memberOf only indicates the directory group membership.

> ldap_result_id = l.search(baseDN, searchScope, searchFilter,
> retrieveAttributes)

I'd recommend to use the synchronous method l.search_s() first to avoid programming errors. This is handy when you don't expect large result sets. If you want to do stream processing of large result sets ldap.resiter is more handy.

Ciao, Michael.

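Client-side handling of nested groups, as mentioned in the reply above, shown as an added example that is not part of the original thread. `expand_group_members` and `fetch_entry` are hypothetical names, and the in-memory directory is constructed sample data standing in for base-scope searches; attribute values are plain strings here for brevity.

```python
def expand_group_members(group_dn, fetch_entry):
    """Return the DNs of all non-group entries reachable from group_dn.

    fetch_entry(dn) is a hypothetical callable returning a dict with the
    entry's 'objectClass' and 'member' value lists, or None if the entry
    cannot be read. With python-ldap it would wrap a base-scope search_s().
    """
    users = set()
    seen = set()          # normalised DNs already visited (guards against cycles)
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        key = dn.lower()  # simplification: real DN comparison needs full normalisation
        if key in seen:
            continue
        seen.add(key)
        entry = fetch_entry(dn)
        if entry is None:
            continue      # unreadable or dangling member reference
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "group" in classes:
            # A nested group: descend into its direct members.
            stack.extend(entry.get("member", []))
        else:
            users.add(dn)
    return users


# Constructed sample directory: "test" contains a user and a nested group,
# and the nested group points back at "test" to show the cycle guard.
DIRECTORY = {
    "cn=test,ou=groups,dc=example,dc=org": {
        "objectClass": ["top", "group"],
        "member": [
            "cn=alice,ou=people,dc=example,dc=org",
            "cn=admins,ou=groups,dc=example,dc=org",
        ],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["top", "group"],
        "member": [
            "cn=bob,ou=people,dc=example,dc=org",
            "CN=test,OU=groups,DC=example,DC=org",
            "cn=gone,ou=people,dc=example,dc=org",
        ],
    },
    "cn=alice,ou=people,dc=example,dc=org": {"objectClass": ["top", "user"]},
    "cn=bob,ou=people,dc=example,dc=org": {"objectClass": ["top", "user"]},
}


def fetch_from_sample(dn):
    """Look up a DN in the constructed directory, ignoring case."""
    return DIRECTORY.get(dn.lower())


if __name__ == "__main__":
    for member in sorted(expand_group_members(
            "cn=test,ou=groups,dc=example,dc=org", fetch_from_sample)):
        print(member)
```
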
From: Alex D. <al...@da...> - 2008-09-04 15:48:32

Hi Everyone,

I am trying to query an AD Domain Controller for some information, and i'd like to do this without having to install the win32 and AD libraries for Python.

I am using the following code to obtain a list of users inside a group (test). This works well, but i'd like to be able to add groups that contain users into the "test" group, and return them too. If I do this, the code below returns nothing at all - not even the names of the groups in the test group.

Can anyone advise me how to do this?

--
    import ldap
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    l = ldap.initialize("ldap://10.3.x.x")
    l.simple_bind_s('alexd@XXX.LOCAL', 'xxx')
    baseDN = "OU=Location, DC=xxx, DC=local"
    searchScope = ldap.SCOPE_SUBTREE
    retrieveAttributes = ['sn'] # Surname
    searchFilter = "(memberOf=CN=test,OU=Machines,OU=Linux Auth,DC=xxx,DC=local)"
    try:
        ldap_result_id = l.search(baseDN, searchScope, searchFilter, retrieveAttributes)
        result_set = []
        while 1:
            result_type, result_data = l.result(ldap_result_id, 0)
            if (result_data == []):
                break
            else:
                if result_type == ldap.RES_SEARCH_ENTRY:
                    print result_set
    except ldap.LDAPError, e:
        print e
--

Any help gratefully received. Many thanks for your time!

Alex

From: Mike M. <mm...@wy...> - 2008-09-03 13:45:16

Hi Randy,

My apologies for not getting back to you sooner. Here is a crude example of the code I used to create/modify a password using Python LDAP. The trick to modifying the password is encoding in unicode. I am still trying to find my bookmark to a discussion board that explains how this works. Once I find it I will post it here as well.

Unfortunately I have not had any time over the past few months to work on my code so I do not have a whole lot more that I can give you at the moment. I plan to begin work again this fall and any changes or advancements I make I will be sure to post. If you find a better way to achieve AD account manipulation please let me know.

Thanks,
Mike

    import ldap
    import ldap.modlist as modlist

    server = "ldaps://jebediah.springfield.org:636"
    who = "adm...@sp..."
    cred = "password"
    path = "ou=Students,ou=Accounts,dc=springfield,dc=org"
    keyword = "simpson"
    dn = 'cn=jjones,ou=Accounts,dc=springfield,dc=org'

    attrs = {}
    attrs['objectclass'] = ['top', 'person', 'organizationalPerson','user']
    attrs['cn'] = 'jjones'
    attrs['userPassword'] = 'jimbo'
    attrs['userPrincipalName'] = 'jjones'
    attrs['sAMAccountName'] = 'jjones'
    attrs['givenName'] = 'Jimbo'
    attrs['sn'] = 'Jones'
    attrs['DisplayName'] = 'Jimbo Jones'
    attrs['description'] = 'A brief description'
    attrs['userAccountControl'] = '512'

    password = "jimbo"
    password_attr = "unicodePwd"
    unicode1 = unicode("\"" + password + "\"", "iso-8859-1")
    unicode2 = unicode1.encode("utf-16-le")
    password_value = unicode2
    mods = [(ldap.MOD_REPLACE, password_attr, [password_value])]

    ldif = modlist.addModlist(attrs)

    l = ldap.initialize(server)
    l.simple_bind_s(who, cred)
    l.add_s(dn, ldif)
    l.modify(dn, mods)
    l.unbind_s()

On Sep 2, 2008, at 6:27 PM, <wis...@gm...> <wis...@gm...
> wrote:

> On 8/30/08, Michael Ströder <mi...@st...> wrote:
>> Randy wrote:
>>> Mike (or anyone else who has successfully changed an Active
>>> Directory
>>> password using python-ldap over SSL),
>>>
>>> I have not found an update in the archives to your last message on
>>> this subject (below). Can you perhaps share some Python code
>>> showing
>>> how to add or change the password for an Active Directory user via
>>> LDAP over SSL?
>>
>> Recent web2ldap changes unicodePwd in AD. You could set
>> trace_level=2 in
>> etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.
>>
>> For the SSL part see Demo/initialize.py in python-ldap's source
>> distribution. Of course you have to check back with your admin
>> whether
>> SSL is enabled in your AD DCs and which CA cert to install on the
>> client
>> side.
>>
>> Ciao, Michael.
>>
>
> Thanks for the quick reply Michael.
>
> I installed web2ldap 0.16.41, but have not been able to connect via
> SSL and Bind to my Active Directory test machine (running Microsoft's
> ADAM server on WinXP, which I have successfully
> connected/authenticated with over SSL using MS's ldp.exe utility). I
> am not completely sure I need to do a simple bind, in order to change
> a user password in Active Directory, when I have both the old and new
> passwords, given the other comments by Mike in this thread.
>
> Does web2ldap have a public SVN or CVS repository where I might view
> the changes that allow web2ldap to change the unicodePwd in AD, and
> hence get some hint as to where in the code this magic is happening?
>
> This task may be easy for someone with LDAP experience, but I have
> virtually no experience with LDAP (or AD either).
>
> Thanks again,
>
> - Randy

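The unicodePwd encoding used in the message above and the ldaps:// requirement stated earlier in this thread, as an added Python 3 example that is not from the original posts. It goes one step beyond the thread: besides the administrative reset shown above (a single replace), it builds the modify list Active Directory treats as a user-initiated change when the old password is known (delete the old value, add the new one, in one modify request). All function names are hypothetical; the tuples have the shape python-ldap's modify_s() accepts.

```python
from urllib.parse import urlsplit

# LDAP ModifyRequest operation codes (RFC 4511); python-ldap exposes the same
# values as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password):
    """Wrap the password in double quotes and encode it as UTF-16-LE."""
    if not isinstance(password, str) or not password:
        raise ValueError("password must be a non-empty str")
    return ('"' + password + '"').encode("utf-16-le")


def require_ldaps(uri):
    """Reject URIs that are not ldaps://, following the advice in this thread."""
    if urlsplit(uri).scheme.lower() != "ldaps":
        raise ValueError("unicodePwd must only be sent over ldaps://, got %r" % uri)
    return uri


def reset_modlist(new_password):
    """Administrative reset: replace the attribute (what the code above does)."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_modlist(old_password, new_password):
    """User-initiated change: delete the old value and add the new one.

    Both operations must travel in the same modify request.
    """
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


if __name__ == "__main__":
    # Constructed sample values.
    uri = require_ldaps("ldaps://my.ldap.server:636")
    print(uri, reset_modlist("jimbo"))
    print(change_modlist("jimbo", "Sk8er-Boi-2008"))
```
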
From: <wis...@gm...> - 2008-09-02 22:27:36

On 8/30/08, Michael Ströder <mi...@st...> wrote:
> Randy wrote:
>> Mike (or anyone else who has successfully changed an Active Directory
>> password using python-ldap over SSL),
>>
>> I have not found an update in the archives to your last message on
>> this subject (below). Can you perhaps share some Python code showing
>> how to add or change the password for an Active Directory user via
>> LDAP over SSL?
>
> Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in
> etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.
>
> For the SSL part see Demo/initialize.py in python-ldap's source
> distribution. Of course you have to check back with your admin whether
> SSL is enabled in your AD DCs and which CA cert to install on the client
> side.
>
> Ciao, Michael.
>

Thanks for the quick reply Michael.

I installed web2ldap 0.16.41, but have not been able to connect via SSL and Bind to my Active Directory test machine (running Microsoft's ADAM server on WinXP, which I have successfully connected/authenticated with over SSL using MS's ldp.exe utility). I am not completely sure I need to do a simple bind, in order to change a user password in Active Directory, when I have both the old and new passwords, given the other comments by Mike in this thread.

Does web2ldap have a public SVN or CVS repository where I might view the changes that allow web2ldap to change the unicodePwd in AD, and hence get some hint as to where in the code this magic is happening?

This task may be easy for someone with LDAP experience, but I have virtually no experience with LDAP (or AD either).

Thanks again,

- Randy

From: Michael S. <mi...@st...> - 2008-08-30 08:46:22

Randy wrote:
> Mike (or anyone else who has successfully changed an Active Directory
> password using python-ldap over SSL),
>
> I have not found an update in the archives to your last message on
> this subject (below). Can you perhaps share some Python code showing
> how to add or change the password for an Active Directory user via
> LDAP over SSL?

Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.

For the SSL part see Demo/initialize.py in python-ldap's source distribution. Of course you have to check back with your admin whether SSL is enabled in your AD DCs and which CA cert to install on the client side.

Ciao, Michael.

From: Randy <wis...@gm...> - 2008-08-29 22:53:20

Mike (or anyone else who has successfully changed an Active Directory password using python-ldap over SSL),

I have not found an update in the archives to your last message on this subject (below). Can you perhaps share some Python code showing how to add or change the password for an Active Directory user via LDAP over SSL?

Thanks!

- Randy Wiser

> From: Mike Matz <mmatz@wy...> - 2007-11-09 13:36
> Thank you to all who responded to my queries. I have been able to
> successfully create an account and set the password for an AD user on
> my test server. For those who are interested here is the breakdown of
> what I did. As I continue to debug and test I will post updates to
> this topic.
> Connected via SSL to the server. There is no need to manage
> certificates on the client since I am not binding, only establishing
> an LDAP connection. Certificate Services do need to be installed on
> the server. In the future I plan to try to implement the sasl_bind
> code that Michael mentioned. To create the account I performed an
> ldap add and to set the password I performed a modify on the
> unicodePwd attribute. This has appeared to work successfully. I am
> able to authenticate as the newly created user, map a home directory,
> etc. I will need to do further testing to ensure that this is a valid
> method for creating an account.
> Once again, thanks to all who provided input!
> Regards,
> Mike

From: Michael S. <mi...@st...> - 2008-08-27 21:22:49

Matt Bartolome wrote:
> I'll take a stab at this. I'll give you fair warning though that I
> don't know much about C. It looks like the modifications would be
> fairly straight forward though given I can find the recommended usage
> and documentation. I left off at the type cast build warnings so I
> just need to figure that in plus make sure it is backwards compatible
> (I saw an example showing how to do that).

Given Matej's answer and the fact that your problem is fixed it seems to me nothing has to be done.

Ciao, Michael.

From: Matt B. <mat...@gm...> - 2008-08-27 21:14:37

On Wed, Aug 27, 2008 at 1:30 PM, Michael Ströder <mi...@st...> wrote:
> Matt Bartolome wrote:
>> My apologies on the wild goose chase but after using valgrind on my
>> fcgi process it is python cx_Oracle (would have never guessed that!)
>> which triggers the segmentation fault when ldap.initialize() is
>> called. Why it does this is beyond me but a simple alteration of my
>> code makes the problem go away completely. I was creating a global
>> oracle db cursor which I'm now creating inside the functions that use
>> it.
>>
>> I'm not sure about the glib c error and patch now. Using the original
>> release without modification works so I will leave it at that.
>
> Glad you figured out what the issue was. It's good if you don't run a
> patched version of python-ldap. In general and thanks to the
> contributors who provided patches in the past python-ldap seems fairly
> stable.

I'll take a stab at this. I'll give you fair warning though that I don't know much about C. It looks like the modifications would be fairly straight forward though given I can find the recommended usage and documentation. I left off at the type cast build warnings so I just need to figure that in plus make sure it is backwards compatible (I saw an example showing how to do that).

>
> But let's look at the blog entry which convinced you to try patching
> python-ldap (see
> http://www.notes.xythian.net/2007/10/24/python-cdb-032-52ubuntu2-with-python-25-causes-double-free-corruption-crash-on-dealloc/):
>
> "Some other searching suggests that python-cdb's use of PyMem_DEL is no
> longer recommended."
>
> That's pretty unprecise, not even a single URL.
>
> But if somebody can add more detailed information to this it could be
> helpful to dive into this. IMO an admirable goal of python-ldap is not
> to fall back behind what's considered current best practice when writing
> extension modules for CPython.
>
> Ciao, Michael.