From: deepti j. <dja...@gm...> - 2008-08-03 20:00:20

Well, these are my 2 cases:

*with python-ldap*: in this case it works even though the object I am passing has unicode characters in its distinguished name, e.g. CN=Sen-po 胡æ£(R)å?š (senpo),OU=Users,OU=TPE,OU=Offices,DC=corp,DC=google,DC=com. I can print the distinguished name without encoding it in UTF-8 format and also remove or add this user to a group.

import ldap

ldap.set_option(ldap.OPT_REFERRALS, 0)
group_dn = "CN=sysops,OU=LDAPGroups,DC=corp,DC=google,DC=com"
user = 'CN=goadmin sgadekal,OU=Users,OU=Administration,DC=corp,DC=google,DC=com'
l = ldap.open("192.168.100.1")
l.protocol_version = ldap.VERSION3
l.simple_bind_s(who=user, cred=r'*****')
baseDN = 'dc=corp,dc=google,dc=com'
searchScope = ldap.SCOPE_SUBTREE
retrieveAttributes = ['cn', 'samaccountname', 'distinguishedname']
searchFilter = "(&(objectclass=*)(samaccountname=senpo))"
ldap_result_id = l.search_ext(baseDN, searchScope, searchFilter, retrieveAttributes, sizelimit=1000)
result_type, result_data = l.result(ldap_result_id, 0)
if result_type == ldap.RES_SEARCH_ENTRY:
    # the DN comes back exactly as the server sent it (UTF-8 bytes)
    user_dn = result_data[0][1]['distinguishedName'][0]
    modlist = [(ldap.MOD_ADD, "member", user_dn)]
    try:
        l.modify_s(group_dn, modlist)
    except ldap.LDAPError:
        print "user not added"

*with win32com.client*: the same thing, when I try to do it with the "win32com.client" module using "adsi", I cannot print the distinguished name of the user without first encoding it in UTF-8 format, and even if I do this I cannot add or remove the user from a group; it throws an error.

import win32com.client
from win32com.client import Dispatch

conn = Dispatch('ADODB.Connection')
conn.Open("Provider=ADSDSOObject")
search = "<LDAP://dc=corp,dc=google,dc=com>;(&(ObjectClass=*)(sAMAccountName=senpo));cn,distinguishedname;subtree"
record_set = conn.Execute(search)[0]
dn = record_set.Fields("distinguishedName").value
dn = dn.encode('utf-8')
adsi = win32com.client.Dispatch('AdsNameSpaces')
ldap = adsi.getobject("", "LDAP:")
logon_ex = "CN=goadmin sgadekal,OU=Users,OU=Administration,DC=corp,DC=google,DC=com"
passwd = "*******"
ex_path = "LDAP://192.168.100.1/CN=sysops,OU=LDAPGroups,DC=corp,DC=google,DC=com"
myDSObject = ldap.OpenDSObject(ex_path, logon_ex, passwd, 0)
myDSObject.GetInfo()
list_member = dn
print dn
append_list = [list_member]
myDSObject.PutEx(3, 'Member', append_list)   # 3 = ADS_PROPERTY_APPEND
myDSObject.SetInfo()

Can you let me know how exactly this is happening in python-ldap and how it is able to add and remove accounts with unicode characters? It will be really helpful for me to know it.
From: Michael S. <mi...@st...> - 2008-08-02 08:12:44

Jonathan, please stay on the mailing list.

Jonathan Hansen wrote:
> Turned that on and it's a little more confusing because I can SEE
> results returned...

The output '=> LDAPError' in the trace log shows that an exception was raised derived from an error code returned by the underlying OpenLDAP client libs.

> PS: Here is the befuddling output in case it tells you more than it does
> me.

Note that the LDAP URL behind *** shows for which connection the operation was invoked. So let's see...

> *** ldap://dc1.mv.corp.23andme.com:389 - SimpleLDAPObject.simple_bind
> (('user@Domain', 'password', None, None),{})
> [..]
> *** ldap://ad-dc.my.company.example.com:389 -
> SimpleLDAPObject.search_ext

Obviously the servers differ. Check your code.

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-08-01 23:03:34

Michael Ströder wrote:
> Jonathan Hansen wrote:
>> When I run the script below it binds successfully, but then when I
>> try and run the search says it cannot contact the server. I have
>> verified the service is running, ports are open, it binds without
>> error so I am quite confused.
>
> You could use tracelevel=2 when calling ldap.initialize()

Sorry, it's argument trace_level like documented here:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.initialize

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-08-01 22:49:41

Jonathan Hansen wrote:
> When I run the script below it binds successfully, but then when I try
> and run the search says it cannot contact the server. I have verified
> the service is running, ports are open, it binds without error so I am
> quite confused.

You could use tracelevel=2 when calling ldap.initialize() to track things down. This generates debug output of the parameters passed to the LDAPObject methods and the results returned.

> This may seem overly complicated but I am trying to build a framework
> with which I can run queries against the active directory domain.

Something like this?
http://www.boskant.nl/trac/python-ad/

Ciao, Michael.
From: Jonathan H. <jh...@23...> - 2008-08-01 22:19:49

Ok, I am only mediocre at python so maybe this is a stupid mistake on my part, but I have exhausted my options from Google searches. When I run the script below it binds successfully, but then when I try and run the search it says it cannot contact the server. I have verified the service is running, ports are open, it binds without error, so I am quite confused. If someone could point at what I am doing wrong I would greatly appreciate it.

This may seem overly complicated but I am trying to build a framework with which I can run queries against the active directory domain.

Thanks in advance,
-Jonathan

Here is the output:

In [18]: run ldap-ad.py
ldap://my.company.example.com:389
Bind result: (97, [])    <-- obviously a successful connection
Running search: (objectClass=user)(mail=*)
Can't contact LDAP server    <-- now it can't connect

And here is the script:

#!/usr/bin/env python
import ldap, ldapurl, sys

# AD Hack
ldap.set_option(ldap.OPT_REFERRALS, 0)
ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)

def handle_ldap_exception(e):
    # python-ldap exceptions carry a dict with 'desc' and an optional 'info'
    if type(e.message) == dict and e.message.has_key('info'):
        if e.message['info'] != '':
            print e.message['info']
    if type(e.message) == dict and e.message.has_key('desc'):
        if e.message['desc'] != '':
            print e.message['desc']
    else:
        print e

def get_ldap_url(dns_name, proto='ldap', port=0):
    if proto == 'ldap' and port == 0:
        port = 389
    elif proto == 'ldaps' and port == 0:
        port = 636
    server = ldapurl.LDAPUrl(urlscheme=proto, hostport="%s:%s" % (dns_name, str(port))).initializeUrl()
    return server

base_dn = "cn=Users,dc=my,dc=company,dc=example,dc=com"
dn = 'User@Domain'
pw = "itsasecret"

ad_conn = ldap.initialize(get_ldap_url("ad-dc.my.company.example.com", proto='ldap'))
try:
    ad_conn.protocol_version = ldap.VERSION3
    bind = ad_conn.simple_bind_s(dn, pw)
    print "Bind result: " + str(bind)
except ldap.LDAPError, e:
    handle_ldap_exception(e)
    ad_conn.unbind_s()
    sys.exit()

# two assertions have to be wrapped in an AND to form a valid RFC 4515 filter
search_email = '(&(objectClass=user)(mail=*))'
res_attrs = ['*']
print "Running search: %s" % search_email
try:
    # search_ext() returns a message id which result() is polled with;
    # search_s() would already return the finished result list instead
    msgid = ad_conn.search_ext(base_dn, ldap.SCOPE_SUBTREE, search_email, res_attrs)
    result_set = []
    while True:
        result_type, result_data = ad_conn.result(msgid, 0)
        if result_data == []:
            break
        elif result_type == ldap.RES_SEARCH_ENTRY:
            result_set.append(result_data)
    print result_set
except ldap.LDAPError, e:
    handle_ldap_exception(e)
    ad_conn.unbind_s()
    sys.exit()

ad_conn.unbind_s()
From: Michael S. <mi...@st...> - 2008-07-27 15:37:58

deepti jawalkar wrote:
>
> I have been working with python ldap and ADSI modules to get my tasks
> done in AD and i have noticed that python ldap is able to handle unicode
> characters when we try to add/remove a particular user from a group who
> has unicode characters in his DN but the same is not possible in ADSI
> can you give me an insight as to how Python ldap is able to handle this ?

I'm not sure I fully understand your question. Up to now python-ldap does not have any Unicode handling. That's because the root of the API is still in pre-Unicode-Python times. So the code using python-ldap is responsible for doing anything related to Unicode encoding/decoding and passing valid strings to python-ldap's functions and object methods.

It would help if you showed a concrete case, maybe with data and Python code, where python-ldap works and ADSI does not.

(Anyway I'd recommend using python-ldap since you can then even tweak your AD from a Linux box. ;-)

Ciao, Michael.
From: deepti j. <dja...@gm...> - 2008-07-26 18:26:23

Hi,

I have been working with python ldap and ADSI modules to get my tasks done in AD and I have noticed that python ldap is able to handle unicode characters when we try to add/remove a particular user from a group who has unicode characters in his DN, but the same is not possible in ADSI. Can you give me an insight as to how Python ldap is able to handle this?

--
Cheers,
Deepti Jawalkar.

--
Cheers,
DJ.
From: <som...@hs...> - 2008-07-23 12:34:56

Hi Michael,

I just compiled the latest stable python-ldap version by hand and now authentication works - seems to have been a bug in that old version shipped with Debian Etch.

Thanks,
B.

> -----Original Message-----
> From: Michael Ströder [mailto:mi...@st...]
> Sent: Wednesday, 23 July 2008 13:24
> To: som...@hs...
> Cc: pyt...@li...
> Subject: Re: Python-LDAP doesn't like crypt-passwords with 41bit?
>
> som...@hs... wrote:
> >
> > Our passwords in the LDAP server are encrypted with crypt and stored
> > as 41bit binary values. The problem is that python-ldap doesnt seem to
> > like 41bit passwords but only 20bit. When I try to authenticate by
> > Plone-LDAP / python-LDAP, it doesnt work, cause the password doesnt
> > match. (Our LDAP server stores the LDAP passwords as 41bit values by
> > standard)
>
> 1. I think you're saying bits but probably mean bytes.
>
> 2. If you're talking about using simple_bind_s() to bind to the server
> then you simply have to use the clear-text password and not the hashed
> one.
>
> 3. Actually there's no length limit in the API for any parameter.
>
> > If I re-set the password then from Plone-LDAP / python-LDAP, the new
> > password is stored as 20bit binary and authentication works.
>
> How do you set the password? You probably should get familiar with
> hashed passwords and how they are generated, stored and validated.
>
> See: http://www.openldap.org/faq/data/cache/419.html
>
> Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-07-23 11:25:16

som...@hs... wrote:
>
> Our passwords in the LDAP server are encrypted with "crypt" and stored
> as 41bit binary values. The problem is that python-ldap doesn't seem to
> like 41bit passwords but only 20bit. When I try to authenticate by
> Plone-LDAP / python-LDAP, it doesn't work, cause the password doesn't
> match. (Our LDAP server stores the LDAP passwords as 41bit values by
> standard)

1. I think you're saying bits but probably mean bytes.

2. If you're talking about using simple_bind_s() to bind to the server then you simply have to use the clear-text password and not the hashed one.

3. Actually there's no length limit in the API for any parameter.

> If I re-set the password then from Plone-LDAP / python-LDAP, the new
> password is stored as 20bit binary and authentication works.

How do you set the password? You probably should get familiar with hashed passwords and how they are generated, stored and validated.

See: http://www.openldap.org/faq/data/cache/419.html

Ciao, Michael.
From: <som...@hs...> - 2008-07-23 08:38:39

Hi altogether,

I have a little problem with python-ldap, version 2.2.0 (shipped with debian etch). I'm using python-ldap with Plone 3.1 (with PloneLDAP module), Slapd 2.3.3 and LibLDAP 2.1.3.

Our passwords in the LDAP server are encrypted with "crypt" and stored as 41bit binary values. The problem is that python-ldap doesn't seem to like 41bit passwords but only 20bit. When I try to authenticate by Plone-LDAP / python-LDAP, it doesn't work, cause the password doesn't match. (Our LDAP server stores the LDAP passwords as 41bit values by standard)

If I re-set the password then from Plone-LDAP / python-LDAP, the new password is stored as 20bit binary and authentication works.

Is there any way to get python-LDAP 2.2.0 to "eat" 41bit binary crypt passwords? Or do I have to upgrade python-ldap in order to get this working?

Thanks in advance,
B.
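Michael's reply above makes two points that this thread keeps circling: a simple bind carries the clear-text password and the server does the hash comparison itself, and the stored userPassword value is a hash in a scheme such as the {SSHA}/{SHA} values the linked OpenLDAP FAQ entry describes. The following is an added example, not code from python-ldap or from anyone in the thread, showing how such values are generated and checked (Python 3, standard library only). The function names are this example's own; the 4-byte salt length is what OpenLDAP's slappasswd uses, any other length works the same way.

```python
# Added example, not code from python-ldap or the list: generating and
# checking {SSHA} and {SHA} userPassword values, the hashed-password
# schemes the OpenLDAP FAQ entry linked in the reply describes.
# python-ldap plays no part in this: simple_bind_s() sends the clear-text
# password and the server runs this comparison itself.
# Function names are this example's own.

import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    # {SSHA} = base64( sha1(password || salt) || salt ).  slappasswd uses a
    # 4-byte salt; any length works because the salt is whatever follows
    # the 20-byte digest.
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password):
    # Unsalted {SHA}: the bare 20-byte digest, so equal passwords give equal
    # stored values, which is why {SSHA} is preferred.
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_userpassword(stored, password):
    """True if the clear-text password matches a {SHA} or {SSHA} value."""
    if not stored.startswith("{"):
        return False  # clear-text or unknown storage: not handled here
    scheme, _, encoded = stored[1:].partition("}")
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    if scheme.upper() == "SHA" and len(raw) == 20:
        digest, salt = raw, b""
    elif scheme.upper() == "SSHA" and len(raw) > 20:
        digest, salt = raw[:20], raw[20:]
    else:
        return False
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison: the stored digest must not leak byte by byte
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    value = make_ssha("secret")
    print(value, check_userpassword(value, "secret"), check_userpassword(value, "wrong"))
```

A {SHA} value always decodes to exactly 20 bytes, a {SSHA} value to 20 bytes plus the salt; the decoded length is therefore how a verifier tells where the digest ends, and why a password written by one tool can look "longer" than one written by another even though both verify.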
From: Michael S. <mi...@st...> - 2008-07-06 18:04:23

Find a new release of python-ldap:

http://python-ldap.sourceforge.net/

python-ldap provides an object-oriented API to access LDAP directory servers from Python programs. It mainly wraps the OpenLDAP 2.x libs for that purpose. Additionally it contains modules for other LDAP-related stuff (e.g. processing LDIF, LDAPURLs and LDAPv3 schema).

----------------------------------------------------------------
Released 2.3.5 2008-07-06

Changes since 2.3.4:

Lib/
* Fixed methods ldap.cidict.__contains__() and
  ldap.schema.models.Entry.__contains__()
* FWIW method LDAPObject.cancel_s() returns a result now
* Fixed ldap.schema.models.NameForm: Class attribute oc is now of type
  string, not tuple to be compliant with RFC 4512
From: Rahul A. <ra...@sy...> - 2008-07-03 12:23:23

Hi Michael,

Thanks for the response. I think you have pointed to the correct problem. ldapwhoami seems to be using ldap library version 2.3.30 whereas python-ldap is probably using 2.1.30. And from this post
http://www.openldap.org/lists/openldap-software/200504/msg00304.html
it is evident that support for wildcard certificates has been incorporated in a version in between these two.

Thanks a ton for the immediate response.

Regards,
Rahul.

Michael Ströder wrote:
> Rahul Amaram wrote:
>> I have set up a ldap server with a wildcard certificate. Upon trying
>> to establish a TLS connection using python ldap, I get the error
>> "TLS: hostname does not match CN in peer certificate". This works
>> fine if I use a certificate with the exact domain name. Is this a
>> bug? Are there any known solutions to this? Looking forward to a
>> response.
>
> Well, personally I'd recommend not to use wildcard certs at all
> => I never tested anything like this.
>
> python-ldap simply relies on OpenLDAP libs which in turn rely on
> OpenSSL. Hmm, so this should be probably raised on the
> openldap-software mailing list.
>
>> P.S: "ldapwhoami" command establishes a TLS connection properly even
>> when using a wild-card certificate. So I am assuming it might be a
>> problem with python-ldap library.
>
> You might wanna dive into the source of ldapwhoami and look up which
> options they set. BTW: Are you sure that your local python-ldap
> installation uses the same OpenLDAP client libs like the ldapwhoami
> command-line tool?
>
> Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-07-03 10:29:44

Rahul Amaram wrote:
> I have set up a ldap server with a wildcard certificate. Upon trying to
> establish a TLS connection using python ldap, I get the error "TLS:
> hostname does not match CN in peer certificate". This works fine if I
> use a certificate with the exact domain name. Is this a bug? Are there
> any known solutions to this? Looking forward to a response.

Well, personally I'd recommend not to use wildcard certs at all => I never tested anything like this.

python-ldap simply relies on OpenLDAP libs which in turn rely on OpenSSL. Hmm, so this should be probably raised on the openldap-software mailing list.

> P.S: "ldapwhoami" command establishes a TLS connection properly even
> when using a wild-card certificate. So I am assuming it might be a
> problem with python-ldap library.

You might wanna dive into the source of ldapwhoami and look up which options they set. BTW: Are you sure that your local python-ldap installation uses the same OpenLDAP client libs like the ldapwhoami command-line tool?

Ciao, Michael.
From: Rahul A. <ra...@sy...> - 2008-07-03 10:17:22

Hi,

I have set up a ldap server with a wildcard certificate. Upon trying to establish a TLS connection using python ldap, I get the error "TLS: hostname does not match CN in peer certificate". This works fine if I use a certificate with the exact domain name. Is this a bug? Are there any known solutions to this? Looking forward to a response.

Thanks,
Rahul.

P.S: "ldapwhoami" command establishes a TLS connection properly even when using a wild-card certificate. So I am assuming it might be a problem with python-ldap library.
From: Michael S. <mi...@st...> - 2008-06-19 14:23:31

Melita Mihaljevic wrote:
>
> On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <mi...@st...
> <mailto:mi...@st...>> wrote:
>
>     Michael Ströder wrote:
>
>         The user enters some user name. During login you have to use a
>         configurable search filter for searching the user's entry.
>
>         Something like:
>         user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>
>         And then replace %s with what the user entered as user name.
>
>     Furthermore:
>
>     1. You have to check whether exactly *one* entry is returned in the
>     search results. search_ext_s(..,sizelimit=2)
>     2. You MUST only accept non-empty passwords when checking the user's
>     password with a bind request. If you send a simple bind request with
>     an empty password the bind is ok because it's only treated as
>     anonymous bind by most LDAP servers.
>
> Ok,
> Probably we didn't understand. I will use uid=userid_name ( %s =
> userid_name).

Did you actually read what I wrote before?

> I have a test that I want to succeed:
> [..]
> search_filter='(|(&(objectClass=*)(member=uid=usera,ou=Unit
> A,ou=Users,ou=testing,dc=example,dc=org)))' # this one was just for
> checking if this works
> search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE,
> search_filter)
>
> (yes this works but I don't want to need to know all that stuff after
> the uid=usera)

You have to deal with all that "stuff after the uid=usera". Hint: In MS AD the DN of the user's entry does not even start with uid=!

If you don't follow the concepts I described you will fail finishing this project correctly. Period.

> I know you said it's a bad thing to search for substring but this is the
> only way how I can say something is a group -> for me in my definition,

Nope. Rethink! Period.

> something is a group if it has a member (or a type containing the word
> member - there is where it would be great to use substrings) and in the
> member part of the record it has uid; the rest of the groups I don't
> want to know about them.

Again: There may be user entries which do not have attribute 'uid' at all! Believe me, you're oversimplifying things.

> And I have a part of the record:
> 'member': ['cn=dummy', 'uid=usera,ou=Unit
> A,ou=Users,ou=testing,dc=example,dc=org']

Don't request attribute 'member' during group lookup. Your application just has to know which groups a user is member of. It should not retrieve all members since that can be many!

> And I only want to search for uid=usera, not the rest of the record.

Explicitly set the requested attributes with argument attrlist. See also:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.search

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-19 12:24:29

On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <mi...@st...> wrote:
> Michael Ströder wrote:
>
>> The user enters some user name. During login you have to use a
>> configurable search filter for searching the user's entry.
>>
>> Something like:
>> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>>
>> And then replace %s with what the user entered as user name.
>
> Furthermore:
>
> 1. You have to check whether exactly *one* entry is returned in the search
> results. search_ext_s(..,sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with an
> empty password the bind is ok because it's only treated as anonymous bind by
> most LDAP servers.
>
> Ciao, Michael.

Ok,
Probably we didn't understand. I will use uid=userid_name ( %s = userid_name).

I have a test that I want to succeed:

    def testMemberOfGroup(self):
        """Authenticate to LDAP and read all groups that user with uid usera is a member of."""
        server_uri = self.ldap_env.slapd.url
        base_dn = self.ldap_env.basedn
        lo = ldap.initialize(server_uri)
        ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
        lo.simple_bind_s('', '')  # anonymous bind
        # this one was just for checking if this works
        search_filter = '(|(&(objectClass=*)(member=uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org)))'
        search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

(yes this works but I don't want to need to know all that stuff after the uid=usera)

I know you said it's a bad thing to search for substring but this is the only way how I can say something is a group -> for me in my definition, something is a group if it has a member (or a type containing the word member - there is where it would be great to use substrings) and in the member part of the record it has uid; the rest of the groups I don't want to know about them.

And I have a part of the record:
'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']

And I only want to search for uid=usera, not the rest of the record.

This is only for test and for the real search I will use it more configurable.

--
Melita MIhaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
From: Michael S. <mi...@st...> - 2008-06-18 17:17:28

Michael Ströder wrote:
> The user enters some user name. During login you have to use a
> configurable search filter for searching the user's entry.
>
> Something like:
> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>
> And then replace %s with what the user entered as user name.

Furthermore:

1. You have to check whether exactly *one* entry is returned in the search results. search_ext_s(..,sizelimit=2)

2. You MUST only accept non-empty passwords when checking the user's password with a bind request. If you send a simple bind request with an empty password the bind is ok because it's only treated as anonymous bind by most LDAP servers.

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-06-18 16:47:16

Melita Mihaljevic wrote:
> On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <mi...@st...
> <mailto:mi...@st...>> wrote:
>     Michael Ströder wrote:
>         Melita Mihaljevic wrote:
>             My search filter is (it's all in one line):
>             search_filter =
>             '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>             (&(objectClass=groupOfNames)(member=uid=usera*))
>             (&(objectClass=posixGroup)(memberUid=usera*)))'
>
>         Why do you want to do wildcard searches? This is not guaranteed
>         to work since some of the member attributes might not even have
>         a SUBSTR matching rule assigned.
>
> Because I know only uid and don't know the other user information

The user enters some user name. During login you have to use a configurable search filter for searching the user's entry.

Something like:
user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'

And then replace %s with what the user entered as user name.

Then you have the DN and some more eventually needed attributes for conducting an exact search for the group entries a user is member of, like I described in my former posting.

> Because in the MoinMoin I search only groups with uid in it, only those
> are important for me.

LDAP directories can have user entries which do not have attribute 'uid' at all!

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-18 16:06:10

On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <mi...@st...> wrote:
> Michael Ströder wrote:
>
>> Melita Mihaljevic wrote:
>>
>>> My search filter is (it's all in one line):
>>> search_filter =
>>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>> (&(objectClass=groupOfNames)(member=uid=usera*))
>>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>>
>> Why do you want to do wildcard searches? This is not guaranteed to work
>> since some of the member attributes might not even have a SUBSTR matching
>> rule assigned.

Because I know only uid and don't know the other user information

> And note that user-IDs might not always be in the attribute 'uid'. It's
> perfectly valid that a user enters his e-mail address into the login form
> and you first have to search for the user's entry which might not have
> attribute 'uid' set at all.

Because in the MoinMoin I search only groups with uid in it, only those are important for me.

Mel

--
Melita MIhaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
From: Michael S. <mi...@st...> - 2008-06-18 15:58:50

Michael Ströder wrote:
> Melita Mihaljevic wrote:
>>
>> My search filter is (it's all in one line):
>> search_filter =
>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>> (&(objectClass=groupOfNames)(member=uid=usera*))
>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>
> Why do you want to do wildcard searches? This is not guaranteed to work
> since some of the member attributes might not even have a SUBSTR
> matching rule assigned.

And note that user-IDs might not always be in the attribute 'uid'. It's perfectly valid that a user enters his e-mail address into the login form and you first have to search for the user's entry which might not have attribute 'uid' set at all.

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-06-18 15:53:00

Melita Mihaljevic wrote:
>
> My search filter is (it's all in one line):
> search_filter =
> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
> (&(objectClass=groupOfNames)(member=uid=usera*))
> (&(objectClass=posixGroup)(memberUid=usera*)))'

Why do you want to do wildcard searches? This is not guaranteed to work since some of the member attributes might not even have a SUBSTR matching rule assigned.

> Also the other thing I want to do is to search
> (objectClass=*)&(*member*=uid=usera*). Is that possible ?

No it's not. And for security reasons you should really stay away from wildcard searches when doing group evaluation! That's a security mechanism and therefore your code MUST be as exact as possible!

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-18 15:39:35

On Wed, Jun 18, 2008 at 11:15 AM, Michael Ströder <mi...@st...> wrote:
>
> Example of a filter generated by web2ldap (normally everything in one line,
> broke up here for readability):
>
> (|
> (&(objectClass=organizationalRole)(roleOccupant=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> (&(objectClass=rfc822MailGroup)(mail=mi...@st...))
> (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> (&(objectClass=mailGroup)(mgrpRFC822MailMember=mi...@st...))
> (&(objectClass=posixGroup)(memberUid=michael))
> (&(objectClass=nisMailAlias)(rfc822MailMember=mi...@st...))
> (&(objectClass=groupOfNames)(member=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> )
>
> Ciao, Michael.

Thank you all for everything, but I have some more problems:

My current LDAP situation is:

dn: cn=Group A,ou=Groups,ou=testing,dc=example,dc=org
cn: Group A
member: cn=dummy
member: uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org
objectClass: groupOfNames

dn: cn=Group B,ou=Groups,ou=testing,dc=example,dc=org
cn: Group B
objectClass: groupOfUniqueNames
uniqueMember: cn=dummy
uniqueMember: uid=userb,ou=Unit B,ou=Users,ou=testing,dc=example,dc=org

And I tried to do a generic search for all groups usera is a member of. (I searched for all objectClass that could be groupOfUniqueNames, groupOfNames or posixGroup at the moment).

My search filter is (it's all in one line):
search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
(&(objectClass=groupOfNames)(member=uid=usera*))
(&(objectClass=posixGroup)(memberUid=usera*)))'

and when I do a search:
search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

I got an empty list. Could someone explain to me why that is so and how to fix it. I only want to search for uid.

Also the other thing I want to do is to search (objectClass=*)&(*member*=uid=usera*). Is that possible?

Thank you a lot.

Mel

--
Melita MIhaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
From: Michael S. <mi...@st...> - 2008-06-18 09:15:38

Melita Mihaljevic wrote:
> Hi,
> I'm wondering which is the generic way to search for groups in LDAP.
> I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE,
> '(ou=Group)')

The filter (ou=Group) does not make sense to me. You're probably mixing this with the search root.

1. Bear in mind that there are many different types of group entries out in the wild. LDAP entries are typed by object class. So your filter has to specifically search for group entries by object class.

2. Additionally for determining whether a certain user is member of a group you have to compare a certain member attribute within the group entry with an attribute within the user's entry or the DN of the entry.

3. You should never ever (accidentally) request the member attribute within the group entry to be returned in the search results since some groups can be big leading to a large amount of data to be returned.

The user entry:

dn: cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de
uid: michael
mail: mi...@st...

Example of a filter generated by web2ldap (normally everything in one line, broke up here for readability):

(|
(&(objectClass=organizationalRole)(roleOccupant=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
(&(objectClass=rfc822MailGroup)(mail=mi...@st...))
(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
(&(objectClass=mailGroup)(mgrpRFC822MailMember=mi...@st...))
(&(objectClass=posixGroup)(memberUid=michael))
(&(objectClass=nisMailAlias)(rfc822MailMember=mi...@st...))
(&(objectClass=groupOfNames)(member=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
)

Ciao, Michael.
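The procedure Michael lays out across the 2008-06-18 and 2008-06-19 posts above (escape what the user typed into an exact, non-wildcard filter; demand exactly one entry using sizelimit=2; refuse an empty password before binding, since it would become an anonymous bind; then look the user's groups up by exact DN or uid, one assertion per group object class, without ever requesting the member attribute), as an added example that is not part of the thread and not python-ldap's own code. It is Python 3. The LDAP server is replaced by FakeLDAPConnection, an in-memory stand-in (an assumption made for this example) that takes the same search_ext_s()/simple_bind_s() arguments as ldap.LDAPObject, and the directory contents are constructed. The RFC 4515 escaping is re-implemented so the block runs without the ldap module; with python-ldap you would call ldap.filter.escape_filter_chars() instead.

```python
# Added example: the login and group-lookup procedure from the posts above.
# Not code from python-ldap or the list.  FakeLDAPConnection, the sample
# directory and the function names are this example's own assumptions.

SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

# RFC 4515 escaping of assertion values.  python-ldap ships this as
# ldap.filter.escape_filter_chars(); re-implemented here to avoid the import.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# What the user typed only ever lands in an escaped equality assertion,
# never in a substring (wildcard) assertion.
USER_FILTER_TEMPLATE = "(|(uid=%(u)s)(sAMAccountName=%(u)s))"

def user_filter(username):
    return USER_FILTER_TEMPLATE % {"u": escape_filter_value(username)}

def group_filter(user_dn, uid):
    # One exact assertion per group type, on the attribute that type uses.
    dn, uid = escape_filter_value(user_dn), escape_filter_value(uid)
    return ("(|(&(objectClass=groupOfNames)(member=%s))"
            "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))"
            "(&(objectClass=posixGroup)(memberUid=%s)))" % (dn, dn, uid))

class LoginError(Exception):
    pass

def find_user(conn, base_dn, username):
    # sizelimit=2 is enough to notice an ambiguous name.  A real
    # ldap.LDAPObject raises ldap.SIZELIMIT_EXCEEDED when more than two
    # entries match; treat that exactly like len(entries) != 1.
    hits = conn.search_ext_s(base_dn, SCOPE_SUBTREE, user_filter(username),
                             attrlist=["uid"], sizelimit=2)
    entries = [(dn, attrs) for dn, attrs in hits if dn is not None]  # dn None = referral
    if len(entries) != 1:
        raise LoginError("expected one entry for %r, got %d" % (username, len(entries)))
    return entries[0]

def login(conn, base_dn, username, password):
    # An empty password makes a simple bind anonymous, and most servers
    # accept that, so refuse it before the server is asked at all.
    if not password:
        raise LoginError("empty password rejected")
    dn, attrs = find_user(conn, base_dn, username)
    conn.simple_bind_s(dn, password)  # raises on bad credentials
    return dn, attrs

def groups_of(conn, base_dn, user_dn, uid):
    # Request cn only: never pull the member attribute of possibly huge groups.
    hits = conn.search_ext_s(base_dn, SCOPE_SUBTREE, group_filter(user_dn, uid), attrlist=["cn"])
    return sorted(attrs["cn"][0].decode("utf-8") for dn, attrs in hits if dn is not None)

class FakeLDAPConnection:
    """Stand-in for ldap.LDAPObject: canned results keyed by filter string."""

    def __init__(self, results, passwords):
        self._results, self._passwords = results, passwords  # filter -> hits, dn -> password
        self.bound_as, self.requested_attrs = None, []

    def search_ext_s(self, base, scope, filterstr, attrlist=None, sizelimit=0):
        self.requested_attrs.append(list(attrlist or []))
        hits = self._results.get(filterstr, [])
        return hits[:sizelimit] if sizelimit else list(hits)

    def simple_bind_s(self, who, cred):
        if self._passwords.get(who) != cred:
            raise LoginError("invalid credentials for %s" % who)
        self.bound_as = who

USERA_DN = "uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org"
JDOE_DN = "cn=Doe\\, John,ou=Users,ou=testing,dc=example,dc=org"  # escaped comma in the RDN

def demo_connection():
    # Constructed sample directory; python-ldap 3.x returns attribute values as bytes.
    results = {
        user_filter("usera"): [(USERA_DN, {"uid": [b"usera"]})],
        user_filter("jdoe"): [(JDOE_DN, {"uid": [b"jdoe"]})],
        user_filter("dup"): [("uid=dup,ou=A,dc=example,dc=org", {}), ("uid=dup,ou=B,dc=example,dc=org", {})],
        group_filter(USERA_DN, "usera"): [
            ("cn=Group A,ou=Groups,ou=testing,dc=example,dc=org", {"cn": [b"Group A"]}),
            (None, ["ldap://other.example.org/dc=example,dc=org"]),  # a referral
            ("cn=wheel,ou=Groups,ou=testing,dc=example,dc=org", {"cn": [b"wheel"]}),
        ],
        group_filter(JDOE_DN, "jdoe"): [("cn=Group B,ou=Groups,ou=testing,dc=example,dc=org", {"cn": [b"Group B"]})],
    }
    return FakeLDAPConnection(results, {USERA_DN: "secret-a", JDOE_DN: "secret-j"})

if __name__ == "__main__":
    conn = demo_connection()
    dn, _ = login(conn, "dc=example,dc=org", "usera", "secret-a")
    print(dn, groups_of(conn, "dc=example,dc=org", dn, "usera"))
```

Two details worth noticing: a DN that itself contains an escaped comma (cn=Doe\, John) has to have that backslash escaped again as \5c once it is used as a filter value, which is exactly what the web2ldap filter above does with the \C3\B6 bytes; and referrals come back from python-ldap as (None, [urls]) tuples in the result list, so both the entry count and the group list skip results whose DN is None.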
From: Michael S. <mi...@st...> - 2008-06-18 08:19:58

Melita,

I'd kindly ask you to come over to the python-ldap-dev mailing list (See To:, Bcc: to you to protect your e-mail address) to further discuss things like this because others are surely interested in this too.

http://lists.sourceforge.net/lists/listinfo/python-ldap-dev

Melita Mihaljevic wrote:
>
> I'm developing extending MoinMoin groups to LDAP, and I need to read all
> groups from LDAP dir and map them with users that are members of a certain
> group.

Hmm, you probably should not read all groups since group entries can be very large. One of my customers has entries 'groupOfNames' containing over 100.000 DNs in the attribute 'member'! Rather after the user's login you should determine the groups the user is a direct member of.

> I looked at your web2ldap application and thought maybe you have
> some ideas.

Did you have a look at the filters sent by web2ldap? The [groupadm] feature sends two search requests (not requesting the member attribute!):
- search (different types of) groups the user is a member of
- search all groups

> I tried to search with ou=Groups but this is only one case. Do you know/
> have an idea how to do it generally.

Hmm, I'm not sure I fully understand what you're after.

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-18 07:24:10

Hi,

I'm wondering which is the generic way to search for groups in LDAP.
I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, '(ou=Group)')
Is there a better way?

Also I need to get the groups that a certain user is a member of. Any ideas how to read it?

Thank you very much for all ideas

--
Melita MIhaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic