From: Michael S. <mi...@st...> - 2009-10-06 12:19:00
Avinash Sultanpur wrote:
>
> What is the equivalent of running the below command in python-ldap?
>
> ldappasswd -x -D <root_dn> -w <root_pw> -s secret_password \
> uid=user000,ou=People,dc=example,dc=com

ldap_conn = ldap.initialize(...)
ldap_conn.simple_bind_s('<rootdn>','<rootpw>')
ldap_conn.passwd_s('uid=user000,ou=People,dc=example,dc=com',None,'<newpassword>')

Ciao, Michael.

From: Avinash S. <av...@su...> - 2009-10-06 11:51:56
Hi,

What is the equivalent of running the below command in python-ldap?

ldappasswd -x -D <root_dn> -w <root_pw> -s secret_password \
    uid=user000,ou=People,dc=example,dc=com

Thus far I had been manipulating the userPassword attribute with the encrypted password. Now I would like to send the plain password to the server so that it can do the encryption according to the password-hash configuration in slapd.conf.

-thanks
Avinash

From: Guruprasad <lgp...@gm...> - 2009-09-20 14:10:13
Hi,

I have been trying to write a function to search an LDAP directory by using the python-ldap APIs. Here is the code I have written:

<snip>
def getNextUid():
    uidList=[]
    try:
        l=ldap.initialize(ldap_host)
        l.bind_s(ldap_admin_dn,ldap_admin_pass)
        ldap_result=l.search(ldap_base_dn,ldap.SCOPE_SUBTREE,'cn=*',['uidNumber'])
        while 1:
            result_type, result_data=l.result(ldap_result,0)
            if (result_data == []):
                break
            a=result_data[0][1]['uidNumber']
            print a
    except ldap.SERVER_DOWN:
        print "LDAP server down"
</snip>

What I am trying to do in this piece of code is get the list of the values of 'uidNumber' attribute. The search operation returns a list containing a tuple. The tuple contains the DN as one value and a dictionary with uidNumber and its value. I am trying to extract the value of the uidNumber. I found that result_data was a dictionary having a key 'uidNumber', but when I try to print its value, I get a KeyError. Strangely, when I print result_data.keys(), 'uidNumber' is present.

Thank you.

Regards,
Guruprasad.

From: Fredrik M. <mel...@df...> - 2009-09-14 15:59:10
Hey Michael,
thanks for remembering! I will it out!

Best,
Fredrik

Michael Ströder wrote:
> Fredrik,
>
> I've learned the hard way now that settings in .ldaprc and ldap.conf have
> precedence over what you set in your Python code via ldap.set_option() or
> LDAPObject.set_option(). Best thing is to use this code-line to completely
> switch off processing of .ldaprc and ldap.conf in libldap:
>
> os.environ['LDAPNOINIT']='1'
>
> Ciao, Michael.
>
> Fredrik Melander wrote:
>>> Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
>>> validation is completely done within the OpenSSL libs, except the host name
>>> checking.
>>>
>>> Could you please test with OpenLDAP's command-line tool ldapsearch. This is
>>> important: Please use the tool which uses the very same libldap also used for
>>> python-ldap.
>>>
>>> If ldapsearch fails this would be something to raise on the openldap-software
>>> mailing list together with information about your build of libldap and the
>>> SSL/TLS libs used. Note that libldap could be built with GnuTLS or today even
>>> with Mozilla's libnss.
>>>
>>> Ciao, Michael.
>>>
>>
>>
>> Hi, Michael.
>> Thanks for your reply. I've been looking into this, trying stuff on
>> different machines and once again it's the frustrating issue of
>> different OpenLDAP versions.
>> You might not remember this but I posted a question to this list a
>> couple of months ago about the chase referrals flag which also turned
>> out to be treated differently depending on OpenLDAP version.
>>
>> One of my machines here has (let's call it A) the RPM
>> openldap2-client-2.3.37-20.8 installed. While as another one (B) has
>> openldap2-client-2.4.9-7.4 (libldap-2.3.so.0 and libldap-2.4.so.2
>> respectively).
>>
>> Of course you're right that python-ldap has nothing to do with this,
>> since ldapsearch gives the same results:
>>
>> Computer A:
>> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>>
>> ldap_start_tls: Connect error (-11)
>> additional info: error:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>
>>
>> Computer B:
>> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <o=myorg,dc=net> with scope subtree
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>>
>> I'm posting this in case somebody runs into similar issues and also in
>> the hope that somebody has a suggestion on how to solve this. I might
>> also need to point out that it isn't about these two computers only.
>> That would be trivial. The application is going to be distributed in a
>> fairly big organization and I can't possibly demand that everybody has
>> the same OpenLDAP version.
>>
>> The most frustrating thing is perhaps that it is the old version that
>> has the desired behaviour. I know this is a bit off topic, but surely
>> there must be a way to check this also in later versions? It'd be much
>> appreciated if anybody could point me in the right direction here.
>>
>> Best regards,
>> Fredrik

From: Michael S. <mi...@st...> - 2009-09-14 13:08:23
Fredrik,

I've learned the hard way now that settings in .ldaprc and ldap.conf have precedence over what you set in your Python code via ldap.set_option() or LDAPObject.set_option(). Best thing is to use this code-line to completely switch off processing of .ldaprc and ldap.conf in libldap:

os.environ['LDAPNOINIT']='1'

Ciao, Michael.

Fredrik Melander wrote:
>> Hmm, there's nothing you can do at the python-ldap level. AFAIK cert
>> validation is completely done within the OpenSSL libs, except the host name
>> checking.
>>
>> Could you please test with OpenLDAP's command-line tool ldapsearch. This is
>> important: Please use the tool which uses the very same libldap also used for
>> python-ldap.
>>
>> If ldapsearch fails this would be something to raise on the openldap-software
>> mailing list together with information about your build of libldap and the
>> SSL/TLS libs used. Note that libldap could be built with GnuTLS or today even
>> with Mozilla's libnss.
>>
>> Ciao, Michael.
>>
>
>
> Hi, Michael.
> Thanks for your reply. I've been looking into this, trying stuff on
> different machines and once again it's the frustrating issue of
> different OpenLDAP versions.
> You might not remember this but I posted a question to this list a
> couple of months ago about the chase referrals flag which also turned
> out to be treated differently depending on OpenLDAP version.
>
> One of my machines here has (let's call it A) the RPM
> openldap2-client-2.3.37-20.8 installed. While as another one (B) has
> openldap2-client-2.4.9-7.4 (libldap-2.3.so.0 and libldap-2.4.so.2
> respectively).
>
> Of course you're right that python-ldap has nothing to do with this,
> since ldapsearch gives the same results:
>
> Computer A:
> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>
> ldap_start_tls: Connect error (-11)
> additional info: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
>
> Computer B:
> ldapsearch -x -h "host.domain.de" -b "o=myorg,dc=net" -ZZ
>
> # extended LDIF
> #
> # LDAPv3
> # base <o=myorg,dc=net> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
>
> I'm posting this in case somebody runs into similar issues and also in
> the hope that somebody has a suggestion on how to solve this. I might
> also need to point out that it isn't about these two computers only.
> That would be trivial. The application is going to be distributed in a
> fairly big organization and I can't possibly demand that everybody has
> the same OpenLDAP version.
>
> The most frustrating thing is perhaps that it is the old version that
> has the desired behaviour. I know this is a bit off topic, but surely
> there must be a way to check this also in later versions? It'd be much
> appreciated if anybody could point me in the right direction here.
>
> Best regards,
> Fredrik

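Added example, not part of the thread and not python-ldap code: because .ldaprc and ldap.conf take precedence over options set in Python, as the message above says, this small auditor parses the text of such a file and reports the TLS_* settings libldap would pick up, grading TLS_REQCERT by the levels documented in ldap.conf(5). The function names, the sample file contents and the default system path are assumptions made for the illustration.

```python
"""Report TLS settings that libldap would take from ldaprc / ldap.conf text."""
import posixpath

# TLS_REQCERT levels as described in ldap.conf(5).
REQCERT_LEVELS = {
    "never": "WEAK: certificate not requested or checked",
    "allow": "WEAK: bad certificate is ignored",
    "try": "PARTIAL: bad certificate rejected, missing certificate accepted",
    "demand": "ok: valid certificate required",
    "hard": "ok: valid certificate required",
}

# Constructed sample of a per-user ~/.ldaprc (not taken from the thread).
SAMPLE_LDAPRC = """\
# local overrides
URI ldap://host.domain.de
tls_reqcert   allow
TLS_CACERT /etc/ssl/certs/ca.pem
"""


def parse_ldaprc(text):
    """Return {OPTION: value}; option names are case-insensitive.

    Assumption: when an option is repeated, the later line is the one kept.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        options[parts[0].upper()] = value
    return options


def audit_tls(text, source="ldaprc"):
    """Return (source, option, value, verdict) for every TLS_* option in text."""
    findings = []
    for name, value in sorted(parse_ldaprc(text).items()):
        if not name.startswith("TLS_"):
            continue
        if name == "TLS_REQCERT":
            verdict = REQCERT_LEVELS.get(value.lower(), "UNKNOWN level")
        else:
            verdict = "info: set outside the application"
        findings.append((source, name, value, verdict))
    return findings


def candidate_files(environ, home, system_conf="/etc/openldap/ldap.conf"):
    """Files libldap consults per ldap.conf(5); none when LDAPNOINIT is defined.

    system_conf is an assumed default; the real path depends on the build.
    """
    if "LDAPNOINIT" in environ:
        return []
    paths = [
        system_conf,
        posixpath.join(home, "ldaprc"),
        posixpath.join(home, ".ldaprc"),
        "ldaprc",  # current working directory
    ]
    if environ.get("LDAPCONF"):
        paths.append(environ["LDAPCONF"])
    rc = environ.get("LDAPRC")
    if rc:
        paths += [posixpath.join(home, rc), posixpath.join(home, "." + rc), rc]
    return paths


if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_LDAPRC, "~/.ldaprc"):
        print("%s: %s %s -> %s" % finding)
```

With LDAPNOINIT defined, as suggested in the message above, candidate_files() returns an empty list because none of these files is read.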
From: David L. <d...@ad...> - 2009-09-13 00:07:53
Yes, I think so. I outlined a plan somewhere..
The big compatibility problem is that where you once used Python2.x's strings ("str") to pass binary data, you would now have to use Python3's "bytes".
And, other places where you would pass strings (like for attribute names) you might now have to pass unicode strings and python-ldap would convert these to UTF-8 under the covers.
The other minor compatibility issue was that there is no 'int' in Python3, only longs now, but that turns out to be hardly noticeable.

But going back to the bytes/string/unicode problem, I'd like to know if anyone has 2to3 migration/porting experience and if they might share some advice/wisdom.

d

Bruno Aguirre wrote:
> My ability to code a Python module is limited. But I'm glad to give a hand.
>
> Looking in the list I saw that someone said that the actual Python-ldap can be built for Python 3 modifying some lines. Is this possible? Are there alternatives?
>
> 2009/9/9 Michael Ströder <mi...@st...>
>> Bruno Aguirre wrote:
>> >
>> > Hi to all, I'd like to know if there's a version (alpha, beta or stable)
>> > to use ldap in python 3.
>>
>> There are still some things to consider. Please dig the mailing list's archive
>> for some discussion.
>>
>> Would you personally be willing to put some effort into the C extension module
>> part?
>>
>> Ciao, Michael.

From: Bruno A. <yo...@br...> - 2009-09-10 12:41:41
My ability to code a Python module is limited. But I'm glad to give a hand.

Looking in the list I saw that someone said that the actual Python-ldap can be built for Python 3 modifying some lines. Is this possible? Are there alternatives?

2009/9/9 Michael Ströder <mi...@st...>
> Bruno Aguirre wrote:
> >
> > Hi to all, I'd like to know if there's a version (alpha, beta or stable)
> > to use ldap in python 3.
>
> There are still some things to consider. Please dig the mailing list's archive
> for some discussion.
>
> Would you personally be willing to put some effort into the C extension module
> part?
>
> Ciao, Michael.

From: Michael S. <mi...@st...> - 2009-09-09 14:53:29
Bruno Aguirre wrote:
>
> Hi to all, I'd like to know if there's a version (alpha, beta or stable)
> to use ldap in python 3.

There are still some things to consider. Please dig the mailing list's archive for some discussion.

Would you personally be willing to put some effort into the C extension module part?

Ciao, Michael.

From: Bruno A. <yo...@br...> - 2009-09-09 14:37:08
Hi to all, I'd like to know if there's a version (alpha, beta or stable) to use ldap in python 3.

Thanks for your time.

From: Michael S. <mi...@st...> - 2009-09-09 14:11:26
Zhang Huangbin wrote:
> NO_SUCH_ATTRIBUTE: {'info': 'modify/delete: enabledService: no such
> value', 'desc': 'No such attribute'}

This means the attribute 'enabledService' is not available in the entry at all. So you can't remove a certain attribute value from it.

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-09-09 14:09:42
On Sep 9, 2009, at 9:32 PM, Michael Ströder wrote:
> Zhang Huangbin wrote:
>> NO_SUCH_ATTRIBUTE: {'info': 'modify/delete: enabledService: no such
>> value', 'desc': 'No such attribute'}
>
> This means the attribute 'enabledService' is not available in the
> entry at all. So you can't remove a certain attribute value from it.
>
> Ciao, Michael.

Attribute is present, but does not contain value 'forward'.

As I posted in previous mail, the ldif data before we invoke .modify_s () is:

----
dn: xxx
enabledService: mail
enabledService: smtp
enabledService: pop3
enabledService: imap
enabledService: deliver
----

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: Zhang H. <zhb...@gm...> - 2009-09-09 14:00:47
On Sep 9, 2009, at 9:48 PM, Michael Ströder wrote:
> BTW: That's why
> ldap.modlist.modifyModlist() was implemented.

Any example?

There is no example in official python-ldap document:
http://www.python-ldap.org/doc/html/ldap-modlist.html?highlight=modifymodlist#ldap.modlist.modifyModlist

Thanks very much. :)

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: Michael S. <mi...@st...> - 2009-09-09 13:58:52
Zhang Huangbin wrote:
>
> On Sep 9, 2009, at 9:48 PM, Michael Ströder wrote:
>
>> BTW: That's why
>> ldap.modlist.modifyModlist() was implemented.
>
> Any example?
>
> There is no example in official python-ldap document:
> http://www.python-ldap.org/doc/html/ldap-modlist.html?highlight=modifymodlist#ldap.modlist.modifyModlist

>>> import ldap.modlist
>>> ldap.modlist.modifyModlist({'cn':'Mike'},{'cn':'Michael Stroeder','mail':'mi...@st...'})
[(0, 'mail', 'mi...@st...'), (1, 'cn', None), (0, 'cn', 'Michael Stroeder')]

So basically you read the old_entry dict with a search operation, derive a new_entry dict from it, tweak that and pass old_entry and new_entry to this function.

Ciao, Michael.

From: Michael S. <mi...@st...> - 2009-09-09 13:57:39
Zhang Huangbin wrote:
>
> On Sep 9, 2009, at 9:32 PM, Michael Ströder wrote:
>
>> Zhang Huangbin wrote:
>>> NO_SUCH_ATTRIBUTE: {'info': 'modify/delete: enabledService: no such
>>> value', 'desc': 'No such attribute'}
>>
>> This means the attribute 'enabledService' is not available in the
>> entry at all. So you can't remove a certain attribute value from it.
>>
> Attribute is present, but not contains value 'forward'.

Then it will simply fail. If you have to handle such optional cases you probably have to sort that out at the client side in some way. I'd read the whole attribute value list, tweak it and replace it. BTW: That's why ldap.modlist.modifyModlist() was implemented.

Ciao, Michael.

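Added example, not part of the thread and not python-ldap code: a sketch of the "read the whole attribute value list, tweak it and replace it" approach from the message above, applied to the cn2-to-cn4 case and to several attributes in one request. A value that is already absent or already present produces no operation at all, so the delete and add errors discussed in this thread are not provoked by it. The helper names are hypothetical, the codes 0/1/2 are the values of ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE, values are bytes as python-ldap on Python 3 expects, and the optional key function only approximates the server's EQUALITY matching rule.

```python
"""Build a modify_s() modlist from values already read from the entry."""

# Numeric values of ldap.MOD_ADD / ldap.MOD_DELETE / ldap.MOD_REPLACE,
# spelled out so the sketch runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed sample data modelled on the LDIF shown in the thread.
SAMPLE_ENTRY = {
    "cn": [b"cn1", b"cn2", b"cn3"],
    "enabledService": [b"mail", b"smtp", b"pop3", b"imap", b"deliver"],
}
SAMPLE_CHANGES = {
    "cn": {"remove": [b"cn2"], "add": [b"cn4"]},
    "enabledService": {"remove": [b"forward"]},  # value is not in the entry
}


def _identity(value):
    return value


def swap_values(current, remove=(), add=(), key=_identity):
    """Drop `remove`, append `add`, keep order, never create a duplicate.

    `key` normalises values before comparing them, e.g. bytes.lower for an
    attribute whose matching rule ignores case (an approximation only).
    """
    drop = {key(v) for v in remove}
    result = [v for v in current if key(v) not in drop]
    seen = {key(v) for v in result}
    for value in add:
        if key(value) not in seen:
            result.append(value)
            seen.add(key(value))
    return result


def build_modlist(old_entry, changes, keys=None):
    """Return a modlist for the attributes in `changes`.

    old_entry: {attr: [values]} as returned by a search on the entry.
    changes:   {attr: {"remove": [...], "add": [...]}}.
    keys:      optional {attr: key function} passed on to swap_values().
    """
    keys = keys or {}
    modlist = []
    for attr in sorted(changes):
        old = list(old_entry.get(attr, []))
        wanted = changes[attr]
        new = swap_values(old, wanted.get("remove", ()), wanted.get("add", ()),
                          keys.get(attr, _identity))
        if new == old:
            continue  # nothing changes: send no operation for this attribute
        if not new:
            modlist.append((MOD_DELETE, attr, None))  # last value removed
        elif not old:
            modlist.append((MOD_ADD, attr, new))      # attribute was absent
        else:
            modlist.append((MOD_REPLACE, attr, new))
    return modlist


if __name__ == "__main__":
    # Prints [(2, 'cn', [b'cn1', b'cn3', b'cn4'])]; pass the list to modify_s().
    print(build_modlist(SAMPLE_ENTRY, SAMPLE_CHANGES))
```

MOD_REPLACE overwrites whatever the attribute holds on the server at that moment, so a value written by another client between the search and the modify is lost.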
From: Zhang H. <zhb...@gm...> - 2009-09-09 12:08:43
On Sep 9, 2009, at 6:02 PM, Michael Ströder wrote:
> Zhang Huangbin wrote:
>> On Sep 9, 2009, at 4:54 PM, Michael Ströder wrote:
>>>> If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise an
>>>> error.
>>> Could you please post the error raised and mention with which server
>>> you're testing?
>>>
>>> I'd try [(ldap.MOD_DELETE, 'cn',['cn2'])]
>>
>> The same error if cn=cn2 not exist: ldap.NO_SUCH_ATTRIBUTE.
>
> And how about the diagnostic message? I'd test the code with
> trace_level=2.

bind dn: cn=vmailadmin,dc=iredmail,dc=org
operation: [(ldap.MOD_DELETE, 'enabledService', 'forward')]

ldif:
----
dn: mail=test22@a.cn,ou=Users,domainName=a.cn,o=domains,dc=iredmail,dc=org
enabledService: smtp
enabledService: imap
enabledService: pop3
enabledService: deliver
----

Below is console log with 'trace_level=2':

------------
*** ldap://127.0.0.1:389 - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://127.0.0.1:389 - SimpleLDAPObject.set_option ((17, 3),{})
*** ldap://127.0.0.1:389 - SimpleLDAPObject.simple_bind (('cn=vmailadmin,dc=iredmail,dc=org', 'passwd', None, None),{})
=> result: 1
*** ldap://127.0.0.1:389 - SimpleLDAPObject.result3 ((1, 1, -1),{})
=> result: (97, [], 1, [])
*** ldap://127.0.0.1:389 - SimpleLDAPObject.modify_ext (('mail=test22@a.cn ,ou=Users,domainName=a.cn,o=domains,dc=iredmail,dc=org', [(1, 'enabledService', 'forward')], None, None),{})
=> result: 3
*** ldap://127.0.0.1:389 - SimpleLDAPObject.result3 ((3, 1, -1),{})
=> LDAPError - NO_SUCH_ATTRIBUTE: {'info': 'modify/delete: enabledService: no such value', 'desc': 'No such attribute'}
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/web.py-0.32-py2.4.egg/web/application.py", line 242, in process
    return self.handle()
  File "/usr/lib/python2.4/site-packages/web.py-0.32-py2.4.egg/web/application.py", line 233, in handle
    return self._delegate(fn, self.fvars, args)
  File "/usr/lib/python2.4/site-packages/web.py-0.32-py2.4.egg/web/application.py", line 412, in _delegate
    return handle_class(cls)
  File "/usr/lib/python2.4/site-packages/web.py-0.32-py2.4.egg/web/application.py", line 387, in handle_class
    return tocall(*args)
  File "/var/www/iredadmin/controllers/ldap/base.py", line 23, in proxyfunc
    return func(self, *args, **kw)
  File "/var/www/iredadmin/controllers/ldap/user.py", line 106, in POST
    data=i,
  File "/var/www/iredadmin/libs/ldaplib/core.py", line 149, in proxyfunc
    return func(self, *args, **kw)
  File "/var/www/iredadmin/libs/ldaplib/user.py", line 165, in update
    self.conn.modify_s(self.dn, [(ldap.MOD_DELETE, 'enabledService', 'forward')])
  File "/usr/lib/python2.4/site-packages/python_ldap-2.3.9-py2.4-linux-x86_64.egg/ldap/ldapobject.py", line 328, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.4/site-packages/python_ldap-2.3.9-py2.4-linux-x86_64.egg/ldap/ldapobject.py", line 428, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/python_ldap-2.3.9-py2.4-linux-x86_64.egg/ldap/ldapobject.py", line 432, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3 (msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/python_ldap-2.3.9-py2.4-linux-x86_64.egg/ldap/ldapobject.py", line 438, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.4/site-packages/python_ldap-2.3.9-py2.4-linux-x86_64.egg/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
NO_SUCH_ATTRIBUTE: {'info': 'modify/delete: enabledService: no such value', 'desc': 'No such attribute'}

*** ldap://127.0.0.1:389 - SimpleLDAPObject.unbind_ext ((None, None),{})
192.168.6.1:49306 - - [28/Jun/2009 14:42:21] "HTTP/1.1 POST /profile/user/forwarding/test22@a.cn " - 500 Internal Server Error
----------

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: Michael S. <mi...@st...> - 2009-09-09 10:02:51
Zhang Huangbin wrote:
> On Sep 9, 2009, at 4:54 PM, Michael Ströder wrote:
>>> If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise an
>>> error.
>> Could you please post the error raised and mention with which server
>> you're testing?
>>
>> I'd try [(ldap.MOD_DELETE, 'cn',['cn2'])]
>
> The same error if cn=cn2 not exist: ldap.NO_SUCH_ATTRIBUTE.

And how about the diagnostic message? I'd test the code with trace_level=2.

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-09-09 09:22:28
Thanks for your reply, Michael. :)

On Sep 9, 2009, at 4:54 PM, Michael Ströder wrote:
>> If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise an
>> error.
>
> Could you please post the error raised and mention with which server
> you're testing?
>
> I'd try [(ldap.MOD_DELETE, 'cn',['cn2'])]

The same error if cn=cn2 not exist: ldap.NO_SUCH_ATTRIBUTE.

>
>> If cn=cn2 is not exist, [(ldap.MOD_ADD, 'cn', 'cn4')] will add cn=cn4,
>> but can't delete 'cn=cn2'.
>
> Try this: [(ldap.MOD_ADD, 'cn',['cn4'])]

It can't delete cn=cn2. And same error raised while cn=cn4 exists: ldap.TYPE_OR_VALUE_EXISTS.

I created a function to perform similar request moment ago, but still looking for a better way:

-------
class LDAPWrap:
    def __init__(self):
        ... skip some lines ...
        self.conn = ldap.initialize(xxx)
        ... skip some lines ...

    def addOrDelAttrValue(self, dn, attr, value, type):
        """Used to add or replace value of attribute which can handle multiple values.

        @type: add, delete.
        """
        self.dn = ldap.filter.escape_filter_chars(dn)
        if type == 'add':
            try:
                self.conn.modify_s(self.dn, [(ldap.MOD_ADD, attr, value)])
                return (True, 'SUCCESS')
            except ldap.TYPE_OR_VALUE_EXISTS:
                return (True, 'SUCCESS')
            except Exception, e:
                return (False, str(e))
        elif type == 'delete':
            try:
                self.conn.modify_s(self.dn, [(ldap.MOD_DELETE, attr, value)])
                return (True, 'SUCCESS')
            except ldap.NO_SUCH_ATTRIBUTE:
                return (True, 'SUCCESS')
            except Exception, e:
                return (False, str(e))
-----

Thanks very much :)

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: Michael S. <mi...@st...> - 2009-09-09 08:55:02
Zhang Huangbin wrote:
> What's the best way to 'replace' value of attribute which can handle
> multiple values?
>
> Such as:
>
> dn: uid=myuid,dc=example,dc=com
> cn: cn1
> cn: cn2
> cn: cn3
>
> My purpose is to get ldif like this (no cn=cn2 any more):
>
> dn: uid=myuid,dc=example,dc=com
> cn: cn1
> cn: cn3
> cn: cn4
>
> I want to replace cn=cn2 by cn=cn4 if it exist, or add cn=cn4 directly
> if 'cn=cn2' doesn't exist.
>
> If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise an
> error.

Could you please post the error raised and mention with which server you're testing?

I'd try [(ldap.MOD_DELETE, 'cn',['cn2'])]

> If cn=cn2 is not exist, [(ldap.MOD_ADD, 'cn', 'cn4')] will add cn=cn4,
> but can't delete 'cn=cn2'.

Try this: [(ldap.MOD_ADD, 'cn',['cn4'])]

In general for this to work the server has to have an EQUALITY matching rule defined for the attribute type in question and implement this matching rule. This should be the case for 'cn' alias 'commonName' but one never knows for sure.

In web2ldap I have implemented a variant of the function ldap.modlist.modifyModlist() which looks at the schema to determine use of EQUALITY matching rule and generate the diff accordingly.

Ciao, Michael.

From: Zhang H. <zhb...@gm...> - 2009-09-09 06:03:20
On Sep 9, 2009, at 1:32 PM, Zhang Huangbin wrote:
>
> I want to replace cn=cn2 by cn=cn4 if it exist, or add cn=cn4
> directly if 'cn=cn2' doesn't exist.
>
> If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise
> an error.
> If cn=cn2 is not exist, [(ldap.MOD_ADD, 'cn', 'cn4')] will add
> cn=cn4, but can't delete 'cn=cn2'.

Oops, forget to mention that I will modify more attributes every time, not only 'cn'. Such as:

----
mod_attrs = [
    (ldap.MOD_XXX, attr1, value1),
    (ldap.MOD_XXX, attr2, [value2]),
    ...
]
self.conn.modify_s(dn, mod_attrs)
----

Is there a better way to modify it except using several 'try:...except:...' block?

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: Zhang H. <zhb...@gm...> - 2009-09-09 05:33:11
Hi, all.

What's the best way to 'replace' value of attribute which can handle multiple values?

Such as:

dn: uid=myuid,dc=example,dc=com
cn: cn1
cn: cn2
cn: cn3

My purpose is to get ldif like this (no cn=cn2 any more):

dn: uid=myuid,dc=example,dc=com
cn: cn1
cn: cn3
cn: cn4

I want to replace cn=cn2 by cn=cn4 if it exist, or add cn=cn4 directly if 'cn=cn2' doesn't exist.

If cn=cn2 is not exist, [(ldap.MOD_DELETE, 'cn', 'cn2')] will raise an error.
If cn=cn2 is not exist, [(ldap.MOD_ADD, 'cn', 'cn4')] will add cn=cn4, but can't delete 'cn=cn2'.

Thanks very much. :)

--
Best Regards.
Zhang Huangbin
- Open Source Mail Server Solution for Red Hat(R) Enterprise Linux, CentOS, Debian, Ubuntu: http://www.iredmail.org/

From: James A. <ja...@da...> - 2009-09-09 04:51:13
Michael Ströder wrote:
> Łukasz Mierzwa wrote:
>> I'm writing LDAP library (ORM without R as I call it) for python, it's using
>> python-ldap to do the hard work and let You manage LDAP entries in more ORM
>> style.
>
> 1. You're not the first one implementing such a module on top of python-ldap.
> You might want to dig the mailing list's archive to find others.

Yes, I started one, then someone developed it further at https://launchpad.net/python-ldap-om

> 2. Most implementations of higher-level APIs fall short with mapping attribute
> type descriptors (OIDs or NAME) to Python class attribute names since they
> ignore the fact that there are sub-types defined in LDAP (;binary and language
> sub-types such as ;de-DE). Also there does not have to be a NAME in an
> attribute type description. So raw OIDs might be returned in a LDAP search result.
>
> 3. No implementation is dealing correctly with attribute type descriptor
> aliasing with OIDs and several values for NAME. You might want to look at
> ldap.schema.models.Entry to get an idea.

I'm aware of these and chose to ignore them - my library wasn't meant to be general purpose, it was for scenarios where you have control of the LDAP server and can make these things can't happen. In fact my ultimate idea was to upload user-defined model schema to the LDAP server via cn=config.

--
James Andrewartha

From: Michael S. <mi...@st...> - 2009-09-08 09:25:08
Łukasz,

Łukasz Mierzwa wrote:
>
> I'm writing LDAP library (ORM without R as I call it) for python, it's using
> python-ldap to do the hard work and let You manage LDAP entries in more ORM
> style.

I don't have the spare time to look more closely at it not to speak of really contributing to it. So just a few general hints:

1. You're not the first one implementing such a module on top of python-ldap. You might want to dig the mailing list's archive to find others.

2. Most implementations of higher-level APIs fall short with mapping attribute type descriptors (OIDs or NAME) to Python class attribute names since they ignore the fact that there are sub-types defined in LDAP (;binary and language sub-types such as ;de-DE). Also there does not have to be a NAME in an attribute type description. So raw OIDs might be returned in a LDAP search result.

3. No implementation is dealing correctly with attribute type descriptor aliasing with OIDs and several values for NAME. You might want to look at ldap.schema.models.Entry to get an idea.

Ciao, Michael.

From: Łukasz M. <l.m...@gm...> - 2009-09-07 20:20:32
Hi list,

I'm writing LDAP library (ORM without R as I call it) for python, it's using python-ldap to do the hard work and let You manage LDAP entries in more ORM style. It's still missing many things and there are probably plenty of bugs but it's mostly working. I'm not much of a programmer and this is really a way to learn python so I would love some tips about what I'm doing wrong before I get too far.

If anyone is interested You could find it at:

docs: http://pumpkin.prymitive.com
get source: git clone http://git.prymitive.com/pumpkin
redmine project: http://redmine.prymitive.com/projects/show/pumpkin

Łukasz Mierzwa

From: Yuan-Chung H. <yc...@gm...> - 2009-09-01 14:38:03
Hi

I use python-ldap(2.3.8) to modify AD's user password. When I run it, the password change done, it always show traceback message.

Traceback (most recent call last):
  File "ldapauth.py", line 141, in <module>
    modifyAD('userid','passwordblah')
  File "ldapauth.py", line 105, in modifyAD
    conn.modify_s(dn, attr)
  File "c:\lang\python\lib\site-packages\ldap\ldapobject.py", line 327, in modify_s
    msgid = self.modify(dn,modlist)
  File "c:\lang\python\lib\site-packages\ldap\ldapobject.py", line 324, in modify
    return self.modify_ext(dn,modlist,None,None)
  File "c:\lang\python\lib\site-packages\ldap\ldapobject.py", line 297, in modify_ext
    return self._ldap_call(self._l.modify_ext,dn,modlist,EncodeControlTuples(serverctrls),EncodeControlTuples(clientctrls))
  File "c:\lang\python\lib\site-packages\ldap\ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
TypeError: argument 1 must be string, not None

snippets code:

def modifyAD(username, password):
    LDAP_SERVER = 'ldaps://myad:636'
    LDAP_ADMIN = 'admin@myad'
    LDAP_PASSWD = ''
    BASE_DN = ''
    searchScope = ldap.SCOPE_SUBTREE
    conn = ldap.initialize(LDAP_SERVER)
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, '-ad.pem')
    ldap.set_option(ldap.OPT_REFERRALS,0)
    conn.protocol_version = ldap.VERSION3
    conn.bind_s(LDAP_ADMIN, LDAP_PASSWD)
    searchFilter = 'cn='+username
    attrs = ['unicodePwd']
    ldap_result_id = conn.search_s(BASE_DN, searchScope, searchFilter, attrs)
    if (ldap_result_id == []):
        print 'user not found'
    else:
        newPassword = ('"%s"' % password).encode('utf-16-le')
        for dn,entry in ldap_result_id:
            attr = [( ldap.MOD_REPLACE, 'unicodePwd', newPassword)]
            try:
                conn.modify_s(dn, attr)
            except ldap.LDAPError, error:
                print 'error',error
    conn.unbind_s()

Does anybody know how to solve?

Best regards,
ychsiao

From: Torsten K. <pyt...@tk...> - 2009-08-24 09:37:54
Hi Michael,

> > http://svn.kmrc.de/download/distribution/contrib/doc/Minimal-Cyrus-SASL-Win32-HowTo.txt
>
> Many thanks for this! I don't know how persistent this link will be.
> So do you mind if I add this as-is to python-ldap's source
> distribution? In the long run we can add this in file
> Doc/installing.rst.

yes, please do so.

As for the .dll inclusion in .eggs: You are right, .eggs are indeed simply .zip files. But they are "enriched" by an internal directory and file structure that has to be recorded during build. There is an option (IMHO extra_data) to include .dlls and other "extras" in a subdirectory called DATA. I didn't use that option so far, since I'd still prefer a completely static solution.

Anyway, I'll try to build a combined solution (static libsasl2, plugin .dlls) now. If I succeed building a static libsasl2 that loads its plugins from the standard location, and also to include the plugin .dlls into the .egg somehow, we could take it from there. What do you think?

Best regards,
Torsten

--
Fon: +49-7071-700240 | Fax: +49-7071-700241 | http://www.tk-webart.de
Keep your boss's boss off your boss's back.