|
From: Hans A. <Han...@Ph...> - 2002-03-11 11:22:08
|
Hi all,

I'm new to this list, but as far as I can see from the archives (and from the source, of course), SASL binds are still on the TODO list for python-ldap.

A few days ago I started experimenting with this topic, and I succeeded in doing SASL binds from python. However, my sasl_bind_s() method for the ldap class is at the moment only a proof of concept and has many shortcomings (works only with the gssapi-method or methods which do not require user interaction, links to a "private" openldap lib (liblutil.a), does not implement interaction callbacks, to name only a few).

However, I am not really an experienced C programmer, and I think I would need some help with several topics (memory management, how to do callbacks to user-supplied python functions from C, and so on).

Thanks,
Hans

--
Han...@Ph...
|
From: <mi...@st...> - 2002-03-11 11:43:54
|
Hans Aschauer wrote:
>
> SASL binds are still on the TODO list for python-ldap.

Yes.

> A few days ago I started experimenting with this topic, and I succeeded
> in doing SASL binds from python. However, my sasl_bind_s() method for
> the ldap class is at the moment only a proof of concept and has many
> shortcomings (works only with the gssapi-method or methods which do not
> require user interaction,

GSS-API means Kerberos?

Which LDAP server are you using?

What's your motivation for doing SASL binds?

> links to a "private" openldap lib (liblutil.a),

For what reason?

Note that unlike python-ldap 1.x which wrapped LDAP C APIs of different vendors python-ldap 2.x is closely tied to OpenLDAP 2.x libs. Therefore it's no problem to use everything which is shipped with recent OpenLDAP 2.0.23+ nowadays.

> does not implement interaction callbacks, to name only a
> few).

Hmm, implementing callbacks is a messy thing anyway. If we can make most things without it I'd be glad to follow your approach.

> However, I am not really an experienced C programmer,

Welcome to the club...

> and I think I
> would need some help with several topics (memory management, how to do
> callbacks to user-supplied python functions from C, and so on).

Hmm, unfortunately experienced C programmers seem to be rare on this list...

Best bet is that you send your patches to the list and we'll see...

Ciao, Michael.
|
From: Hans A. <Han...@Ph...> - 2002-03-11 12:33:50
|
> Hans Aschauer wrote:
> > SASL binds are still on the TODO list for python-ldap.
>
> Yes.
>
> > A few days ago I started experimenting with this topic, and I
> > succeeded in doing SASL binds from python. However, my
> > sasl_bind_s() method for the ldap class is at the moment only a
> > proof of concept and has many shortcomings (works only with the
> > gssapi-method or methods which do not require user interaction,
>
> GSS-API means Kerberos?

Yes (in fact, not necessarily. Kerberos is, however, most widely used in gssapi things).

> Which LDAP server are you using?

OpenLDAP 2.? (the one shipped with SuSE 7.3), and the Heimdal Kerberos distribution (also SuSE 7.3).

> What's your motivation for doing SASL binds?

The fun of doing it. Seriously: AFAIK SASL is supposed to be _the_ authentication method for LDAPv3 binds. For example, it can provide you with single-sign-on, and the like.

> > links to a "private" openldap lib (liblutil.a),
>
> For what reason?

This is just because I was too lazy (I mean: I didn't have time) to implement my own callbacks, which are required by SASL. So I took a look at the source of openldap's ldapadd program, and did the same thing as this program does. As I said, it's only a proof of concept. Of course, this should change.

> Note that unlike python-ldap 1.x which wrapped LDAP C APIs of
> different vendors python-ldap 2.x is closely tied to OpenLDAP 2.x
> libs. Therefore it's no problem to use everything which is shipped
> with recent OpenLDAP 2.0.23+ nowadays.

The above-mentioned lib ships only with the source of openldap, since it is only used for and statically linked to the openldap tools. However, what this library provides is only useful for programs which are called from the command line (passwords are read from stdin, etc.). So something needs to be done which is more general...

> > does not implement interaction callbacks, to name only a
> > few).
>
> Hmm, implementing callbacks is a messy thing anyway. If we can make
> most things without it I'd be glad to follow your approach.

Agree. However, SASL is a very general approach to authentication/authorization, and the programmer can never know what information will be required by the auth-method used (the method might be chosen at run-time, for example). SASL thus sends some user-interaction requests (along with a plain English text which can be used for prompting the user) to callback functions, which gather the required information. This information can be something like a username and a password, but it could also be "Please insert your smartcard!"...

Of course, one could think of a cleaner way of doing this on a higher level (override a method in a class derived from ldapobject, for example?).

> > However, I am not really an experienced C programmer,
>
> Welcome to the club...
>
> > and I think I
> > would need some help with several topics (memory management, how to
> > do callbacks to user-supplied python functions from C, and so on).
>
> Hmm, unfortunately experienced C programmers seem to be rare on this
> list...

Probably because the concepts behind C and python are mutually exclusive :-)

> Best bet is that you send your patches to the list and we'll see...

Ok, I don't have them here at the moment, but I can send them today in the evening (CET).

Hans

--
Han...@Ph...
|
From: Hans A. <Han...@Ph...> - 2002-03-12 11:42:34
|
On Monday, 11 March 2002 12:43, Michael Ströder wrote:
> Best bet is that you send your patches to the list and we'll see...

Ok, I'm sending the modified files (not patches since I'm not sure if I still have the originals around). Still a mess, but I removed the dependency on liblutil.a (makes it simpler to compile, as you don't need the sources for openldap).

Works only with gssapi, as the required callbacks for other mechanisms are not really implemented: for other mechanisms, you see only printf's, and the program segfaults afterwards, because interact->result and so on is filled with rubbish. The mechanisms which one can try depend on the installation of sasl (have a look at /usr/lib/sasl/).

In order to compile it, you will need the sasl and sasl-devel packages. setup.cfg takes care of the libsasl linking.

Hans

--
Han...@Ph...
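Added example, not part of the thread or of the attached files: a sketch of the interaction step discussed above, in which every prompt in the list gets a defined `result` and `len`, so nothing is left holding rubbish. The struct and constants are stand-ins mirroring Cyrus SASL's `sasl.h` so the block builds without libsasl; `bind_defaults` and `fill_interactions` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

/* Stand-ins mirroring Cyrus SASL's <sasl/sasl.h>, so this builds without libsasl. */
#define SASL_CB_LIST_END 0
#define SASL_CB_USER     0x4001
#define SASL_CB_AUTHNAME 0x4002
#define SASL_CB_PASS     0x4004
typedef struct sasl_interact {
    unsigned long id;
    const char *challenge, *prompt, *defresult;
    const void *result;
    unsigned len;
} sasl_interact_t;

/* Hypothetical holder for answers gathered before the bind.
   The strings must stay valid until the bind call has returned. */
struct bind_defaults { const char *authcid, *authzid, *passwd; };

/* Answer every prompt up to SASL_CB_LIST_END. Returns 0 if all were
   answered, -1 if any was left empty so the caller can abort the bind. */
int fill_interactions(const struct bind_defaults *d, sasl_interact_t *in)
{
    int rc = 0;
    for (; in->id != SASL_CB_LIST_END; in++) {
        const char *ans = NULL;
        switch (in->id) {
        case SASL_CB_AUTHNAME: ans = d->authcid; break;
        case SASL_CB_USER:     ans = d->authzid; break;
        case SASL_CB_PASS:     ans = d->passwd;  break;
        default:               break;  /* prompt this code does not know */
        }
        if (ans == NULL) ans = in->defresult;    /* mechanism-supplied default */
        if (ans == NULL) { ans = ""; rc = -1; }  /* never leave result/len unset */
        in->result = ans;
        in->len = (unsigned)strlen(ans);
    }
    return rc;
}

int main(void)
{
    /* Constructed prompt list; result/len start out as garbage on purpose. */
    sasl_interact_t p[] = {
        { SASL_CB_AUTHNAME, NULL, "Authentication name", NULL, (const void *)0x1, 99 },
        { SASL_CB_PASS,     NULL, "Password",            NULL, (const void *)0x1, 99 },
        { SASL_CB_LIST_END, NULL, NULL,                  NULL, NULL,              0  },
    };
    struct bind_defaults d = { "hans", NULL, NULL };  /* no password supplied */
    return fill_interactions(&d, p) == -1 ? 0 : 1;
}
```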
|
From: Hans A. <Han...@Ph...> - 2002-03-12 11:43:17
Attachments:
sasl_changes.tgz
|
On Monday, 11 March 2002 12:43, Michael Ströder wrote:

Ooops, forgot the attachment...

--
Han...@Ph...