From: Melita M. <mel...@gm...> - 2008-06-18 07:24:10
Hi,

I'm wondering which is the generic way to search for groups in LDAP. I used:

    search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, '(ou=Group)')

Is there a better way?

Also I need to get the groups that a certain user is a member of. Any ideas how to read it?

Thank you very much for all ideas

--
Melita Mihaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic | http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
From: Michael S. <mi...@st...> - 2008-06-18 09:15:38
Melita Mihaljevic wrote:
> Hi,
> I'm wondering which is the generic way to search for groups in LDAP.
> I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, '(ou=Group)')

The filter (ou=Group) does not make sense to me. You're probably mixing this up with the search root.

1. Bear in mind that there are many different types of group entries out in the wild. LDAP entries are typed by object class. So your filter has to specifically search for group entries by object class.

2. Additionally, for determining whether a certain user is a member of a group, you have to compare a certain member attribute within the group entry with an attribute within the user's entry or the DN of the entry.

3. You should never ever (accidentally) request the member attribute within the group entry to be returned in the search results, since some groups can be big, leading to a large amount of data to be returned.

The user entry:

    dn: cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de
    uid: michael
    mail: mi...@st...

Example of a filter generated by web2ldap (normally everything in one line, broken up here for readability):

    (|
      (&(objectClass=organizationalRole)(roleOccupant=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
      (&(objectClass=rfc822MailGroup)(mail=mi...@st...))
      (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
      (&(objectClass=mailGroup)(mgrpRFC822MailMember=mi...@st...))
      (&(objectClass=posixGroup)(memberUid=michael))
      (&(objectClass=nisMailAlias)(rfc822MailMember=mi...@st...))
      (&(objectClass=groupOfNames)(member=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
    )

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-18 15:39:35
On Wed, Jun 18, 2008 at 11:15 AM, Michael Ströder <mi...@st...> wrote:
> Example of a filter generated by web2ldap (normally everything in one line,
> broken up here for readability):
>
>     (|
>       (&(objectClass=organizationalRole)(roleOccupant=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
>       (&(objectClass=rfc822MailGroup)(mail=mi...@st...))
>       (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
>       (&(objectClass=mailGroup)(mgrpRFC822MailMember=mi...@st...))
>       (&(objectClass=posixGroup)(memberUid=michael))
>       (&(objectClass=nisMailAlias)(rfc822MailMember=mi...@st...))
>       (&(objectClass=groupOfNames)(member=cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de))
>     )
>
> Ciao, Michael.

Thank you all for everything, but I have some more problems:

My current LDAP situation is:

    dn: cn=Group A,ou=Groups,ou=testing,dc=example,dc=org
    cn: Group A
    member: cn=dummy
    member: uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org
    objectClass: groupOfNames

    dn: cn=Group B,ou=Groups,ou=testing,dc=example,dc=org
    cn: Group B
    objectClass: groupOfUniqueNames
    uniqueMember: cn=dummy
    uniqueMember: uid=userb,ou=Unit B,ou=Users,ou=testing,dc=example,dc=org

And I tried to do a generic search for all groups usera is a member of. (I searched for all objectClass values that could be groupOfUniqueNames, groupOfNames or posixGroup at the moment.) My search filter is (it's all in one line):

    search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))(&(objectClass=groupOfNames)(member=uid=usera*))(&(objectClass=posixGroup)(memberUid=usera*)))'

and when I do a search:

    search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

I got an empty list. Could someone explain to me why that is so and how to fix it? I only want to search for uid.

Also the other thing I want to do is to search (objectClass=*)&(*member*=uid=usera*). Is that possible?

Thank you a lot.
Mel
From: Michael S. <mi...@st...> - 2008-06-18 15:53:00
Melita Mihaljevic wrote:
> My search filter is (it's all in one line):
>
>     search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>                       (&(objectClass=groupOfNames)(member=uid=usera*))
>                       (&(objectClass=posixGroup)(memberUid=usera*)))'

Why do you want to do wildcard searches? This is not guaranteed to work, since some of the member attributes might not even have a SUBSTR matching rule assigned.

> Also the other thing I want to do is to search
> (objectClass=*)&(*member*=uid=usera*). Is that possible?

No, it's not. And for security reasons you should really stay away from wildcard searches when doing group evaluation! That's a security mechanism and therefore your code MUST be as exact as possible!

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-06-18 15:58:50
Michael Ströder wrote:
> Melita Mihaljevic wrote:
>> My search filter is (it's all in one line):
>>
>>     search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>                       (&(objectClass=groupOfNames)(member=uid=usera*))
>>                       (&(objectClass=posixGroup)(memberUid=usera*)))'
>
> Why do you want to do wildcard searches? This is not guaranteed to work
> since some of the member attributes might not even have a SUBSTR
> matching rule assigned.

And note that user IDs might not always be in the attribute 'uid'. It's perfectly valid that a user enters his e-mail address into the login form, and you first have to search for the user's entry, which might not have attribute 'uid' set at all.

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-18 16:06:10
On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <mi...@st...> wrote:
> Michael Ströder wrote:
>> Melita Mihaljevic wrote:
>>> My search filter is (it's all in one line):
>>>
>>>     search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>>                       (&(objectClass=groupOfNames)(member=uid=usera*))
>>>                       (&(objectClass=posixGroup)(memberUid=usera*)))'
>>
>> Why do you want to do wildcard searches? This is not guaranteed to work
>> since some of the member attributes might not even have a SUBSTR matching
>> rule assigned.

Because I know only the uid and don't know the other user information.

> And note that user IDs might not always be in the attribute 'uid'. It's
> perfectly valid that a user enters his e-mail address into the login form
> and you first have to search for the user's entry which might not have
> attribute 'uid' set at all.

Because in MoinMoin I search only groups with uid in them; only those are important for me.

Mel
From: Michael S. <mi...@st...> - 2008-06-18 16:47:16
Melita Mihaljevic wrote:
> On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <mi...@st...> wrote:
>> Michael Ströder wrote:
>>> Melita Mihaljevic wrote:
>>>> My search filter is (it's all in one line):
>>>>
>>>>     search_filter = '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>>>                       (&(objectClass=groupOfNames)(member=uid=usera*))
>>>>                       (&(objectClass=posixGroup)(memberUid=usera*)))'
>>>
>>> Why do you want to do wildcard searches? This is not guaranteed
>>> to work since some of the member attributes might not even have
>>> a SUBSTR matching rule assigned.
>
> Because I know only the uid and don't know the other user information.

The user enters some user name. During login you have to use a configurable search filter for searching the user's entry. Something like:

    user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'

And then replace %s with what the user entered as user name. Then you have the DN and some more eventually needed attributes for conducting an exact search for the group entries a user is a member of, like I described in my former posting.

> Because in MoinMoin I search only groups with uid in them; only those
> are important for me.

LDAP directories can have user entries which do not have attribute 'uid' at all!

Ciao, Michael.
From: Michael S. <mi...@st...> - 2008-06-18 17:17:28
Michael Ströder wrote:
> The user enters some user name. During login you have to use a
> configurable search filter for searching the user's entry.
>
> Something like:
>
>     user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>
> And then replace %s with what the user entered as user name.

Furthermore:

1. You have to check whether exactly *one* entry is returned in the search results: search_ext_s(.., sizelimit=2)

2. You MUST only accept non-empty passwords when checking the user's password with a bind request. If you send a simple bind request with an empty password the bind is OK because it's only treated as an anonymous bind by most LDAP servers.

Ciao, Michael.
From: Melita M. <mel...@gm...> - 2008-06-19 12:24:29
On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <mi...@st...> wrote:
> Michael Ströder wrote:
>> The user enters some user name. During login you have to use a
>> configurable search filter for searching the user's entry.
>>
>> Something like:
>>
>>     user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>>
>> And then replace %s with what the user entered as user name.
>
> Furthermore:
>
> 1. You have to check whether exactly *one* entry is returned in the search
> results: search_ext_s(.., sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with an
> empty password the bind is OK because it's only treated as an anonymous bind by
> most LDAP servers.
>
> Ciao, Michael.

Ok,
Probably we didn't understand. I will use uid=userid_name (%s = userid_name).

I have a test that I want to succeed:

    def testMemberOfGroup(self):
        """Authenticate to LDAP and read all groups that user with uid usera is a member of."""
        server_uri = self.ldap_env.slapd.url
        base_dn = self.ldap_env.basedn
        lo = ldap.initialize(server_uri)
        ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
        lo.simple_bind_s('', '')
        # this one was just for checking if this works
        search_filter = '(|(&(objectClass=*)(member=uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org)))'
        search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

(Yes, this works, but I don't want to need to know all that stuff after the uid=usera.)

I know you said it's a bad thing to search for substrings, but this is the only way I can say something is a group -> for me, in my definition, something is a group if it has a member (or a type containing the word member; there is where it would be great to use substrings) and in the member part of the record it has uid; the rest of the groups, I don't want to know about them.

And I have a part of a record:

    'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']

And I only want to search for uid=usera, not the rest of the record. This is only for the test, and for the real search I will make it more configurable.
From: Michael S. <mi...@st...> - 2008-06-19 14:23:31
Melita Mihaljevic wrote:
> On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <mi...@st...> wrote:
>> Michael Ströder wrote:
>>> The user enters some user name. During login you have to use a
>>> configurable search filter for searching the user's entry.
>>>
>>> Something like:
>>>
>>>     user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>>>
>>> And then replace %s with what the user entered as user name.
>>
>> Furthermore:
>>
>> 1. You have to check whether exactly *one* entry is returned in the
>> search results: search_ext_s(.., sizelimit=2)
>> 2. You MUST only accept non-empty passwords when checking the user's
>> password with a bind request. If you send a simple bind request with
>> an empty password the bind is OK because it's only treated as an
>> anonymous bind by most LDAP servers.
>
> Ok,
> Probably we didn't understand. I will use uid=userid_name (%s =
> userid_name).

Did you actually read what I wrote before?

> I have a test that I want to succeed:
> [..]
>         # this one was just for checking if this works
>         search_filter = '(|(&(objectClass=*)(member=uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org)))'
>         search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)
>
> (Yes, this works, but I don't want to need to know all that stuff after
> the uid=usera.)

You have to deal with all that "stuff after the uid=usera". Hint: In MS AD the DN of the user's entry does not even start with uid=! If you don't follow the concepts I described you will fail to finish this project correctly. Period.

> I know you said it's a bad thing to search for substrings, but this is the
> only way I can say something is a group -> for me, in my definition,

Nope. Rethink! Period.

> something is a group if it has a member (or a type containing the word member;
> there is where it would be great to use substrings) and in the member part
> of the record it has uid; the rest of the groups, I don't want to know
> about them.

Again: There may be user entries which do not have attribute 'uid' at all! Believe me, you're oversimplifying things.

> And I have a part of a record:
>
>     'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']

Don't request attribute 'member' during group lookup. Your application just has to know which groups a user is a member of. It should not retrieve all members, since that can be many!

> And I only want to search for uid=usera, not the rest of the record.

Explicitly set the requested attributes with argument attrlist. See also:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.search

Ciao, Michael.
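Added example, not code from this thread or from the python-ldap project: the login and group-lookup flow Michael lays out across his replies (configurable user filter, exactly-one-entry check via sizelimit=2, non-empty password before the bind, an exact per-object-class group filter built from the user's DN/uid/mail, and attrlist so the member attribute is never returned), with the user-typed name escaped per RFC 4515 so it cannot alter the filter. The conn argument is assumed to behave like a python-ldap LDAPObject; the escaping is written out here instead of taken from ldap.filter so the pure-Python parts run even without python-ldap installed.

```python
try:
    import ldap                      # python-ldap; optional for the pure-Python parts
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:
    SCOPE_SUBTREE = 2                # python-ldap's value for ldap.SCOPE_SUBTREE

def escape_filter_chars(value):
    """Escape the characters RFC 4515 reserves in an assertion value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def user_search_filter(template, username):
    """Fill every %s of the configurable template with the escaped login name."""
    return template.replace('%s', escape_filter_chars(username))

def group_membership_filter(user_dn, uid=None, mail=None):
    """Exact (wildcard-free) filter covering the group types named in the thread."""
    dn = escape_filter_chars(user_dn)
    parts = ['(&(objectClass=groupOfNames)(member=%s))' % dn,
             '(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))' % dn,
             '(&(objectClass=organizationalRole)(roleOccupant=%s))' % dn]
    if uid:                          # some user entries have no uid at all
        parts.append('(&(objectClass=posixGroup)(memberUid=%s))' % escape_filter_chars(uid))
    if mail:
        m = escape_filter_chars(mail)
        parts += ['(&(objectClass=rfc822MailGroup)(mail=%s))' % m,
                  '(&(objectClass=mailGroup)(mgrpRFC822MailMember=%s))' % m,
                  '(&(objectClass=nisMailAlias)(rfc822MailMember=%s))' % m]
    return '(|%s)' % ''.join(parts)

def login_and_groups(conn, base_dn, username, password,
                     template='(|(uid=%s)(sAMAccountName=%s))'):
    """Return (user_dn, [group DNs]), or None when the login must be refused."""
    if not password:                 # empty password = anonymous bind; never accept
        return None
    # sizelimit=2 is enough to notice "more than one entry matched"; python-ldap
    # raises ldap.SIZELIMIT_EXCEEDED beyond that, which callers treat as a refusal
    hits = conn.search_ext_s(base_dn, SCOPE_SUBTREE, user_search_filter(template, username),
                             attrlist=['uid', 'mail'], sizelimit=2)
    if len(hits) != 1:
        return None
    user_dn, attrs = hits[0]
    conn.simple_bind_s(user_dn, password)     # wrong password raises in python-ldap
    uid, mail = attrs.get('uid', [None])[0], attrs.get('mail', [None])[0]
    # attrlist=['cn'] keeps the possibly huge member attributes out of the result
    groups = conn.search_ext_s(base_dn, SCOPE_SUBTREE,
                               group_membership_filter(user_dn, uid, mail), attrlist=['cn'])
    return user_dn, [dn for dn, _ in groups]
```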