Reading groups from LDAP

2008-06-18 Thread Melita Mihaljevic
Hi,
I'm wondering which is the generic way to search for groups in LDAP.
I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE,
'(ou=Group)')
Is there a better way?
Also I need to get a groups that a certain user is a member of. Any ideas
how to read it?

Thank you very much for all ideas

-- 
Melita MIhaljevic|melita.mihaljevic at gmail.com| melita.mihaljevic at
fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic |
http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
-
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev


Re: python-ldap question

2008-06-18 Thread Michael Ströder
Melita,

I'd kindly ask you to come over to the python-ldap-dev mailing list (See 
To:, Bcc: to you to protect your e-mail address) to further discuss 
things like this because others are surely interested in this too.

http://lists.sourceforge.net/lists/listinfo/python-ldap-dev

Melita Mihaljevic wrote:
> 
> I'm developing extending MoinMoin groups to LDAP, and I need to read all 
> groups from LDAP dir and map them with users that are members of certain 
> group.

Hmm, you probably should not read all groups since group entries can be 
very large. One of my customers has entries 'groupOfNames' containing 
over 100.000 DNs in the attribute 'member'! Rather after the user's 
login you should determine the groups the user is a direct member of.

> I looked at your web2ldap application and thought maybe you have 
> some ideas.

Did you have a look at the filters sent by web2ldap? The [groupadm] 
feature sends two search requests (not requesting the member attribute!):
- search (different types of) groups the user is a member of
- search all groups

> I tried to search with ou=Groups but this is only one case. Do you know/ 
> have idea how to do it generaly.

Hmm, I'm not sure I fully understand what you're after.

Ciao, Michael.



Re: Reading groups from LDAP

2008-06-18 Thread Michael Ströder
Melita Mihaljevic wrote:
> Hi,
> I'm wondering which is the generic way to search for groups in LDAP.
> I used: search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, 
> '(ou=Group)')

The filter (ou=Group) does not make sense to me. You're probably mixing 
this with the search root.

1. Bear in mind that there are many different types of group entries out 
in the wild. LDAP entries are typed by object class. So your filter has 
to specifically search for group entries by object class.

2. Additionally for determining whether a certain user is member of a 
group you have to compare a certain member attribute within the group 
entry with an attribute within the user's entry or the DN of the entry.

3. You should never ever (accidentally) request the member attribute 
within the group entry to be returned in the search results since some 
groups can be big leading to a large amount of data to be returned.

The user entry:
dn: cn=michael str\C3\B6der,ou=private,dc=stroeder,dc=de
uid: michael
mail: [EMAIL PROTECTED]

Example of a filter generated by web2ldap (normally everything in one 
line, broken up here for readability):

(|
  (&(objectClass=organizationalRole)(roleOccupant=cn=michael 
str\C3\B6der,ou=private,dc=stroeder,dc=de))
  (&(objectClass=rfc822MailGroup)([EMAIL PROTECTED]))
  (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael 
str\C3\B6der,ou=private,dc=stroeder,dc=de))
  (&(objectClass=mailGroup)([EMAIL PROTECTED]))
  (&(objectClass=posixGroup)(memberUid=michael))
  (&(objectClass=nisMailAlias)([EMAIL PROTECTED]))
  (&(objectClass=groupOfNames)(member=cn=michael 
str\C3\B6der,ou=private,dc=stroeder,dc=de))
))

Ciao, Michael.

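The following is an added example, not code from the thread or from web2ldap, showing the three points above in python-ldap terms: pick group entries by object class, compare the membership attribute against a value taken from the user's own entry (its DN, or its uid for posixGroup), escape that value so it is always an exact assertion and never a wildcard, and request only cn so the member attribute of a large group is never transferred. It assumes `conn` is a python-ldap connection (only `search_ext_s` is used); the stub connection and sample entries at the end are constructed so the script runs offline. The mail-based group types from Michael's filter are left out because their attribute names were mangled in the archived mail; they would be further rows in GROUP_TYPES.

```python
"""Added example (not from the thread or web2ldap): exact group-membership
search for one user, without requesting the member attribute."""
try:
    import ldap                     # python-ldap, if it is installed
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
except ImportError:
    SCOPE_SUBTREE = 2               # the value of ldap.SCOPE_SUBTREE


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value.

    A uid or DN containing '*', '(', ')' or a backslash must not be able to
    turn the exact match into a wildcard or add clauses to the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


# (group object class, membership attribute in the group entry,
#  key of the user attribute it is compared with)
GROUP_TYPES = (
    ('groupOfNames',       'member',       'dn'),
    ('groupOfUniqueNames', 'uniqueMember', 'dn'),
    ('organizationalRole', 'roleOccupant', 'dn'),
    ('posixGroup',         'memberUid',    'uid'),
)


def build_group_filter(user):
    """user is a dict such as {'dn': ..., 'uid': ...} taken from the entry
    found at login.  Group types whose comparison attribute the user lacks
    (e.g. an entry without uid) are skipped rather than searched with a
    wildcard."""
    clauses = []
    for object_class, member_attr, user_key in GROUP_TYPES:
        value = user.get(user_key)
        if value is None:
            continue
        clauses.append('(&(objectClass=%s)(%s=%s))'
                       % (object_class, member_attr, escape_filter_value(value)))
    return '(|%s)' % ''.join(clauses)


def find_direct_groups(conn, base_dn, user):
    """Return the DNs of the groups the user is a direct member of.

    attrlist=['cn'] keeps member/uniqueMember/memberUid out of the result, so
    a group with 100,000 members costs the same as one with two.  Tuples with
    dn None are search references (referrals) and are dropped."""
    results = conn.search_ext_s(base_dn, SCOPE_SUBTREE,
                                build_group_filter(user), attrlist=['cn'])
    return [dn for dn, _attrs in results if dn is not None]


class _StubConnection:
    """Constructed stand-in for a python-ldap connection so the example runs
    offline: records the search it receives and returns canned entries."""

    def __init__(self, results):
        self.results = results
        self.calls = []

    def search_ext_s(self, base, scope, filterstr, attrlist=None, **kwargs):
        self.calls.append((base, scope, filterstr, attrlist))
        return self.results


if __name__ == '__main__':
    # Constructed sample data modelled on the entries posted in the thread.
    usera = {'dn': 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org',
             'uid': 'usera'}
    conn = _StubConnection([
        ('cn=Group A,ou=Groups,ou=testing,dc=example,dc=org', {'cn': [b'Group A']}),
        (None, ['ldap://other.example.org/dc=example,dc=org']),   # a referral
    ])
    print(build_group_filter(usera))
    print(find_direct_groups(conn, 'ou=testing,dc=example,dc=org', usera))
```

The DN used in the filter should be the one the server returned for the user's entry, not something reassembled from the login name; the server compares it with its DN matching rule, so formatting differences do not matter, but a DN guessed from `uid=%s,ou=...` would silently miss users kept elsewhere in the tree.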


Re: Reading groups from LDAP

2008-06-18 Thread Melita Mihaljevic
On Wed, Jun 18, 2008 at 11:15 AM, Michael Ströder <[EMAIL PROTECTED]>
wrote:

>
> Example of a filter generated by web2ldap (normally everything in one line,
> broke up here for readability):
>
> (|
>  (&(objectClass=organizationalRole)(roleOccupant=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
>  (&(objectClass=rfc822MailGroup)([EMAIL PROTECTED]))
>  (&(objectClass=groupOfUniqueNames)(uniqueMember=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
>  (&(objectClass=mailGroup)([EMAIL PROTECTED]))
>  (&(objectClass=posixGroup)(memberUid=michael))
>  (&(objectClass=nisMailAlias)([EMAIL PROTECTED]))
>  (&(objectClass=groupOfNames)(member=cn=michael
> str\C3\B6der,ou=private,dc=stroeder,dc=de))
> ))
>
> Ciao, Michael.


Thank you all for everything, but I have some more problems:
My current LDAP situation is:

dn: cn=Group A,ou=Groups,ou=testing,dc=example,dc=org
cn: Group A
member: cn=dummy
member: uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org
objectClass: groupOfNames

dn: cn=Group B,ou=Groups,ou=testing,dc=example,dc=org
cn: Group B
objectClass: groupOfUniqueNames
uniqueMember: cn=dummy
uniqueMember: uid=userb,ou=Unit B,ou=Users,ou=testing,dc=example,dc=org

And I tried to do a generic search for all groups usera is a member of. (I
searched for all objectClass that could be groupOfUniqueNames, groupOfNames
or posixGroup at the moment).
My search filter is (it's all in one line):
search_filter =
'(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
(&(objectClass=groupOfNames)(member=uid=usera*))
(&(objectClass=posixGroup)(memberUid=usera*)))'

and when I do a search:
 search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)
I got an empty list. Could someone explain to me why that is so and how to fix
it. I only want to search for uid.

Also the other thing I want to do is to search
(objectClass=*)&(*member*=uid=usera*). Is that possible ?

Thank you a lot.
Mel



Re: Reading groups from LDAP

2008-06-18 Thread Michael Ströder
Melita Mihaljevic wrote:
> 
> My search filter is (it's all in one line):
> search_filter =
> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
> (&(objectClass=groupOfNames)(member=uid=usera*))
> (&(objectClass=posixGroup)(memberUid=usera*)))'

Why do you want to do wildcard searches? This is not guaranteed to work 
since some of the member attributes might not even have a SUBSTR 
matching rule assigned.

> Also the other thing I want to do is to search 
> (objectClass=*)&(*member*=uid=usera*). Is that possible ?

No it's not.

And for security reasons you should really stay away from wildcard 
searches when doing group evaluation! That's a security mechanism and 
therefore your code MUST be as exact as possible!

Ciao, Michael.



Re: Reading groups from LDAP

2008-06-18 Thread Michael Ströder
Michael Ströder wrote:
> Melita Mihaljevic wrote:
>>
>> My search filter is (it's all in one line):
>> search_filter =
>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>> (&(objectClass=groupOfNames)(member=uid=usera*))
>> (&(objectClass=posixGroup)(memberUid=usera*)))'
> 
> Why do you want to do wildcard searches? This is not guaranteed to work 
> since some of the member attributes might not even have a SUBSTR 
> matching rule assigned.

And note that user-IDs might not always be in the attribute 'uid'. It's 
perfectly valid that a user enters his e-mail address into the login 
form and you first have to search for the user's entry which might not 
have attribute 'uid' set at all.

Ciao, Michael.



Re: Reading groups from LDAP

2008-06-18 Thread Melita Mihaljevic
On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <[EMAIL PROTECTED]>
wrote:

> Michael Ströder wrote:
>> Melita Mihaljevic wrote:
>>> My search filter is (it's all in one line):
>>> search_filter =
>>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>> (&(objectClass=groupOfNames)(member=uid=usera*))
>>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>>
>> Why do you want to do wildcard searches? This is not guaranteed to work
>> since some of the member attributes might not even have a SUBSTR matching
>> rule assigned.

Because I know only uid and don't know the other user information.

> And note that user-IDs might not always be in the attribute 'uid'. It's
> perfectly valid that a user enters his e-mail address into the login form
> and you first have to search for the user's entry which might not have
> attribute 'uid' set at all.

Because in MoinMoin I search only groups with uid in it; only those are
important for me.

Mel





Re: Reading groups from LDAP

2008-06-18 Thread Michael Ströder
Melita Mihaljevic wrote:
> On Wed, Jun 18, 2008 at 5:58 PM, Michael Ströder <[EMAIL PROTECTED]> wrote:
>> Michael Ströder wrote:
>>> Melita Mihaljevic wrote:
>>>> My search filter is (it's all in one line):
>>>> search_filter =
>>>> '(|(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=usera*))
>>>> (&(objectClass=groupOfNames)(member=uid=usera*))
>>>> (&(objectClass=posixGroup)(memberUid=usera*)))'
>>>
>>> Why do you want to do wildcard searches? This is not guaranteed
>>> to work since some of the member attributes might not even have
>>> a SUBSTR matching rule assigned.
> 
> Because I know only uid and don't know the other user information.

The user enters some user name. During login you have to use a 
configurable search filter for searching the user's entry.

Something like:
user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'

And then replace %s with what the user entered as user name.

Then you have the DN and some more eventually needed attributes for 
conducting an exact search for the group entries a user is a member of, like 
I described in my former posting.

> Because in the MoinMoin I search only groups with uid in it,only those 
> are important for me.

LDAP directories can have user entries which do not have attribute 'uid' 
at all!

Ciao, Michael.



Re: Reading groups from LDAP

2008-06-18 Thread Michael Ströder
Michael Ströder wrote:
> The user enters some user name. During login you have to use a 
> configurable search filter for searching the user's entry.
> 
> Something like:
> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
> 
> And then replace %s with what the user entered as user name.

Furthermore:

1. You have to check whether exactly *one* entry is returned in the 
search results. search_ext_s(..,sizelimit=2)
2. You MUST only accept non-empty passwords when checking the user's 
password with a bind request. If you send a simple bind request with an 
empty password the bind is ok because it's only treated as anonymous 
bind by most LDAP servers.

Ciao, Michael.

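The following is an added example, not code from the thread or from MoinMoin, putting the login steps from the last two messages together: search the user's entry with the configurable filter template (escaping what the user typed, so the value is always exact and never a wildcard), require exactly one hit using sizelimit=2, refuse an empty password before the bind, and only then bind as the user's DN. It assumes `conn` is a python-ldap connection (`search_ext_s`, `simple_bind_s`, and the `ldap.INVALID_CREDENTIALS` / `ldap.SIZELIMIT_EXCEEDED` exceptions); the stub connection, entries and passwords at the end are constructed so the script runs offline.

```python
"""Added example (not from the thread or MoinMoin): user lookup and bind
with the checks Michael lists."""
try:
    import ldap
    SCOPE_SUBTREE = ldap.SCOPE_SUBTREE
    InvalidCredentials = ldap.INVALID_CREDENTIALS
    SizeLimitExceeded = ldap.SIZELIMIT_EXCEEDED
except ImportError:
    SCOPE_SUBTREE = 2   # value of ldap.SCOPE_SUBTREE

    class InvalidCredentials(Exception):   # stands in for ldap.INVALID_CREDENTIALS
        pass

    class SizeLimitExceeded(Exception):    # stands in for ldap.SIZELIMIT_EXCEEDED
        pass

# The template from the thread; make it configurable per directory, since a
# user may have no uid at all and log in with a mail address instead.
USER_SEARCH_TEMPLATE = '(|(uid=%s)(sAMAccountName=%s))'


class LoginError(Exception):
    pass


def escape_filter_value(value):
    """RFC 4515 escaping: the login name can only ever be an exact value,
    never 'usera*' or an injected ')(uid=*' clause."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def lookup_user(conn, base_dn, login_name, template=USER_SEARCH_TEMPLATE):
    """Return (dn, attrs) of the one entry matching login_name, else raise."""
    filterstr = template.replace('%s', escape_filter_value(login_name))
    try:
        # sizelimit=2: a second hit is enough to know the name is ambiguous,
        # and no long result list is transferred.
        hits = conn.search_ext_s(base_dn, SCOPE_SUBTREE, filterstr,
                                 attrlist=['uid', 'mail'], sizelimit=2)
    except SizeLimitExceeded:   # server cut the result short: also ambiguous
        raise LoginError('login name matches more than one entry')
    hits = [(dn, attrs) for dn, attrs in hits if dn is not None]  # drop referrals
    if len(hits) != 1:
        raise LoginError('expected exactly one user entry, found %d' % len(hits))
    return hits[0]


def authenticate(conn, base_dn, login_name, password):
    """Look the user up and bind as that DN; return the DN on success."""
    if not password:
        # A simple bind with an empty password is an anonymous bind on most
        # servers and would come back as success.
        raise LoginError('empty password refused')
    dn, _attrs = lookup_user(conn, base_dn, login_name)
    try:
        conn.simple_bind_s(dn, password)
    except InvalidCredentials:
        raise LoginError('invalid credentials')
    return dn


class _StubConnection:
    """Constructed stand-in for a python-ldap connection: canned search
    results, a dn -> password table, and a log of the requests made."""

    def __init__(self, results, passwords):
        self.results, self.passwords = results, passwords
        self.calls, self.bound_as = [], None

    def search_ext_s(self, base, scope, filterstr, attrlist=None,
                     sizelimit=0, **kwargs):
        self.calls.append((filterstr, sizelimit))
        return self.results

    def simple_bind_s(self, who=None, cred=None):
        if self.passwords.get(who) != cred:
            raise InvalidCredentials()
        self.bound_as = who


if __name__ == '__main__':
    usera_dn = 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org'
    conn = _StubConnection([(usera_dn, {'uid': [b'usera']})], {usera_dn: 's3cret'})
    print(authenticate(conn, 'ou=testing,dc=example,dc=org', 'usera', 's3cret'))
    try:
        authenticate(conn, 'ou=testing,dc=example,dc=org', 'usera', '')
    except LoginError as err:
        print('refused:', err)
```

The DN returned by `authenticate` is the value to feed into the group search afterwards; the attributes fetched alongside it (uid, mail) are the ones the membership filter for posixGroup and the mail-based group types compares against.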