Re: Reading groups from LDAP

2008-06-19 Thread Melita Mihaljevic
On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <[EMAIL PROTECTED]>
wrote:

> Michael Ströder wrote:
>
>> The user enters some user name. During login you have to use a
>> configurable search filter for searching the user's entry.
>>
>> Something like:
>> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
>>
>> And then replace %s with what the user entered as user name.
>>
>
> Furthermore:
>
> 1. You have to check whether exactly *one* entry is returned in the search
> results. search_ext_s(..,sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with an
> empty password the bind is ok because it's only treated as an anonymous bind
> by most LDAP servers.
>
> Ciao, Michael.


Ok,
Probably we didn't understand. I will use uid=userid_name (%s =
userid_name).
I have a test that I want to succeed:




import ldap

def testMemberOfGroup(self):
    """Authenticate to LDAP and read all groups that user with uid usera
    is a member of.
    """
    server_uri = self.ldap_env.slapd.url
    base_dn = self.ldap_env.basedn
    lo = ldap.initialize(server_uri)
    ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3)
    lo.simple_bind_s('', '')  # anonymous bind
    # this one was just for checking if this works
    search_filter = ('(|(&(objectClass=*)(member=uid=usera,ou=Unit A,'
                     'ou=Users,ou=testing,dc=example,dc=org)))')
    search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)

(yes, this works, but I don't want to need to know all that stuff after the
uid=usera)

I know you said it's a bad thing to search for substrings, but this is the
only way I can say something is a group -> for me, in my definition,
something is a group if it has a member (or a type containing the word member -
there is where it would be great to use substrings) and in the member part of
the record it has uid; the rest of the groups I don't want to know about.

And I have a part of a record:
'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']

And I only want to search for uid=usera, not the rest of the record. This is
only for the test; for the real search I will make it more configurable.



-- 
Melita Mihaljevic | melita.mihaljevic at gmail.com | melita.mihaljevic at fer.hr
ICQ: 201278527 | Gtalk: melita.mihaljevic |
http://mihaljevicmelita.blogspot.com/
PGP: 0xDB17A80C | http://fly.srk.fer.hr/~gizmo
http://www.last.fm/user/maligizmo/ | http://www.linkedin.com/in/mmihaljevic
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev


Re: Reading groups from LDAP

2008-06-19 Thread Michael Ströder
Melita Mihaljevic wrote:
> 
> 
> On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <[EMAIL PROTECTED]> wrote:
> 
> Michael Ströder wrote:
> 
> The user enters some user name. During login you have to use a
> configurable search filter for searching the user's entry.
> 
> Something like:
> user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
> 
> And then replace %s with what the user entered as user name.
> 
> 
> Furthermore:
> 
> 1. You have to check whether exactly *one* entry is returned in the
> search results. search_ext_s(..,sizelimit=2)
> 2. You MUST only accept non-empty passwords when checking the user's
> password with a bind request. If you send a simple bind request with
> an empty password the bind is ok because it's only treated as an
> anonymous bind by most LDAP servers.
> 
> Ok,
> Probably we didn't understand. I will use uid=userid_name (%s = 
> userid_name).

Did you actually read what I wrote before?

> I have a test that I want to succeed:
> [..]
> search_filter='(|(&(objectClass=*)(member=uid=usera,ou=Unit 
> A,ou=Users,ou=testing,dc=example,dc=org)))' # this one was just for 
> checking if this works
> search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, 
> search_filter)
> 
> (yes, this works, but I don't want to need to know all that stuff after 
> the uid=usera)

You have to deal with all those "stuff after the uid=usera". Hint: In MS 
AD the DN of the user's entry does not even start with uid=!

If you don't follow the concepts I described you will fail finishing 
this project correctly. Period.

> I know you said it's a bad thing to search for substrings, but this is the 
> only way I can say something is a group -> for me, in my definition, 

Nope. Rethink! Period.

> something is a group if it has a member (or a type containing the word member - 
> there is where it would be great to use substrings) and in the member part 
> of the record it has uid; the rest of the groups I don't want to know 
> about.

Again:
There may be user entries which do not have attribute 'uid' at all!
Believe me, you're oversimplifying things.

> And I have a part of a record:
> 'member': ['cn=dummy', 'uid=usera,ou=Unit 
> A,ou=Users,ou=testing,dc=example,dc=org']

Don't request attribute 'member' during group lookup. Your application 
just has to know which groups a user is a member of. It should not 
retrieve all members since that can be many!

> And I only want to search for uid=usera, not the rest of the record. 

Explicitly set the requested attributes with argument attrlist.
See also:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.search

Ciao, Michael.
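The login and group-lookup procedure Michael describes in this thread (reject an empty password, put the escaped user name into a configurable filter, demand exactly one hit with sizelimit=2, bind as that DN, then search groups by member= while requesting no attributes), as an added example that is not part of the thread or of python-ldap. FakeLDAPConnection, LDAPError, authenticate, groups_of and the sample directory are constructed stand-ins so it runs without a server; with python-ldap the corresponding real calls are ldap.LDAPObject.search_ext_s, ldap.LDAPObject.simple_bind_s and ldap.filter.escape_filter_chars.

```python
import re
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE
class LDAPError(Exception): pass  # stands in for ldap.LDAPError and its subclasses

def escape_filter_chars(value):
    """RFC 4515 escaping (what ldap.filter.escape_filter_chars does): input cannot alter the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

class FakeLDAPConnection:
    """Constructed stand-in for ldap.LDAPObject; like most real servers, an EMPTY password binds anonymously."""
    def __init__(self, entries, passwords):  # {dn: {attr: [values]}}, {dn: password}
        self.entries, self.passwords = entries, passwords
    def simple_bind_s(self, who='', cred=''):
        if cred != '' and self.passwords.get(who) != cred:
            raise LDAPError('INVALID_CREDENTIALS')
    def search_ext_s(self, base, scope, filterstr, attrlist=None, sizelimit=0):
        # OR of the equality terms in filterstr, \xx escapes decoded (enough for the filters used here)
        terms = [(a, re.sub(r'\\([0-9a-f]{2})', lambda m: chr(int(m.group(1), 16)), v))
                 for a, v in re.findall(r'\(([\w-]+)=([^()]*)\)', filterstr)]
        hits = [(dn, at) for dn, at in self.entries.items() if any(v in at.get(a, []) for a, v in terms)]
        if sizelimit and len(hits) > sizelimit:
            raise LDAPError('SIZELIMIT_EXCEEDED')
        return hits

def authenticate(conn, base_dn, filter_template, username, password):
    """The user's DN on success, else None: the checks from the thread, in order."""
    if not password:                     # an empty password would be an anonymous bind
        return None
    filt = filter_template.replace('%s', escape_filter_chars(username))
    try:
        hits = conn.search_ext_s(base_dn, SCOPE_SUBTREE, filt, attrlist=['1.1'], sizelimit=2)
        if len(hits) != 1:               # exactly one entry must match the login name
            return None
        conn.simple_bind_s(hits[0][0], password)   # verify the password against that DN
    except LDAPError:                    # INVALID_CREDENTIALS or SIZELIMIT_EXCEEDED
        return None
    return hits[0][0]

def groups_of(conn, base_dn, user_dn):
    """Group DNs listing user_dn as member; '1.1' = no attributes (RFC 4511), so member lists never travel."""
    filt = '(member=%s)' % escape_filter_chars(user_dn)
    return sorted(dn for dn, _ in conn.search_ext_s(base_dn, SCOPE_SUBTREE, filt, attrlist=['1.1']))

# Constructed sample directory: 'dup' resolves to two entries (uid vs sAMAccountName); password made up.
BASE_DN = 'ou=testing,dc=example,dc=org'
USER_DN = 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org'
DIRECTORY = FakeLDAPConnection({
    USER_DN: {'uid': ['usera'], 'sAMAccountName': ['dup']},
    'uid=dup,ou=Users,ou=testing,dc=example,dc=org': {'uid': ['dup']},
    'cn=admins,ou=Groups,ou=testing,dc=example,dc=org': {'member': ['cn=dummy', USER_DN]},
}, {USER_DN: 'secret'})
```

Against a real server, replace the fake with ldap.initialize(uri) and catch ldap.LDAPError in the same place; a result set larger than sizelimit then arrives as ldap.SIZELIMIT_EXCEEDED rather than as a longer list.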
