[PATCH] default values
Hi,

the attached patch allows you to use default values for the functions/arguments below. This is helpful in an environment where /etc/openldap/ldap.conf is kept up to date with correct information.

  ldap.initialize(uri)
  LDAPObject.search_*(base, scope)

The semantics are identical to the command-line "ldapsearch" tool. This means:

- uri <- "HOST" from /etc/openldap.conf
- base <- "BASE" from /etc/openldap.conf
- scope <- SCOPE_SUBTREE

The patch is against the latest CVS and has been tested.

Regards,
Geert

? python-ldap-CVS-defaults.patch ? python-ldap-default-uri.patch Index: Lib/ldap/functions.py === RCS file: /cvsroot/python-ldap/python-ldap/Lib/ldap/functions.py,v retrieving revision 1.20 diff -u -r1.20 functions.py --- Lib/ldap/functions.py 22 Mar 2007 23:12:36 - 1.20 +++ Lib/ldap/functions.py 21 Aug 2007 20:39:04 - @@ -69,7 +69,7 @@ return result -def initialize(uri,trace_level=0,trace_file=sys.stdout,trace_stack_limit=None): +def initialize(uri=None,trace_level=0,trace_file=sys.stdout,trace_stack_limit=None): """ Return LDAPObject instance by opening LDAP connection to LDAP host specified by LDAP URL Index: Lib/ldap/ldapobject.py === RCS file: /cvsroot/python-ldap/python-ldap/Lib/ldap/ldapobject.py,v retrieving revision 1.98 diff -u -r1.98 ldapobject.py --- Lib/ldap/ldapobject.py 5 Jun 2007 09:56:15 - 1.98 +++ Lib/ldap/ldapobject.py 21 Aug 2007 20:39:05 - @@ -59,7 +59,7 @@ } def __init__( -self,uri, +self,uri=None, trace_level=0,trace_file=None,trace_stack_limit=5 ): self._trace_level = trace_level 
@@ -439,13 +439,13 @@ decoded_serverctrls = DecodeControlTuples(serverctrls) return rtype, rdata, rmsgid, decoded_serverctrls - def search_ext(self,base,scope,filterstr='(objectClass=*)',attrlist=None,attrsonly=0,serverctrls=None,clientctrls=None,timeout=-1,sizelimit=0): + def search_ext(self,base=None,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',attrlist=None,attrsonly=0,serverctrls=None,clientctrls=None,timeout=-1,sizelimit=0): """ -search(base, scope [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0]]]) -> int -search_s(base, scope [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0]]]) -search_st(base, scope [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,timeout=-1) -search_ext(base,scope,[,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,serverctrls=None [,clientctrls=None [,timeout=-1 [,sizelimit=0]]]) -search_ext_s(base,scope,[,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,serverctrls=None [,clientctrls=None [,timeout=-1 [,sizelimit=0]]]) +search([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0]) -> int +search_s([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0]) +search_st([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,timeout=-1]]) +search_ext([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,serverctrls=None [,clientctrls=None [,timeout=-1 [,sizelimit=0]) +search_ext_s([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0 [,serverctrls=None [,clientctrls=None [,timeout=-1 [,sizelimit=0]) Perform an LDAP search operation, with base as the DN of the entry at which to start the search, scope being one of 
@@ -493,17 +493,17 @@ timeout,sizelimit, ) - def search_ext_s(self,base,scope,filterstr='(objectClass=*)',attrlist=None,attrsonly=0,serverctrls=None,clientctrls=None,timeout=-1,sizelimit=0): + def search_ext_s(self,base=None,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',attrlist=None,attrsonly=0,serverctrls=None,clientctrls=None,timeout=-1,sizelimit=0): msgid = self.search_ext(base,scope,filterstr,attrlist,attrsonly,serverctrls,clientctrls,timeout,sizelimit) return self.result(msgid,all=1,timeout=timeout)[1] - def search(self,base,scope,filterstr='(objectClass=*)',attrlist=None,attrsonly=0): + def search(self,base=None,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',attrlist=None,attrsonly=0): return self.search_ext(base,scope,filterstr,attrlist,attrsonly,None,None) - def search_s(self,base,scope,filterstr='(objectClass=*)',attrlist=None,attrsonly=0): + def search_s(self,base=None,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',attrlist=None,attrsonly=0): return self.search_ext_s(base,scope,filterstr,attrlist,attrsonly,None,None,timeout=self.timeout) - def search_st(self,base,scope,filterstr='(objectClass=*)',attrlist=None,attrsonly=0,timeout=-1): + def search_st(self,base=None,scope=ldap.SCOPE_SUBTREE,filterstr
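Review bot: the functions.py hunk changes only the signature (`+def initialize(uri=None,...`) while the docstring kept as context still describes "opening LDAP connection to LDAP host specified by LDAP URL"; document what omitting the argument now means, namely that the host comes from the client configuration's HOST entry as the cover message says, because a caller that previously got a TypeError for a missing uri now silently connects to whatever host the system-wide file names.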
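Review bot: the `__init__` hunk mirrors the default (`+self,uri=None,`) but nothing in the visible lines shows where a None uri is turned into the configured host before it reaches the underlying library; if that relies on the C layer accepting None, say so in a comment, otherwise resolve it once here so that `initialize()` and direct `LDAPObject(...)` construction behave the same.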
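Review bot: the rewritten usage lines in the search_ext docstring have unbalanced brackets: `+search([base=None [,scope=ldap.SCOPE_SUBTREE [,filterstr='(objectClass=*)' [,attrlist=None [,attrsonly=0]) -> int` opens five `[` and closes one, where the removed line closed all three it opened, and the other four `+search...` lines have the same defect. The prose that follows, "with base as the DN of the entry at which to start the search", also needs a sentence for the None case (BASE from ldap.conf, per the cover message), and since base and scope now both default, a bare `search()` performs a subtree search of the configured base where it previously failed at call time; that deserves an explicit mention as a behaviour change.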
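Review bot: the four wrapper signatures in this hunk each repeat the literal default `scope=ldap.SCOPE_SUBTREE` and forward base and scope positionally into `search_ext`, so the default is now spelled out in five places (counting search_ext) that can drift apart; consider defining it once at module level, or letting the wrappers default scope to None and resolving None to SCOPE_SUBTREE only in search_ext, the single point all of them already pass through.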
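The ldapsearch-style fallback the cover message describes (uri from HOST, base from BASE, scope SCOPE_SUBTREE) can be made explicit on the Python side instead of passing None down to the C library. What follows is an added example, not part of the submitted patch or of python-ldap: a parser for the ldap.conf keyword/value format and a resolver that fills in missing arguments and refuses to continue when the file provides no default. The sample configuration text is constructed; the URI keyword handling (treated here as taking precedence over HOST, modelled on libldap) is an addition the message does not mention.

```python
"""Resolve ldapsearch-style defaults (HOST/BASE from ldap.conf) on the Python side.

Added example; not code from the python-ldap patch or from libldap.
"""

# Constructed sample of an OpenLDAP client configuration; not taken from the thread.
SAMPLE_LDAP_CONF = """\
# /etc/openldap/ldap.conf (constructed example)
HOST    ldap1.example.com ldap2.example.com
BASE    dc=example,dc=com
TLS_REQCERT demand
"""

SCOPE_SUBTREE = 2  # same numeric value as ldap.SCOPE_SUBTREE


def parse_ldap_conf(text):
    """Parse an ldap.conf(5) body: one 'KEYWORD value' per line, keywords
    case-insensitive, blank lines and '#' comments ignored. Returns a dict
    keyed by upper-cased keyword; a keyword without a value is skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf[parts[0].upper()] = parts[1].strip()
    return conf


def default_uri(conf):
    """uri <- HOST, as the cover message describes. HOST may list several
    space-separated hosts; each becomes an ldap:// URI on the default port.
    A URI keyword, if present, is used as-is and takes precedence (assumption
    modelled on libldap, where URI is the preferred keyword)."""
    if 'URI' in conf:
        return conf['URI']
    if 'HOST' in conf:
        return ' '.join('ldap://%s' % host for host in conf['HOST'].split())
    raise ValueError('ldap.conf defines neither URI nor HOST; pass uri explicitly')


def default_base(conf):
    """base <- BASE; refuse rather than search from an undefined base."""
    if 'BASE' not in conf:
        raise ValueError('ldap.conf defines no BASE; pass base explicitly')
    return conf['BASE']


def resolve_search_defaults(conf, uri=None, base=None, scope=None):
    """Fill in the three arguments the patch makes optional. Explicit
    arguments win; only a missing one falls back to the configuration."""
    if uri is None:
        uri = default_uri(conf)
    if base is None:
        base = default_base(conf)
    if scope is None:
        scope = SCOPE_SUBTREE  # scope <- SCOPE_SUBTREE, the ldapsearch default
    return uri, base, scope


if __name__ == '__main__':
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    print(resolve_search_defaults(conf))
    print(resolve_search_defaults(conf, base='ou=People,dc=example,dc=com', scope=1))
```

Raising when the file lacks a BASE, rather than handing None to the search call, keeps the failure visible at the call site; a search that silently runs against an unintended default tree is the kind of behaviour change a reviewer of the patch would want documented.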
Re: Creating Active Directory Objects
Hello Mike

> Apologies in advance if this is a duplicate post, but every time I
> tried searching the archives it would time out. I am wondering if it
> is possible to create Active Directory objects (users) with the
> python-ldap module. I am currently developing on Mac OS X. I realize there
> are AD modules out there, but I am not aware of any that will compile
> and run on Mac OS X. If there are I would appreciate any
> suggestions. Any information you can provide would be much appreciated!

It is definitely possible to create Active Directory users with python-ldap. You just need to take care that you set the minimum number of attributes required, otherwise the addition will fail. I don't have any code ready at the moment, but just create a user object with ADUC and see what attributes that sets. Then take these as a base.

Note that you don't need to create the SID and the GUID -- these are created automatically by AD.

Regards,
Geert

Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: Creating Active Directory Objects
Michael Ströder wrote:
> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.

This indeed rings a bell. You need to create the user as disabled (look for userAccountControl on MSDN), set a compliant password, and then enable him.

Regards,
Geert
Re: Creating Active Directory Objects
>> Mike Matz wrote:
>>
>> Thanks for the help guys. It got me off to a great start. I have
>> successfully created a user in my AD. As you already alluded to, I am
>> struggling with the password attribute. Can the password attribute
>> be set when creating a user? From what I gathered, the password
>> attribute is 'unicodePwd'.

Forget about using LDAP to change a user's password. It can be done but it requires 128-bit SSL and so you need to set up certificate services and distribute the CA certificate to your client.

An easier way is to use the Kerberos Set Password protocol (RFC 3244). MIT Kerberos 1.3 and later support this protocol. Unfortunately there is no command-line interface to this call so you need to create a Python extension module for wrapping this call. My (in progress) project FreeADI contains a wrapper for the Set Password call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at freeadi.org. The code is available under the liberal MIT license.

The "userPassword" attribute is the Unix shadow hash, and is not used for Kerberos.

Regards,
Geert
Re: sAMAccountName
Roland Hedberg wrote:
> On the topic python-ldap <-> AD:
>
> My problem is that I can add an entry using the User object class and
> attributes contained in that class without any problems.
>
> But when I try to add the samAccountName attribute and thereby the
> object class SecurityPrincipal the server complains.

I am not 100% sure whether this is the same issue, but I have noticed that you cannot create a security principal in AD without a valid password. But because you can only set the password once the principal is created, this is a cyclical dependency. You can get out of this by creating the account in the disabled state (by setting the appropriate flag in userAccountControl), then setting the password, and then enabling it.

On a related note, you may be interested in my current project Python-AD: http://www.boskant.nl/trac/python-ad/

The code is ready for use and I will make the first release in a couple of days. At the moment the code is available through Mercurial. I have a working example script of creating a user with Python-AD here: http://www.boskant.nl/trac/python-ad/wiki/TutorialFive

The example sets sAMAccountName and it works flawlessly.

Regards,
Geert
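The three-step sequence described in this reply and in the two earlier "Creating Active Directory Objects" replies (create the account disabled, set a compliant password, then enable it), as an added python-ldap-style example; this is not code from the thread or from Python-AD. The flag values UF_ACCOUNTDISABLE (0x0002) and UF_NORMAL_ACCOUNT (0x0200) are Microsoft's documented userAccountControl bits; the DN, account names and password are constructed; `RecordingConnection` is a stand-in so the sequence can run without a domain controller. As the earlier reply notes, AD rejects the unicodePwd write unless the session is encrypted, so a real run needs an LDAPS (or equivalently protected) connection.

```python
"""Provision an AD user in three steps: add disabled, set password, enable.

Added example; not code from the thread, from python-ldap or from Python-AD.
"""

# userAccountControl bit flags (Microsoft documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

try:
    from ldap import MOD_REPLACE  # python-ldap, when installed
except ImportError:
    MOD_REPLACE = 2  # same numeric value as ldap.MOD_REPLACE


def encode_unicode_pwd(password):
    """AD's unicodePwd takes the new password as a UTF-16LE string wrapped in
    double quotes; python-ldap sends it as a bytes value."""
    return ('"%s"' % password).encode('utf-16-le')


def disabled_user_addlist(cn, sam_account_name, upn):
    """Minimal add list for a user that exists but cannot log on yet.
    Values are bytes (python-ldap 3 requires bytes; python-ldap 2 on
    Python 2 accepted str). cn, sAMAccountName and UPN are caller-supplied."""
    uac = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 0x0202 = 514
    return [
        ('objectClass', [b'top', b'person', b'organizationalPerson', b'user']),
        ('cn', [cn.encode('utf-8')]),
        ('sAMAccountName', [sam_account_name.encode('utf-8')]),
        ('userPrincipalName', [upn.encode('utf-8')]),
        ('userAccountControl', [str(uac).encode('ascii')]),
    ]


def set_password_modlist(password):
    """Step two: replace unicodePwd. AD only accepts this over an encrypted session."""
    return [(MOD_REPLACE, 'unicodePwd', [encode_unicode_pwd(password)])]


def enable_modlist(current_uac):
    """Step three: clear only the ACCOUNTDISABLE bit, preserving the other flags."""
    enabled = current_uac & ~UF_ACCOUNTDISABLE
    return [(MOD_REPLACE, 'userAccountControl', [str(enabled).encode('ascii')])]


def provision_user(conn, dn, cn, sam_account_name, upn, password):
    """Run the three operations over an already bound connection object that
    offers python-ldap's add_s/modify_s. The uac passed to enable_modlist is
    the value written in step one, so no read-back is needed here."""
    conn.add_s(dn, disabled_user_addlist(cn, sam_account_name, upn))
    conn.modify_s(dn, set_password_modlist(password))
    conn.modify_s(dn, enable_modlist(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE))
    return dn


class RecordingConnection:
    """Stand-in for an LDAPObject that records operations instead of sending
    them, so the sequence can be exercised without a domain controller."""

    def __init__(self):
        self.ops = []

    def add_s(self, dn, addlist):
        self.ops.append(('add', dn, addlist))

    def modify_s(self, dn, modlist):
        self.ops.append(('modify', dn, modlist))


if __name__ == '__main__':
    # Constructed identity data for the demonstration.
    conn = RecordingConnection()
    provision_user(conn, 'CN=Jane Doe,OU=Staff,DC=example,DC=com',
                   'Jane Doe', 'jdoe', 'jdoe@example.com', 'ExamplePassw0rd!')
    for op, dn, changes in conn.ops:
        print(op, dn, changes)
```

The order matters: the add carries 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE), the password is set while the account still cannot log on, and only the final modify drops the bit to 512. Clearing the single bit rather than writing a fixed 512 keeps any other flags the directory set on the entry intact.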
Re: sAMAccountName
Michael Ströder wrote:
> Geert Jansen wrote:
>
>> On a related note, you may be interested in my current project
>> Python-AD: http://www.boskant.nl/trac/python-ad/
>>
>
> How are you using Kerberos? Do you expect the user to run MIT's kinit
> before sending a SASL/GSSAPI bind request? Does it also work with
> heimdal? Do you make use of a Windows logon when running on Windows?

The user doesn't need to run kinit (but he can do so and in that case those credentials can be picked up). I provide a class called "Creds" that the user can use to acquire credentials:

  from ad import Creds, activate
  creds = Creds(domain)
  creds.acquire(username, password)
  activate(creds)

Behind the scenes a new private ccache and Kerberos configuration are installed using the $KRB5CCNAME and $KRB5_CONFIG environment variables.

I have not tested this with Heimdal so far. If it supports the environment variables above it should work. Also I haven't tested Windows but I think that the Creds interface should be portable to that platform as well.

Regards,
Geert
[ANNOUNCE] python-ad
All,

with this email I am announcing the first public release of python-ad. Python-AD is a Python client for MS Active Directory built on top of python-ldap. Among other things it has the following features:

* Automatic domain controller discovery (taking into account locality and timing)
* Transparent multi-domain functionality.
* Credential management. Credentials can be acquired using a username/password, username/keytab or can be loaded from the OS.

Python-AD is ideal for situations where you need to manage data in AD from UNIX or Linux, such as adding users or querying printers.

The software, including full documentation, can be found at: http://www.boskant.nl/trac/python-ad/

Regards,
Geert Jansen
Re: [ANNOUNCE] python-ad
Mike Matz wrote:
> Will this initial release work on Mac OS X? If not, are there any
> plans in the future for Mac OS X?

At the moment I have not tested Python-AD on OSX, but I would be happy to support it in a future version. This requires though that someone sends me patches, or that I find a way of getting access to OSX myself (I do not own a Mac).

Regards
Geert
Re: [ANNOUNCE] python-ad
Michael Ströder wrote:
> I saw that kinit is started as a shell sub-process.

Actually Python-AD comes with a C module that wraps the required Kerberos functions (see lib/ad/protocol/krb5.c). What you probably saw is the use of kinit in the test suite, where I use it to verify the credentials acquired by the C module.

Regards,
Geert
Re: [ANNOUNCE] python-ad
Michael Ströder wrote:
> Ah, ok. Interesting. Why don't you separate the krb5 module into another
> project? I guess some people might be interested in that.
>
> Especially my dream would be to support HTTP-Authentication based on
> SPNEGO/GSSAPI in web2ldap. But not only authenticating the user at the
> web server. I would rather like to forward the service ticket requested for
> a particular LDAP service to the LDAP server in a SASL/GSSAPI
> BindRequest. Do you think that's feasible?

Well... at the moment the module is really bare bones and only exposes the few functions of the vast Kerberos API that Python-AD needs. Also I don't want to digress too much at this point. I created Python-AD as part of something bigger which does not exist yet: FreeADI. FreeADI would provide Active Directory integration for Linux systems, meaning you can use AD as the directory and authentication service on Linux. (Given the fact that Likewise Open was released last week, I am not sure though it would still be useful.)

From what I understand from you though, you'd like the GSSAPI to be wrapped and not the Kerberos API. This is easier as the GSSAPI seems significantly smaller than the Kerberos API.

By the way I had a look at web2ldap. You mention that you use an ASN.1 parser from Pisces and that you feel that people may have issues with its license. Python-AD comes with its own (very simple) ASN.1 parser/generator as well. It can parse arbitrary BER, emits DER and comes with a full test suite. The code is licensed under the MIT license so it may be less concerning. Also if you really want I could re-license it under the GPL.

Regards,
Geert
Re: [ANNOUNCE] python-ad
Torsten Kurbad wrote:
> ME, ME, ME!!! :o)
>
> I tried several krb5 modules lying around in the net so far - and none
> really worked! In fact, most of the implementations require an external
> kinit call, which is NOT what I intend to let my users do...
>
> So, I'd very much appreciate, if you think about Michael's idea,
> Geert!

What is the use case you are thinking about? As mentioned in my other email the Kerberos API is vast, and while wrapping it in Python can be done (it is actually not difficult), it is a lot of work. And after that people will want support for Heimdal, and then Windows, Mac... :-)

Regards,
Geert
Re: [ANNOUNCE] python-ad
Michael Ströder wrote:
>
> Well, setting an env var is not really a good choice when running within
> a multi-threaded web application... :-/

I was thinking how one could solve the problem of per-thread credentials in python-ldap (or python-ad). I think it can be done with the keyring credential cache code that is in recent MIT Kerberos distributions. Per-thread keyrings exist so if you set $KRB5CCNAME to "KEYRING:thread:default" then you should be able to use per-thread credentials.

Regards,
Geert
[PATCH] support for LDAP_OPT_X_NOCANON
Hi,

OpenLDAP CVS has just added support for a new LDAP option LDAP_OPT_X_NOCANON. This option turns off host canonicalization based on reverse DNS in OpenLDAP. The attached patch makes this option available in python-ldap.

One use case for this option is environments where you don't need reverse DNS for canonicalization, or where you have server-side canonicalization. This works great in Windows environments, especially so because there reverse DNS is often wrong. If you combine this LDAP option with the setting "rdns = no" in your /etc/krb5.conf, you are now able to use SASL/GSSAPI to authenticate to an LDAP server that has no or no proper reverse DNS.

Regards,
Geert

python-ldap-2.3.5-canon.patch
Description: Binary data
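Why turning off canonicalization helps, as an added illustration that is not code from the patch, from OpenLDAP or from MIT krb5: a model of how a GSSAPI client picks the host name for the ldap/ service principal with and without reverse-DNS canonicalization, run against constructed forward and reverse DNS data and a constructed list of the principals the KDC knows for the domain controller. The stale PTR record is the constructed failure case the message describes; `disable_sasl_canon` shows the python-ldap call using the `ldap.OPT_X_SASL_NOCANON` constant named later in the thread and is the only part that needs python-ldap installed.

```python
"""Model of service-principal selection with and without reverse-DNS canonicalization.

Added illustration; not code from the patch, from OpenLDAP or from MIT krb5.
"""

# Constructed DNS data for a fictional AD domain. The PTR record is stale,
# which the message above describes as common in Windows environments.
FORWARD_DNS = {'dc1.ad.example.com': '10.0.0.5'}
REVERSE_DNS = {'10.0.0.5': 'oldname.corp.example.com'}

# Constructed set of service principals the KDC actually holds keys for.
KDC_PRINCIPALS = {'ldap/dc1.ad.example.com@AD.EXAMPLE.COM'}


def canonical_host(hostname, canonicalize, forward=FORWARD_DNS, reverse=REVERSE_DNS):
    """Host name the SASL layer places in the ldap/<host> principal.

    canonicalize=True models the default (libldap canonicalization on, krb5
    'rdns' on): resolve the name to an address, then map the address back
    through its PTR record. canonicalize=False models the option the patch
    exposes, combined with 'rdns = no': the given name is used unchanged."""
    name = hostname.lower()
    if not canonicalize:
        return name
    addr = forward.get(name)
    if addr is None:
        raise LookupError('no A record for %s' % name)
    # No PTR record: fall back to the given name (model simplification).
    return reverse.get(addr, name)


def ldap_service_principal(hostname, realm, canonicalize=True):
    """Full principal the client will request a service ticket for."""
    return 'ldap/%s@%s' % (canonical_host(hostname, canonicalize), realm)


def ticket_obtainable(principal, kdc_principals=KDC_PRINCIPALS):
    """A TGS request for a principal the KDC does not know fails with
    KDC_ERR_S_PRINCIPAL_UNKNOWN; that failure is the symptom a wrong PTR causes."""
    return principal in kdc_principals


def disable_sasl_canon(conn):
    """The python-ldap side, using the option constant named later in the
    thread. Requires python-ldap built against an OpenLDAP exposing it."""
    import ldap
    conn.set_option(ldap.OPT_X_SASL_NOCANON, 1)


if __name__ == '__main__':
    for canon in (True, False):
        spn = ldap_service_principal('dc1.ad.example.com', 'AD.EXAMPLE.COM', canon)
        state = 'ticket obtainable' if ticket_obtainable(spn) else 'unknown to KDC'
        print('canonicalize=%-5s -> %s (%s)' % (canon, spn, state))
```

With canonicalization off the client trusts the name it was given, so the LDAP URI must name the domain controller by its registered host name; GSSAPI mutual authentication still requires the server to hold the key for exactly that principal, so a host that merely answers on the address cannot complete the bind.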
Re: using Kerberos to authenticate to Active Directory from python ldap
On Fri, Apr 10, 2009 at 11:24 AM, Olivier Sessink wrote:
> I noticed that there is some C code related to Kerberos in python-ad.
> Is this code required to initialize a kerberos authentication, or is
> this just to change passwords and things like that?

Actually, both. The C code exposes a small subset of the Kerberos API to Python. I use it for credential management, so things like acquiring a ticket using a password or a keytab, and to set or change a password.

Regards,
Geert
Re: ANN: python-ldap-2.3.8
Hi Michael,

could you have a look at the patch that I submitted a while ago to expose LDAP_OPT_X_SASL_NOCANON? This option is a new LDAP option that disables SASL host name canonicalization. It is very useful in Windows AD environments. Patch attached.

References:
- http://sourceforge.net/mailarchive/message.php?msg_name=648242720811211518k726c54b9y1c8357255477ae5a%40mail.gmail.com
- http://www.openldap.org/lists/openldap-bugs/200811/msg00116.html

Regards,
Geert

python-ldap-2.3.8-canon.patch
Description: Binary data
Re: ANN: python-ldap-2.3.8
2009/5/3 Michael Ströder :
>
> Why didn't you patch LDAP_get_option()?

That is an oversight. It should be updated as well. New patch attached.

> If I also extend LDAP_get_option() l.get_option(ldap.OPT_X_SASL_NOCANON)
> will always return -1 if set to any value instead of 0. Is that correct?

Yes, that should be fine.

Thanks,
Geert

python-ldap-2.3.8-canon.patch
Description: Binary data
Re: ldap.OPT_X_SASL_NOCANON (was: ANN: python-ldap-2.3.8)
2009/5/4 Michael Ströder :
> Ok, committed in HEAD. Please test.

I've tested current HEAD and it works for me.

> Is it urgent to have that in a generally available release?

Not really urgent but it would be good if a new release was made in the next 2-3 months or so. This would ensure that the next wave of distribution releases (Fedora 12, Ubuntu 9.10) pick this up.

Regards,
Geert
