Melita Mihaljevic wrote:
>
> On Wed, Jun 18, 2008 at 7:17 PM, Michael Ströder <[EMAIL PROTECTED]
> <mailto:[EMAIL PROTECTED]>> wrote:
>
> > Michael Ströder wrote:
> >
> > The user enters some user name. During login you have to use a
> > configurable search filter for searching the user's entry.
> >
> > Something like:
> > user_search_filter_template = '(|(uid=%s)(sAMAccountName=%s))'
> >
> > And then replace %s with what the user entered as user name.
> >
> > Furthermore:
> >
> > 1. You have to check whether exactly *one* entry is returned in the
> > search results. search_ext_s(..,sizelimit=2)
> > 2. You MUST only accept non-empty passwords when checking the user's
> > password with a bind request. If you send a simple bind request with
> > an empty password the bind is ok because it's only treated as
> > anonymous bind by most LDAP servers.
>
> Ok,
> Probably we didn't understand. I will use uid=userid_name ( %s =
> userid_name).

Did you actually read what I wrote before?

> I have a test that I want to succeed:
> [..]
> search_filter='(|(&(objectClass=*)(member=uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org)))''
> # this one was just for checking if this works
> search_groups = lo.search_st(base_dn, ldap.SCOPE_SUBTREE, search_filter)
>
> (yes this works but I don't want to need to know all those stuff after
> the uid=usera)

You have to deal with all those "stuff after the uid=usera". Hint: In MS AD the DN of the user's entry does not even start with uid=!

If you don't follow the concepts I described you will fail finishing this project correctly. Period.

> I know you said it's a bad thing to search for substring but this is the
> only way how I can say something is a group -> for me in my definition,

Nope. Rethink! Period.

> something is a group if has a member (or a type containing word member-
> there is where it will be great to use substrings) and in the member part
> of the record it has uid, the rest of the groups I don't want to know
> about them.

Again: There may be user entries which do not have attribute 'uid' at all! Believe me, you're oversimplifying things.

> And I have a part of record record:
> 'member': ['cn=dummy', 'uid=usera,ou=Unit
> A,ou=Users,ou=testing,dc=example,dc=org']

Don't request attribute 'member' during group lookup. Your application just has to know which groups a user is a member of. It should not retrieve all members since that can be many!

> And I only want to search for uid=usera, not the rest of the record.

Explicitly set the requested attributes with argument attrlist.

See also:
http://python-ldap.sourceforge.net/doc/html/ldap.html#ldap.LDAPObject.search

Ciao, Michael.
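The checks described in this message, put together as an added example (not code from the thread or from python-ldap itself): an escaped search filter built from the template, a lookup that accepts exactly one entry, refusal of empty passwords, and a group lookup by member DN that requests no attributes. The function names are hypothetical, `conn` is assumed to be any object with python-ldap's `search_ext_s()` and `simple_bind_s()` methods, and groups are assumed to list member DNs in `member`.

```python
# Added example: login checks against a connection object that offers
# python-ldap's search_ext_s() and simple_bind_s(). Names are hypothetical.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE
NO_ATTRS = ['1.1']  # RFC 4511: request no attributes, only the entry DNs

USER_FILTER_TEMPLATE = '(|(uid=%s)(sAMAccountName=%s))'
GROUP_FILTER_TEMPLATE = '(member=%s)'  # assumption: groups hold member DNs


def escape_filter_value(value):
    """Escape RFC 4515 special characters, as ldap.filter.escape_filter_chars does."""
    value = value.replace('\\', r'\5c')  # backslash first: it starts every escape
    for char, esc in (('*', r'\2a'), ('(', r'\28'), (')', r'\29'), ('\x00', r'\00')):
        value = value.replace(char, esc)
    return value


def build_filter(template, user_input):
    """Fill every %s in the template with the escaped value."""
    escaped = escape_filter_value(user_input)
    return template % ((escaped,) * template.count('%s'))


def find_user_dn(conn, base_dn, username):
    """Return the DN of the single matching entry, or None if zero or several match."""
    # sizelimit=2 is enough to tell "unique" from "ambiguous"; with a real
    # server, more than two matches raise ldap.SIZELIMIT_EXCEEDED instead.
    results = conn.search_ext_s(base_dn, SCOPE_SUBTREE,
                                build_filter(USER_FILTER_TEMPLATE, username),
                                attrlist=NO_ATTRS, sizelimit=2)
    # Search references come back with dn None; they are not entries.
    dns = [dn for dn, _attrs in results if dn is not None]
    return dns[0] if len(dns) == 1 else None


def login(conn, base_dn, username, password):
    """Return the user's group DNs, or None if the login must be refused.

    A wrong password surfaces as the exception simple_bind_s() raises
    (ldap.INVALID_CREDENTIALS in python-ldap); the caller handles it.
    """
    if not password:  # an empty password would be treated as an anonymous bind
        return None
    user_dn = find_user_dn(conn, base_dn, username)
    if user_dn is None:
        return None
    conn.simple_bind_s(user_dn, password)
    groups = conn.search_ext_s(base_dn, SCOPE_SUBTREE,
                               build_filter(GROUP_FILTER_TEMPLATE, user_dn),
                               attrlist=NO_ATTRS)  # never fetch 'member' values
    return [dn for dn, _attrs in groups if dn is not None]
```
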