Re: Python-LDAP for Python 3.0
David,

David Leonard wrote:
> I have been looking at how to build the _ldap module for python3.x.

I'm glad you're again working on python-ldap! Several months ago I tried to raise a discussion about this:
http://www.mail-archive.com/python-ldap-dev@lists.sourceforge.net/msg00394.html

> So, here I'd like to propose and explain some API changes Python 3.x
> users. I'm focused on the _ldap module right now, but the (pure python)
> library modules will experience carry-on effects.
>
> These are my goals with the _ldap module:
>
> * allow Python 2.x clients to keep working without changes
> * dual environment support: both 2.x and 3.x build environments

I'm not sure whether we should maintain backwards compatibility. Given the amount of code you're currently changing it's worth thinking more about an incompatible change.

Before going into technical details I'd like to discuss the goals from a very high-level view. We should discuss these ideas before going any further (slightly updated compared to the old posting mentioned above):

* Move away from SourceForge
* New GIT-based(?) repository (distributed VCS)
* Wrap libldap (and liblber?) with built-in ctypes
* Distinct classes for LDAP search results, continuation references, entries etc.
* Better exception classes for errors with resultCode, diagnosticMessage etc. being class members. Also return diagnosticMessage upon success in search results.
* Receive LDAPv3 extended controls in intermediate search responses.
* Compatibility layers for mozldap, OpenLDAP and winldap?
* Partial rewrite of ldap.schema with some API changes
* Class library for LDAP syntaxes and matching rules
* Full Unicode support maybe with schema-aware LDAP operations

I'd prefer python-ldap to be part of the Python standard lib in the long run. New code would make it possible to meet the licensing prerequisites of the PSF for this from the very beginning.

Ciao, Michael.

___
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
How to verify server certificate
Hi, list!

Short question: when negotiating TLS with the LDAP server with start_tls_s(), can I use python-ldap to follow the certificate chain and verify the server certificate? If so, how?

Best regards,
Fredrik
Re: How to verify server certificate
Fredrik Melander wrote:
> Short question: when negotiating TLS with the LDAP server with
> start_tls_s(), can I use python-ldap to follow the certificate chain and
> verify the server certificate? If so, how?

The OpenLDAP libs are doing that for you (with the help of an underlying lib like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent versions of OpenLDAP libs.

For the most common case with OpenLDAP C libs linked to OpenSSL libs see script Demo/initialize.py:

    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')

Ciao, Michael.
Re: How to verify server certificate
Michael Ströder schrieb:
> Fredrik Melander wrote:
>> Short question: when negotiating TLS with the LDAP server with
>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>> verify the server certificate? If so, how?
>
> The OpenLDAP libs are doing that for you (with the help of an underlying lib
> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
> versions of OpenLDAP libs.
>
> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
> script Demo/initialize.py:
>
> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Ciao, Michael.

Hi, Michael

Thanks for the very fast reply!

I've been playing around with a certificate that should be broken without having my script complain the least. I would have expected python-ldap to throw an exception or similar but for the time being it seems to be pretending that everything's alright.

Here's my connect-method in the class that's using ldap:

    def get_connection(self, connection_string):
        "Connect to ldap and return the handle"

        conn = ldap.initialize(connection_string)
        conn.protocol_version = ldap.VERSION3
        conn.set_option(ldap.OPT_REFERRALS, 0)
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE,
                        "etc/openldap/ssl/cacert.pem")
        conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)

        conn.start_tls_s()
        conn.simple_bind_s(self.ldap_user, self.ldap_password)
        return conn

What is it that I'm misunderstanding here?

Best regards,
Fredrik
ldap.passwd_s with Active Directory
Hi,

I'm not sure if this is the right place for this query, but I couldn't find a python-LDAP-Users list.

I'm trying to modify a user's password on a Windows 2003 Active Directory using passwd_s, however the server is returning the following error:

    {'info': '203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece', 'desc': 'Protocol error'}

I realise this is a server configuration thing as opposed to a python-ldap issue, but google hasn't been any help so far. Does anyone here know what it is I need to enable/change in order to get it to work?

The connection is using ldaps:// on port 636 and I can search the AD and modify other values eg givenName etc, just not passwords, and I'm binding as domain administrator.

Thanks
Mike Peters
Re: How to verify server certificate
Fredrik Melander wrote:
> Michael Ströder schrieb:
>> Fredrik Melander wrote:
>>> Short question: when negotiating TLS with the LDAP server with
>>> start_tls_s(), can I use python-ldap to follow the certificate chain and
>>> verify the server certificate? If so, how?
>> The OpenLDAP libs are doing that for you (with the help of an underlying lib
>> like OpenSSL, GnuTLS or NSS). Same for CRL checking available in recent
>> versions of OpenLDAP libs.
>>
>> For the most common case with OpenLDAP C libs linked to OpenSSL libs see
>> script Demo/initialize.py:
>>
>> ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,'/etc/httpd/ssl.crt/myCA-cacerts.pem')
>
> Thanks for the very fast reply!
>
> I've been playing around with a certificate that should be broken
> without having my script complain the least.

Why should it be broken?

> I would have expected
> python-ldap to throw an exception or similar but for the time being it
> seems to be pretending that everything's alright.

If the cert or hostname validation fails ldap.SERVER_DOWN is raised.

> Here's my connect-method in the class that's using ldap:
>
>     def get_connection(self, connection_string):
>         "Connect to ldap and return the handle"
>
>         conn = ldap.initialize(connection_string)
>         conn.protocol_version = ldap.VERSION3
>         conn.set_option(ldap.OPT_REFERRALS, 0)
>         conn.set_option(ldap.OPT_X_TLS_CACERTFILE,
>                         "etc/openldap/ssl/cacert.pem")
>         conn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
>
>         conn.start_tls_s()
>         conn.simple_bind_s(self.ldap_user, self.ldap_password)
>         return conn
>
> What is it that I'm misunderstanding here?

Well, there's a reason why in Demo/initialize.py the TLS-related options are set globally. Only in recent versions of OpenLDAP can you set these options per connection. And libldap might also use TLS-related configuration in a .ldaprc or /etc/ldap.conf if available.

Ciao, Michael.
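The point Michael makes in this thread is that the TLS settings libldap ends up using are not only the OPT_X_TLS_* options set from Python: the library also reads TLS_* directives from the system ldap.conf, the user's ldaprc/.ldaprc and LDAPTLS_* environment variables, and on older OpenLDAP versions the per-connection options are not honoured at all. The following is an added example, not code from this thread or from the python-ldap project. It merges those file and environment sources in the precedence order described in ldap.conf(5) (assumed here: system file first, user files next, environment variables last, each overriding the previous) and reports when the result no longer verifies the server certificate. The sample ldap.conf and .ldaprc contents are constructed for the example; all function names and the file labels are illustrative.

```python
# Added example, not code from the thread or from the python-ldap project:
# work out which TLS settings libldap will actually apply. Besides the
# OPT_X_TLS_* options set from Python, libldap reads TLS_* directives from
# the system ldap.conf, the user's ldaprc/.ldaprc and LDAPTLS_* environment
# variables, so a stray "TLS_REQCERT never" can silently turn certificate
# verification off for every client on the host.
import os

# ldap.conf(5) directives this checker understands.
TLS_DIRECTIVES = ("TLS_CACERT", "TLS_CACERTDIR", "TLS_REQCERT", "TLS_CRLCHECK")
# TLS_REQCERT levels under which a bad or unverifiable server cert is accepted.
WEAK_REQCERT = ("never", "allow")


def parse_ldap_conf(text):
    """Extract TLS_* directives from one ldap.conf / ldaprc file.

    Format: '<KEYWORD> <value>' per line, '#' starts a comment, keywords are
    case-insensitive; within a file a later line overrides an earlier one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].upper()
        if key in TLS_DIRECTIVES:
            settings[key] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def effective_tls_settings(config_files, env):
    """Merge config sources the way libldap does (assumed from ldap.conf(5)).

    config_files: [(label, text), ...] in read order, i.e. system-wide
    ldap.conf first, then the user's ldaprc/.ldaprc, then ./ldaprc; each
    later file overrides the earlier ones. LDAPTLS_<NAME> environment
    variables override every file. Returns (settings, sources), where
    sources records which source supplied each winning value.
    """
    settings, sources = {}, {}
    for label, text in config_files:
        for key, value in parse_ldap_conf(text).items():
            settings[key] = value
            sources[key] = label
    for key in TLS_DIRECTIVES:
        env_name = "LDAP" + key  # e.g. LDAPTLS_REQCERT
        if env_name in env:
            settings[key] = env[env_name]
            sources[key] = "env:" + env_name
    return settings, sources


def verification_findings(settings, sources):
    """Describe whether the merged settings still verify the server cert."""
    findings = []
    reqcert = settings.get("TLS_REQCERT", "demand").lower()  # libldap default
    if reqcert in WEAK_REQCERT:
        findings.append("TLS_REQCERT=%s (from %s): server certificate is NOT verified"
                        % (reqcert, sources.get("TLS_REQCERT", "default")))
    if "TLS_CACERT" not in settings and "TLS_CACERTDIR" not in settings:
        findings.append("no TLS_CACERT/TLS_CACERTDIR in any source: verification "
                        "depends on the TLS library's default CA store, if any")
    return findings


# Constructed sample files (labels are illustrative, nothing is read from disk).
SAMPLE_SYSTEM_CONF = """\
# system-wide ldap.conf (constructed sample)
BASE        dc=example,dc=test
URI         ldap://ldap.example.test
TLS_CACERT  /etc/openldap/ssl/cacert.pem
TLS_REQCERT demand
"""
SAMPLE_USER_RC = """\
# ~/.ldaprc (constructed sample): someone 'fixed' a certificate error this way
TLS_REQCERT never
"""


def audit_sample():
    """Run the checker over the constructed samples plus the real environment."""
    files = [("/etc/openldap/ldap.conf", SAMPLE_SYSTEM_CONF), ("~/.ldaprc", SAMPLE_USER_RC)]
    settings, sources = effective_tls_settings(files, os.environ)
    return settings, sources, verification_findings(settings, sources)


if __name__ == "__main__":
    settings, sources, findings = audit_sample()
    for key in sorted(settings):
        print("%-14s %-40s (from %s)" % (key, settings[key], sources[key]))
    for finding in findings:
        print("WARNING:", finding)
```

On the constructed input the user's .ldaprc wins and the checker reports that the server certificate is not verified, which is exactly the situation in which a client keeps connecting without complaint; with TLS_REQCERT=demand and a CA file in effect, a failed certificate or hostname check surfaces as ldap.SERVER_DOWN, as Michael describes.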
Re: ldap.passwd_s with Active Directory
mike.pet...@opengi.co.uk wrote:
>
> I'm not sure if this is the right place for this query, but I couldn't
> find a python-LDAP-Users list.
>
> I'm trying to modify a user's password on a Windows 2003 Active
> directory using passwd_s, however the server is returning the following
> error:
>
> {'info': '203D: LdapErr: DSID-0C090C7D, comment: Unknown extended
> request OID, data 0, vece', 'desc': 'Protocol error'}
>
> I realise this is a server configuration thing as opposed to a
> python-ldap issue, but google hasn't been any help so far. Does anyone
> here know what it is I need to enable/change in order to get it to work?

This is because Windows 2003 AD does not support the LDAP Password Modify Extended Operation (see RFC 3062).

> The connection is using ldaps:// on port 636 and I can search the AD and
> modify other values eg givenName etc, just not passwords, and I'm
> binding as domain administrator.

There's a MSDN article about how to set attribute unicodePwd via LDAP in AD.

Ciao, Michael.
RE: ldap.passwd_s with Active Directory
Michael,

Thanks for the quick response, much appreciated. I guess I've been barking up the wrong tree then :)

If I try the alternative method however:

    mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
    dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
    r = l.modify_s(dn, mod_attrs)

I get:

    {'info': '001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}

I guess I'm still missing something :(

One thing which may be relevant is if I use l.start_tls_s() before simple_bind_s, the login fails although without start_tls_s Wireshark shows the connection to be encrypted.

Thanks again
Mike Peters

> -----Original Message-----
> From: Michael Ströder [mailto:mich...@stroeder.com]
> Sent: 04 August 2009 17:29
> To: Mike Peters
> Cc: python-ldap-dev@lists.sourceforge.net
> Subject: Re: ldap.passwd_s with Active Directory
>
> mike.pet...@opengi.co.uk wrote:
> >
> > I'm not sure if this is the right place for this query, but I couldn't
> > find a python-LDAP-Users list.
> >
> > I'm trying to modify a user's password on a Windows 2003 Active
> > directory using passwd_s, however the server is returning the following
> > error:
> >
> > {'info': '203D: LdapErr: DSID-0C090C7D, comment: Unknown extended
> > request OID, data 0, vece', 'desc': 'Protocol error'}
> >
> > I realise this is a server configuration thing as opposed to a
> > python-ldap issue, but google hasn't been any help so far. Does anyone
> > here know what it is I need to enable/change in order to get it to work?
>
> This is because Windows 2003 AD does not support the LDAP Password Modify
> Extended Operation (see RFC 3062).
>
> > The connection is using ldaps:// on port 636 and I can search the AD and
> > modify other values eg givenName etc, just not passwords, and I'm
> > binding as domain administrator.
>
> There's a MSDN article about how to set attribute unicodePwd via LDAP
> in AD.
>
> Ciao, Michael.
Re: ldap.passwd_s with Active Directory
mike.pet...@opengi.co.uk wrote:
>
>> There's a MSDN article about how to set attribute unicodePwd via LDAP
>> in AD.
>
> If I try the alternative method however:
>
>     mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
>     dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
>     r = l.modify_s(dn, mod_attrs)
>
> I get:
>
> {'info': '001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM),
> data 0\n', 'desc': 'Server is unwilling to perform'}
>
> I guess I'm still missing something :(

Did you search for the MSDN article? The value has to be in your case above:

    '"password"'.encode('utf-16-le')

Note the quotes and the UTF-16 low-endian encoding.

> One thing which may be relevant is if I use l.start_tls_s() before
> simple_bind_s, the login fails although without start_tls_s Wireshark shows
> the connection to be encrypted.

With AD the connection has to be encrypted for write access to unicodePwd but that can also be done with ldaps:// on port 636.

Ciao, Michael.

___
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
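The two requirements that came out of this thread, the double-quoted UTF-16-LE value and the encrypted connection, are easy to get wrong in the way the original modlist did. The following is an added example, not code from this thread or from the python-ldap project: it builds the unicodePwd modification in the form AD accepts, refuses to send it over a plaintext connection, and can decode a value back to check what would go on the wire. It goes slightly beyond the thread in also producing the user self-change form (MOD_DELETE of the old value followed by MOD_ADD of the new one) that the MSDN unicodePwd documentation describes next to the administrative MOD_REPLACE reset. The helper names, the DN and the password strings are constructed for the example; the MOD_* fallback values mirror the LDAP_MOD_* constants in OpenLDAP's ldap.h and are only used when python-ldap is not importable.

```python
# Added example, not code from the thread or from the python-ldap project:
# build the unicodePwd modification that Active Directory expects. The value
# is the new password wrapped in double quotes and encoded as UTF-16-LE
# (no BOM), and AD only accepts the write over an encrypted connection
# (ldaps:// or after start_tls_s()).
from urllib.parse import urlsplit

try:
    import ldap  # python-ldap, only needed to actually send the modify
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:  # keep the builder usable without python-ldap installed
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # LDAP_MOD_* values from ldap.h


def unicode_pwd_value(password):
    """Encode a password the way AD's unicodePwd attribute requires."""
    if not isinstance(password, str):
        raise TypeError("password must be text (str); encoding is done here")
    # The surrounding quotes are part of the value, not shell quoting.
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd_value(value):
    """Inverse of unicode_pwd_value, for checking what would be sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def unicodepwd_modlist(new_password, old_password=None):
    """Return a python-ldap modlist for changing unicodePwd.

    Without old_password: administrative reset, a single MOD_REPLACE, which
    needs the 'reset password' right on the user object (the thread's case).
    With old_password: user self-change, expressed as MOD_DELETE of the old
    value plus MOD_ADD of the new one, so AD can enforce history and age.
    """
    new_value = unicode_pwd_value(new_password)
    if old_password is None:
        return [(MOD_REPLACE, "unicodePwd", [new_value])]
    return [(MOD_DELETE, "unicodePwd", [unicode_pwd_value(old_password)]),
            (MOD_ADD, "unicodePwd", [new_value])]


def is_encrypted_uri(uri, start_tls_done=False):
    """AD refuses unicodePwd writes on a plaintext connection."""
    scheme = urlsplit(uri).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls_done)


def change_ad_password(conn, uri, user_dn, new_password,
                       old_password=None, start_tls_done=False):
    """Send the modify over an already-bound python-ldap connection."""
    if not is_encrypted_uri(uri, start_tls_done):
        raise RuntimeError("refusing to send unicodePwd over a plaintext connection: %s" % uri)
    return conn.modify_s(user_dn, unicodepwd_modlist(new_password, old_password))


if __name__ == "__main__":
    # Constructed values; nothing is sent anywhere here.
    dn = "CN=Example User,OU=Users,DC=example,DC=test"
    for op, attr, values in unicodepwd_modlist("Example-Passw0rd"):
        print(op, attr, values[0].hex(), "->", decode_unicode_pwd_value(values[0]))
    print("ldap://dc1.example.test allowed:", is_encrypted_uri("ldap://dc1.example.test"))
    print("ldaps://dc1.example.test allowed:", is_encrypted_uri("ldaps://dc1.example.test"))
```

Printing the hex of the value makes the difference to the thread's original attempt visible: every character is followed by a zero byte and the first and last code units are the quote character, which is what the server checks before it will accept the write.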