Skip to content

SlapdObject updates #463

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

SlapdObject updates #463

wants to merge 2 commits into from

Conversation

mdavidsaver
Copy link

@mdavidsaver mdavidsaver commented Mar 9, 2022
edited
Loading

Changes to SlapdObject, which I've found helpful in testing a project using python-ldap.

  1. Switch to slapd -Tadd instead of slapadd. Addresses issue with slapadd being under /usr/sbin, where Debian puts it.
  2. Cleanup some of the ldap* vs slap* handling, and allow ldap* to override bind DN/password.
  3. All CLI methods return captured output.

@mdavidsaver
Look for slapadd in /sbin as well
57493b1 
Debian puts the slap* utilities under /usr/sbin

https://packages.debian.org/file:slapadd
mistotebe
mistotebe requested changes Mar 10, 2022
View reviewed changes
@mdavidsaver
slapdtest: changes to CLI argument handling
d32007e 
Use 'slapd -Tadd' instead of 'slapadd'.

Separate logic for ldap* vs. slapd wrt. authentication
and allow override of user/password.

All CLI methods return captured output.
@mdavidsaver mdavidsaver force-pushed the slapdobject-updates branch from f9ffbe6 to d32007e Compare April 10, 2022 18:54
@mdavidsaver
Copy link
Author

I've dropped the changes involving ldaps://, which moots most of the reviewer comments. I did switch from slapadd to slapd -Tadd as requested. I also added bind_dn= and bind_pw= to the ldap* methods. eg. ldapwhoami(bind_dn="CN=special,...", bind_pw="...").

Also added is a warning if slapadd() is called while the daemon is running. This is only a warning because one test (test_slapadd in Tests/t_ldapobject.py) does this. Although just before calling restart(), so it probably has no ill effects.

mistotebe
mistotebe reviewed Apr 11, 2022
View reviewed changes
Lib/slapdtest/_slapdtest.py
args.append('-Q')

if bind_dn or bind_pw:
raise RuntimeError('-Y EXTERNAL ignores -D and -w')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about treating those being passed in as a signal to use a simple bind? Also the self.cli_sasl_external check is gone?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about treating those being passed in as a signal to use a simple bind?

Maybe showing my ignorance here. Is a simple bind meaningful with ldapi://?

So the condition for choosing -Y EXTERNAL would be ldap_uri.startswith('ldapi://') and bind_dn is None?

Also the self.cli_sasl_external check is gone?

Yes. I don't think this was the correct condition. Knowing that ldapi:// is supported doesn't imply that it will be used for a particular operation.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The SASL EXTERNAL mechanism is independent of the ldapi:// transport. cli_sasl_external tells you whether that mechanism is available/should be used, ldapi:// tells you how to contact the server (over a UNIX socket vs. as opposed to a TCP socket), the LDAP protocol still behaves the same over both.

Hope that clears things up a bit, let me know if not.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For example if we set up a TLS layer and used a client certificate while doing so, some servers could also accept the EXTERNAL mechanism, using the client certificate to generate the identity the session should bind as (OpenLDAP does this).

BTW not asking that you take it into account in this pull request, just giving some background.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@quanah quanah quanah left review comments

@mistotebe mistotebe mistotebe requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mdavidsaver @quanah @mistotebe