LDAP Clients

The following recipies demonstrate asynchronous LDAP clients.

A Minimal Client Using Endpoints

While Ldaptor exposes helper classes to connect clients to the DIT, it is possible to use the Twisted endpoints API to connect an Ldaptor client to a server.

Code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#! /usr/bin/env python

import sys

from ldaptor.protocols.ldap.ldapclient import LDAPClient
from ldaptor.protocols.ldap.ldapsyntax import LDAPEntry
from twisted.internet.defer import inlineCallbacks
from twisted.internet.endpoints import clientFromString, connectProtocol
from twisted.internet.task import react
from twisted.python import log


@inlineCallbacks
def onConnect(clientProtocol):
    o = LDAPEntry(clientProtocol, "dc=fr")
    results = yield o.search()
    data = "".join([result.getLDIF() for result in results])
    log.msg("LDIF formatted results:\n{}".format(data))


def onError(err, reactor):
    if reactor.running:
        log.err(err)
        reactor.stop()


def main(reactor):
    log.startLogging(sys.stdout)
    endpoint_str = "tcp:host=localhost:port=8080"
    e = clientFromString(reactor, endpoint_str)
    d = connectProtocol(e, LDAPClient())
    d.addCallback(onConnect)
    d.addErrback(onError, reactor)
    return d


react(main)

Discussion

The twisted.internet.task.react() function is perfect for running a one-shot main() function. When main() is called, we create a client endpoint from a string description and the reactor. twisted.internet.endpoints.connectProtocol() is used to make a one-time connection to an LDAP directory listening on the local host, port 8080. When the deferred returned from that function fires, the connection has been established and the client protocol instance is passed to the onConnect() callback.

This callback uses inline deferreds to make the syntax more compact. We create an ldaptor.protocols.ldap.ldapsyntax.LDAPEntry with a DN matching the root of the directory and call the asynchronous search() method. The result returned when the deferred fires is a list of LDAPEntry objects.

When cast as strings, these entries are formatted as LDIF.

Searching with the Paged Search Result Control

Some DITs place limits on the number of entries they are willing to return as the result of a LDAP SEARCH request. Microsoft’s Active Directory is one such service. In order to query and process large result sets, you can use the paged result control (OID 1.2.840.113556.1.4.319) if you DIT supports it.

The paged result control allows you to request a particular page size. The DIT will return a response control that has a magic cookie if the there are additional pages of results. You can use the cookie on a new request to process the results one page at a time.

Code

For ad.example.com domain, store the admin password in a file named pass_file and run the following example, where 10.20.1.2 is replaced with the IP of your AD server:

python docs/source/cookbook/client_paged_search_results.py \
    tcp:host=10.20.1.2:port=389 \
    'CN=Administrator,CN=Users,DC=ad,DC=example,DC=com' \
    pass_file \
    'CN=Users,DC=ad,DC=example,DC=com' \
    --page-size 5

The output should look like:

Page 1
CN=Users,DC=ad,DC=example,DC=com
CN=Administrator,CN=Users,DC=ad,DC=example,DC=com
CN=Guest,CN=Users,DC=ad,DC=example,DC=com
CN=SUPPORT_388945a0,CN=Users,DC=ad,DC=example,DC=com
CN=HelpServicesGroup,CN=Users,DC=ad,DC=example,DC=com
Page 2
CN=TelnetClients,CN=Users,DC=ad,DC=example,DC=com
CN=krbtgt,CN=Users,DC=ad,DC=example,DC=com
CN=Domain Computers,CN=Users,DC=ad,DC=example,DC=com
There were 8 results returned in total.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#! /usr/bin/env python

import argparse
import sys

from twisted.internet import defer
from twisted.internet.endpoints import clientFromString, connectProtocol
from twisted.internet.task import react
from ldaptor.protocols.ldap.ldapclient import LDAPClient
from ldaptor.protocols.ldap.ldapsyntax import LDAPEntry
from ldaptor.protocols import pureber


@defer.inlineCallbacks
def onConnect(client, args):
    binddn = args.bind_dn
    bindpw = args.passwd_file.read().strip()
    if args.start_tls:
        yield client.startTLS()
    try:
        yield client.bind(binddn, bindpw)
    except Exception as ex:
        print(ex)
        raise
    page_size = args.page_size
    cookie = ""
    page = 1
    count = 0
    while True:
        results, cookie = yield process_entry(
            client, args, args.filter, page_size=page_size, cookie=cookie
        )
        count += len(results)
        print("Page {}".format(page))
        display_results(results)
        if len(cookie) == 0:
            break
        page += 1
    print("There were {} results returned in total.".format(count))


@defer.inlineCallbacks
def process_entry(client, args, search_filter, page_size=100, cookie=""):
    basedn = args.base_dn
    control_value = pureber.BERSequence(
        [
            pureber.BERInteger(page_size),
            pureber.BEROctetString(cookie),
        ]
    )
    controls = [("1.2.840.113556.1.4.319", None, control_value)]
    o = LDAPEntry(client, basedn)
    results, resp_controls = yield o.search(
        filterText=search_filter,
        attributes=["dn"],
        controls=controls,
        return_controls=True,
    )
    cookie = get_paged_search_cookie(resp_controls)
    defer.returnValue((results, cookie))


def display_results(results):
    for entry in results:
        print(entry.dn.getText())


def get_paged_search_cookie(controls):
    """
    Input: semi-parsed controls list from LDAP response;
    list of tuples (controlType, criticality, controlValue).
    Parses the controlValue and returns the cookie as a byte string.
    """
    control_value = controls[0][2]
    ber_context = pureber.BERDecoderContext()
    ber_seq, bytes_used = pureber.berDecodeObject(ber_context, control_value)
    raw_cookie = ber_seq[1]
    cookie = raw_cookie.value
    return cookie


def onError(err):
    err.printDetailedTraceback(file=sys.stderr)


def main(reactor, args):
    endpoint_str = args.endpoint
    e = clientFromString(reactor, endpoint_str)
    d = connectProtocol(e, LDAPClient())
    d.addCallback(onConnect, args)
    d.addErrback(onError)
    return d


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="AD LDAP demo.")
    parser.add_argument(
        "endpoint",
        action="store",
        help="The Active Directory service endpoint. See "
        "https://twistedmatrix.com/documents/current/core/howto/endpoints.html#clients",
    )
    parser.add_argument(
        "bind_dn", action="store", help="The DN to BIND to the service as."
    )
    parser.add_argument(
        "passwd_file",
        action="store",
        type=argparse.FileType("r"),
        help="A file containing the password used to log into the service.",
    )
    parser.add_argument(
        "base_dn", action="store", help="The base DN to start from when searching."
    )
    parser.add_argument("-f", "--filter", action="store", help="LDAP filter")
    parser.add_argument(
        "-p",
        "--page-size",
        type=int,
        action="store",
        default=100,
        help="Page size (default 100).",
    )
    parser.add_argument(
        "--start-tls",
        action="store_true",
        help="Request StartTLS after connecting to the service.",
    )
    args = parser.parse_args()
    react(main, [args])

Discussion

On connecting to the LDAP service, our client establishes TLS and BINDs as a DN that has permission to perform a search. Page, cookie, and the result count are intialized before looping to process each page. Initially, a blank cookie is used in the search request. The cookie obtained from each response is used in the next request, until the cookie is blank. This signals the end of the loop.

Note how the search returns a tuple of results and controls from the LDAP response. This is because the return_controls flag of the search was set to True.

Parsing the cookie requires some BER decoding. For details on encoding of the control value, refer to RFC 2696.

Adding an LDAP Entry

Ldaptor allows your LDAP client make many different kinds of LDAP requests. In this example, a simple client connects to an LDAP service and requests adding an new entry.

Code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#! /usr/bin/env python

import sys

from twisted.internet import defer
from twisted.internet.endpoints import clientFromString, connectProtocol
from twisted.internet.task import react
from twisted.python import log
from ldaptor.protocols.ldap.ldapclient import LDAPClient
from ldaptor.protocols import pureber, pureldap


def entry_to_attributes(entry):
    """
    Convert a simple mapping to the data structures required for an
    entry in the DIT.

    Returns: (dn, attributes)
    """
    attributes = {}
    dn = None
    for prop, value in entry.items():
        if prop == "dn":
            dn = value
            continue
        attributes.setdefault(prop, set()).add(value)
    if dn is None:
        raise Exception("Entry needs to include key, `dn`!")
    ldap_attributes = []
    for attrib, values in attributes.items():
        ldap_attribute_type = pureldap.LDAPAttributeDescription(attrib)
        ldap_attribute_values = []
        for value in values:
            ldap_attribute_values.append(pureldap.LDAPAttributeValue(value))
        ldap_values = pureber.BERSet(ldap_attribute_values)
        ldap_attributes.append((ldap_attribute_type, ldap_values))
    return dn, ldap_attributes


@defer.inlineCallbacks
def onConnect(client, entry):
    dn, attributes = entry_to_attributes(entry)
    op = pureldap.LDAPAddRequest(entry=dn, attributes=attributes)
    response = yield client.send(op)
    if response.resultCode != 0:
        log.err(
            "DIT reported error code {}: {}".format(
                response.resultCode, response.errorMessage
            )
        )


def onError(err, reactor):
    if reactor.running:
        log.err(err)
        reactor.stop()


def main(reactor):
    log.startLogging(sys.stdout)
    entry = {
        "dn": "gn=Jane+sn=Doe,ou=people,dc=example,dc=fr",
        "c": "US",
        "gn": "Jane",
        "l": "Philadelphia",
        "objectClass": "addressbookPerson",
        "postalAddress": "230",
        "postalCode": "314159",
        "sn": "Doe",
        "st": "PA",
        "street": "Mobius Strip",
        "userPassword": "terces",
    }
    endpoint_str = "tcp:host=localhost:port=8080"
    e = clientFromString(reactor, endpoint_str)
    d = connectProtocol(e, LDAPClient())
    d.addCallback(onConnect, entry)
    d.addErrback(onError, reactor)
    return d


react(main)

Discussion

Once again, the twisted.internet.task.react() function is used to call the main() function of the client. When main() is called, we create a client endpoint from a string description and the reactor. twisted.internet.endpoints.connectProtocol() is used to make a one-time connection to a LDAP directory listening on the local host, port 8080.

When the deferred returned from that function fires, the connection has been established and the client protocol instance is passed to the onConnect() callback, along with our entry.

In this case we use a simple Python dictionary to model our entry. We need to transform this into a data structure that ldaptor.protocols.pureldap.LDAPAddRequest can use. Once we’ve created the request, it is relatively simple to send it to the directory service with a call to the send() method of our client. The response will indicate either success or failure.