Conversation
Debian puts the slap* utilities under /usr/sbin https://packages.debian.org/file:slapadd
Use 'slapd -Tadd' instead of 'slapadd'. Separate logic for ldap* vs. slapd wrt. authentication and allow override of user/password. All CLI methods return captured output.
mdavidsaver
force-pushed
the
slapdobject-updates
branch
from
f9ffbe6 to
d32007e
Compare
|
I've dropped the changes involving Also added is a warning if |
| args.append('-Q') | ||
|
|
||
| if bind_dn or bind_pw: | ||
| raise RuntimeError('-Y EXTERNAL ignores -D and -w') |
There was a problem hiding this comment.
How about treating those being passed in as a signal to use a simple bind? Also the self.cli_sasl_external check is gone?
There was a problem hiding this comment.
How about treating those being passed in as a signal to use a simple bind?
Maybe showing my ignorance here. Is a simple bind meaningful with ldapi://?
So the condition for choosing -Y EXTERNAL would be ldap_uri.startswith('ldapi://') and bind_dn is None?
Also the
self.cli_sasl_externalcheck is gone?
Yes. I don't think this was the correct condition. Knowing that ldapi:// is supported doesn't imply that it will be used for a particular operation.
There was a problem hiding this comment.
The SASL EXTERNAL mechanism is independent of the ldapi:// transport. cli_sasl_external tells you whether that mechanism is available/should be used, ldapi:// tells you how to contact the server (over a UNIX socket vs. as opposed to a TCP socket), the LDAP protocol still behaves the same over both.
Hope that clears things up a bit, let me know if not.
There was a problem hiding this comment.
For example if we set up a TLS layer and used a client certificate while doing so, some servers could also accept the EXTERNAL mechanism, using the client certificate to generate the identity the session should bind as (OpenLDAP does this).
BTW not asking that you take it into account in this pull request, just giving some background.
3 participants
Changes to
SlapdObject, which I've found helpful in testing a project using python-ldap.slapd -Taddinstead ofslapadd. Addresses issue withslapaddbeing under/usr/sbin, where Debian puts it.ldap*vsslap*handling, and allowldap*to override bind DN/password.