diff --git a/.coveragerc b/.coveragerc
deleted file mode 100644
index 738d86fa..00000000
--- a/.coveragerc
+++ /dev/null
@@ -1,27 +0,0 @@
-[run]
-branch = True
-source =
- ldap
- ldif
- ldapurl
- slapdtest
-
-[paths]
-source =
- Lib/
- .tox/*/lib/python*/site-packages/
-
-[report]
-ignore_errors = False
-precision = 1
-exclude_lines =
- pragma: no cover
- raise NotImplementedError
- if 0:
- if __name__ == .__main__.:
- if PY2
- if not PY2
-
-[html]
-directory = build/htmlcov
-title = python-ldap coverage report
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 0bc2ae0e..36fde319 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,30 +1,49 @@
---
name: CI
-on: [push, pull_request]
+on:
+ push:
+ pull_request:
+ schedule:
+ # every Monday
+ - cron: '30 4 * * 1'
+ workflow_dispatch:
+
+permissions:
+ contents: read
jobs:
distros:
name: "Ubuntu with Python ${{ matrix.python-version }}"
- runs-on: "ubuntu-latest"
+ runs-on: "${{ matrix.image }}"
strategy:
fail-fast: false
matrix:
- python-version: [3.6, 3.7, 3.8, 3.9, pypy3]
+ python-version:
+ - "3.9"
+ - "3.10"
+ - "3.11"
+ - "3.12"
+ - "3.13"
+ - "pypy3.9"
+ - "pypy3.10"
+ image:
+ - "ubuntu-22.04"
steps:
- name: Checkout
- uses: "actions/checkout@v2"
+ uses: "actions/checkout@v6"
- name: Install apt dependencies
run: |
set -ex
sudo apt update
- sudo apt install -y ldap-utils slapd enchant libldap2-dev libsasl2-dev apparmor-utils
+ sudo apt install -y ldap-utils slapd enchant-2 libldap2-dev libsasl2-dev apparmor-utils
- name: Disable AppArmor
run: sudo aa-disable /usr/sbin/slapd
- name: Set up Python ${{ matrix.python-version }}
- uses: actions/setup-python@v2
+ uses: actions/setup-python@v6
with:
python-version: ${{ matrix.python-version }}
+ allow-prereleases: true
- name: "Install Python dependencies"
run: |
set -xe
diff --git a/.github/workflows/tox-fedora.yml b/.github/workflows/tox-fedora.yml
index c0dbb45c..cef8df1a 100644
--- a/.github/workflows/tox-fedora.yml
+++ b/.github/workflows/tox-fedora.yml
@@ -2,33 +2,34 @@ on: [push, pull_request]
name: Tox on Fedora
+permissions:
+ contents: read
+
jobs:
tox_test:
name: Tox env "${{matrix.tox_env}}" on Fedora
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v6
- name: Run Tox tests
- uses: fedora-python/tox-github-action@master
+ uses: fedora-python/tox-github-action@main
with:
tox_env: ${{ matrix.tox_env }}
dnf_install: >
@c-development openldap-devel python3-devel
openldap-servers openldap-clients lcov clang-analyzer valgrind
- enchant
+ enchant python3-setuptools
strategy:
matrix:
tox_env:
- - py36
- - py37
- - py38
- py39
- py310
- - c90-py36
- - c90-py37
+ - py311
+ - py312
+ - py313
- py3-nosasltls
- py3-trace
- pypy3
- doc
# Use GitHub's Linux Docker host
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
diff --git a/.gitignore b/.gitignore
index bab21878..75a13538 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,8 +3,6 @@
*.pyc
__pycache__/
.tox
-.coverage*
-!.coveragerc
/.cache
/.pytest_cache
diff --git a/.readthedocs.yaml b/.readthedocs.yaml
new file mode 100644
index 00000000..91fb6028
--- /dev/null
+++ b/.readthedocs.yaml
@@ -0,0 +1,22 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+ os: ubuntu-22.04
+ tools:
+ python: "3.11"
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+ configuration: Doc/conf.py
+
+# We recommend specifying your dependencies to enable reproducible builds:
+# https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
+python:
+ install:
+ - requirements: Doc/requirements.txt
diff --git a/CHANGES b/CHANGES
index c358fa9e..05fcf4b6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,104 @@
+Released 3.4.5 2025-10-10
+
+Security fixes:
+* CVE-2025-61911 (GHSA-r7r6-cc7p-4v5m): Enforce ``str`` input in
+ ``ldap.filter.escape_filter_chars`` with ``escape_mode=1``; ensure proper
+ escaping. (thanks to lukas-eu)
+* CVE-2025-61912 (GHSA-p34h-wq7j-h5v6): Correct NUL escaping in
+ ``ldap.dn.escape_dn_chars`` to ``\00`` per RFC 4514. (thanks to aradona91)
+
+Fixes:
+* ReconnectLDAPObject now properly reconnects on UNAVAILABLE, CONNECT_ERROR
+ and TIMEOUT exceptions (previously only SERVER_DOWN), fixing reconnection
+ issues especially during server restarts
+* Fixed syncrepl.py to use named constants instead of raw decimal values
+ for result types
+* Fixed error handling in SearchNoOpMixIn to prevent a undefined variable error
+
+Tests:
+* Added comprehensive reconnection test cases including concurrent operation
+ handling and server restart scenarios
+
+Doc/
+* Updated installation docs and fixed various documentation typos
+* Added ReadTheDocs configuration file
+
+Infrastructure:
+* Add testing and document support for Python 3.13
+
+----------------------------------------------------------------
+Released 3.4.4 2022-11-17
+
+Fixes:
+* Reconnect race condition in ReconnectLDAPObject is now fixed
+* Socket ownership is now claimed once we've passed it to libldap
+* LDAP_set_option string formats are now compatible with Python 3.12
+
+Doc/
+* Security Policy was created
+* Broken article links are fixed now
+* Bring Conscious Language improvements
+
+Infrastructure:
+* Add testing and document support for Python 3.10, 3.11, and 3.12
+
+
+----------------------------------------------------------------
+Released 3.4.3 2022-09-15
+
+This is a minor release to bring back the removed OPT_X_TLS option.
+Please note, it's still a deprecated option and it will be removed in 3.5.0.
+
+The following deprecated option has been brought back:
+- ``OPT_X_TLS``
+
+Fixes:
+* Sphinx documentation is now successfully built
+* pypy3 tests stability was improved
+* setup.py deprecation warning is now resolved
+
+
+----------------------------------------------------------------
+Released 3.4.2 2022-07-06
+
+This is a minor release to provide out-of-the-box compatibility with the merge
+of libldap and libldap_r that happened with OpenLDAP's 2.5 release.
+
+The following undocumented functions are deprecated and scheduled for removal:
+- ``ldap.cidict.strlist_intersection``
+- ``ldap.cidict.strlist_minus``
+- ``ldap.cidict.strlist_union``
+
+The following deprecated option has been removed:
+- ``OPT_X_TLS``
+
+Doc/
+* SASL option usage has been clarified
+
+Lib/
+* ppolicy control definition has been updated to match Behera draft 11
+
+Modules/
+* By default, compile against libldap, checking whether it provides a
+ threadsafe implementation at runtime
+* When decoding controls, the module can now distinguish between no value
+ (now exposed as ``None``) and an empty value (exposed as ``b''``)
+* Several new OpenLDAP options are now supported:
+ * ``OPT_SOCKET_BIND_ADDRESSES``
+ * ``OPT_TCP_USER_TIMEOUT``
+ * ``OPT_X_SASL_MAXBUFSIZE``
+ * ``OPT_X_SASL_SECPROPS``
+ * ``OPT_X_TLS_ECNAME``
+ * ``OPT_X_TLS_PEERCERT``
+ * ``OPT_X_TLS_PROTOCOL``-related options and constants
+
+Fixes:
+* Encoding/decoding of boolean controls has been corrected
+* ldap.schema.models.Entry is now usable
+* ``method`` keyword to ReconnectLDAPObject.bind_s is now usable
+
+
+----------------------------------------------------------------
Released 3.4.0 2021-11-26
This release requires Python 3.6 or above,
diff --git a/Demo/pyasn1/syncrepl.py b/Demo/pyasn1/syncrepl.py
index f1f24e19..754b237a 100644
--- a/Demo/pyasn1/syncrepl.py
+++ b/Demo/pyasn1/syncrepl.py
@@ -76,7 +76,7 @@ def syncrepl_entry(self, dn, attributes, uuid):
logger.debug('Detected %s of entry %r', change_type, dn)
# If we have a cookie then this is not our first time being run,
# so it must be a change
- if 'ldap_cookie' in self.__data:
+ if 'cookie' in self.__data:
self.perform_application_sync(dn, attributes, previous_attributes)
def syncrepl_delete(self,uuids):
@@ -98,7 +98,7 @@ def syncrepl_present(self,uuids,refreshDeletes=False):
deletedEntries = [
uuid
for uuid in self.__data.keys()
- if uuid not in self.__presentUUIDs and uuid != 'ldap_cookie'
+ if uuid not in self.__presentUUIDs and uuid != 'cookie'
]
self.syncrepl_delete( deletedEntries )
# Phase is now completed, reset the list
diff --git a/Doc/conf.py b/Doc/conf.py
index b883736e..e79cfb34 100644
--- a/Doc/conf.py
+++ b/Doc/conf.py
@@ -50,8 +50,8 @@
# The suffix of source filenames.
source_suffix = '.rst'
-# The master toctree document.
-master_doc = 'index'
+# The root toctree document.
+root_doc = 'index'
# General substitutions.
project = 'python-ldap'
diff --git a/Doc/contributing.rst b/Doc/contributing.rst
index 1fc1365b..de63a2e3 100644
--- a/Doc/contributing.rst
+++ b/Doc/contributing.rst
@@ -19,7 +19,7 @@ Communication
Always keep in mind that python-ldap is developed and maintained by volunteers.
We're happy to share our work, and to work with you to make the library better,
-but (until you pay someone), there's obligation to provide assistance.
+but (until you pay someone), there's no obligation to provide assistance.
So, keep it friendly, respectful, and supportive!
@@ -72,9 +72,6 @@ If you're used to open-source Python development with Git, here's the gist:
.. _the bug tracker: https://github.com/python-ldap/python-ldap/issues
.. _tox: https://tox.readthedocs.io/en/latest/
-Or, if you prefer to avoid closed-source services:
-
-* ``git clone https://pagure.io/python-ldap``
* Send bug reports and patches to the mailing list.
* Run tests with `tox`_; ignore Python interpreters you don't have locally.
* Read the documentation directly at `Read the Docs`_.
@@ -203,8 +200,6 @@ remember:
* Consider making the summary line suitable for the CHANGES document,
and starting it with a prefix like ``Lib:`` or ``Tests:``.
-* Push to Pagure as well.
-
If you have good reason to break the “rules”, go ahead and break them,
but mention why.
@@ -218,11 +213,13 @@ If you are tasked with releasing python-ldap, remember to:
* Go through all changes since last version, and add them to ``CHANGES``.
* Run :ref:`additional tests` as appropriate, fix any regressions.
* Change the release date in ``CHANGES``.
+* Update ``__version__`` tags where appropriate (each module ``ldap``,
+ ``ldif``, ``ldapurl``, ``slapdtest`` has its own copy).
* Merge all that (using pull requests).
* Run ``python setup.py sdist``, and smoke-test the resulting package
(install in a clean virtual environment, import ``ldap``).
* Create GPG-signed Git tag: ``git tag -s python-ldap-{version}``.
- Push it to GitHub and Pagure.
+ Push it to GitHub.
* Release the ``sdist`` on PyPI.
* Announce the release on the mailing list.
Mention the Git hash.
diff --git a/Doc/faq.rst b/Doc/faq.rst
index e96fc030..39a6743c 100644
--- a/Doc/faq.rst
+++ b/Doc/faq.rst
@@ -13,7 +13,7 @@ Project
**A3**: see file CHANGES in source distribution
or `repository`_.
-.. _repository: https://github.com/python-ldap/python-ldap/blob/master/CHANGES
+.. _repository: https://github.com/python-ldap/python-ldap/blob/main/CHANGES
Usage
diff --git a/Doc/installing.rst b/Doc/installing.rst
index e4518c11..1c7ec8c3 100644
--- a/Doc/installing.rst
+++ b/Doc/installing.rst
@@ -63,8 +63,8 @@ to get up to date information which versions are available.
Windows
-------
-Unofficial packages for Windows are available on
-`Christoph Gohlke's page `_.
+Unofficial binary builds for Windows are provided by Christoph Gohlke, available at
+`python-ldap-build `_.
`FreeBSD `_
@@ -76,12 +76,23 @@ The CVS repository of FreeBSD contains the package
macOS
-----
-You can install directly with pip::
+You can install directly with pip. First install Xcode command line tools::
$ xcode-select --install
- $ pip install python-ldap \
- --global-option=build_ext \
- --global-option="-I$(xcrun --show-sdk-path)/usr/include/sasl"
+
+Then install python-ldap::
+
+ $ pip install python-ldap
+
+For custom installations, you may need to set environment variables::
+
+ $ export CPPFLAGS="-I$(xcrun --show-sdk-path)/usr/include/sasl"
+ $ pip install python-ldap
+
+If using Homebrew::
+
+ $ brew install openldap
+ $ pip install python-ldap
.. _install-source:
@@ -90,11 +101,14 @@ Installing from Source
======================
-python-ldap is built and installed using the Python setuptools.
-From a source repository::
+python-ldap is built and installed using modern Python packaging standards
+with pyproject.toml configuration. From a source repository::
- $ python -m pip install setuptools
- $ python setup.py install
+ $ pip install .
+
+For development installation with editable mode::
+
+ $ pip install -e .
If you have more than one Python interpreter installed locally, you should
use the same one you plan to use python-ldap with.
@@ -143,10 +157,15 @@ Packages for building::
Debian
------
+Packages for building::
+
+ # apt-get install build-essential ldap-utils \
+ libldap2-dev libsasl2-dev
+
Packages for building and testing::
- # apt-get install build-essential python3-dev \
- libldap2-dev libsasl2-dev slapd ldap-utils tox \
+ # apt-get install build-essential ldap-utils \
+ libldap2-dev libsasl2-dev slapd python3-dev tox \
lcov valgrind
.. note::
diff --git a/Doc/reference/ldap-controls.rst b/Doc/reference/ldap-controls.rst
index 37d7c1bc..2206e101 100644
--- a/Doc/reference/ldap-controls.rst
+++ b/Doc/reference/ldap-controls.rst
@@ -171,6 +171,7 @@ search.
.. autoclass:: ldap.controls.psearch.EntryChangeNotificationControl
:members:
+.. |ASN.1| replace:: Asn1Type
:py:mod:`ldap.controls.sessiontrack` Session tracking control
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
diff --git a/Doc/reference/ldap-extop.rst b/Doc/reference/ldap-extop.rst
index 8fe49f42..ad70e4e7 100644
--- a/Doc/reference/ldap-extop.rst
+++ b/Doc/reference/ldap-extop.rst
@@ -38,3 +38,5 @@ This requires :py:mod:`pyasn1` and :py:mod:`pyasn1_modules` to be installed.
.. autoclass:: ldap.extop.dds.RefreshResponse
:members:
+
+.. |ASN.1| replace:: Asn1Type
diff --git a/Doc/reference/ldap-syncrepl.rst b/Doc/reference/ldap-syncrepl.rst
index b3b2cf9a..046b15a9 100644
--- a/Doc/reference/ldap-syncrepl.rst
+++ b/Doc/reference/ldap-syncrepl.rst
@@ -20,3 +20,6 @@ This module defines the following classes:
.. autoclass:: ldap.syncrepl.SyncreplConsumer
:members:
+
+.. autoclass:: ldap.syncrepl.OpenLDAPSyncreplCookie
+ :members:
diff --git a/Doc/reference/ldap.rst b/Doc/reference/ldap.rst
index 57485c7a..397b7663 100644
--- a/Doc/reference/ldap.rst
+++ b/Doc/reference/ldap.rst
@@ -38,7 +38,8 @@ This module defines the following functions:
The *uri* parameter may be a comma- or whitespace-separated list of URIs
containing only the schema, the host, and the port fields. Note that
when using multiple URIs you cannot determine to which URI your client
- gets connected.
+ gets connected. If *uri* is :py:const:`None`, the default URIs from
+ ``ldap.conf`` or :py:const:`OPT_URI` global option will be used.
If *fileno* parameter is given then the file descriptor will be used to
connect to an LDAP server. The *fileno* must either be a socket file
@@ -226,6 +227,9 @@ the following option identifiers are defined as constants:
SASL options
::::::::::::
+Unlike most other options, SASL options must be set on an
+:py:class:`LDAPObject` instance.
+
.. py:data:: OPT_X_SASL_AUTHCID
.. py:data:: OPT_X_SASL_AUTHZID
@@ -234,7 +238,7 @@ SASL options
.. py:data:: OPT_X_SASL_NOCANON
- If set to zero SASL host name canonicalization is disabled.
+ If set to zero, SASL host name canonicalization is disabled.
.. py:data:: OPT_X_SASL_REALM
@@ -349,7 +353,7 @@ TLS options
.. py:data:: OPT_X_TLS_REQUIRE_SAN
get/set how OpenLDAP validates subject alternative name extension,
- available in OpenSSL 2.4.52 and newer.
+ available in OpenLDAP 2.4.52 and newer.
:py:const:`OPT_X_TLS_NEVER`
Don't check SAN
@@ -372,21 +376,27 @@ TLS options
.. py:data:: OPT_X_TLS_ALLOW
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+ and :py:const:`OPT_X_TLS_REQUIRE_SAN`
.. py:data:: OPT_X_TLS_DEMAND
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+ and :py:const:`OPT_X_TLS_REQUIRE_SAN`
.. py:data:: OPT_X_TLS_HARD
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+ and :py:const:`OPT_X_TLS_REQUIRE_SAN`
.. py:data:: OPT_X_TLS_NEVER
Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+ and :py:const:`OPT_X_TLS_REQUIRE_SAN`
.. py:data:: OPT_X_TLS_TRY
+ Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+
.. deprecated:: 3.3.0
This value is only used by slapd server internally. It will be removed
in the future.
@@ -406,14 +416,58 @@ TLS options
.. py:data:: OPT_X_TLS_PEERCERT
- Get peer's certificate as binary ASN.1 data structure (not supported)
+ Get peer's certificate as binary ASN.1 data structure (DER)
+
+ .. versionadded:: 3.4.1
+
+ .. note::
+ The option leaks memory with OpenLDAP < 2.5.8.
.. py:data:: OPT_X_TLS_PROTOCOL_MIN
get/set minimum protocol version (wire protocol version as int)
- * ``0x303`` for TLS 1.2
- * ``0x304`` for TLS 1.3
+.. py:data:: OPT_X_TLS_PROTOCOL_MAX
+
+ get/set maximum protocol version (wire protocol version as int),
+ available in OpenLDAP 2.5 and newer.
+
+ .. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_SSL3
+
+ Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+ :py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents SSL 3
+
+ .. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_0
+
+ Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+ :py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.0
+
+ .. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_1
+
+ Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+ :py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.1
+
+ .. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_2
+
+ Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+ :py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.2
+
+ .. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_3
+
+ Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+ :py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.3
+
+ .. versionadded:: 3.4.1
.. py:data:: OPT_X_TLS_VERSION
@@ -551,13 +605,13 @@ The module defines the following exceptions:
.. py:exception:: COMPARE_FALSE
A compare operation returned false.
- (This exception should only be seen asynchronous operations, because
+ (This exception should only be seen in asynchronous operations, because
:py:meth:`~LDAPObject.compare_s()` returns a boolean result.)
.. py:exception:: COMPARE_TRUE
A compare operation returned true.
- (This exception should only be seen asynchronous operations, because
+ (This exception should only be seen in asynchronous operations, because
:py:meth:`~LDAPObject.compare_s()` returns a boolean result.)
.. py:exception:: CONFIDENTIALITY_REQUIRED
@@ -918,10 +972,14 @@ and wait for and return with the server's result, or with
The *dn* and *attr* arguments are text strings; see :ref:`bytes_mode`.
- .. note::
- A design fault in the LDAP API prevents *value*
- from containing *NULL* characters.
+.. py:method:: LDAPObject.connect() -> None
+
+ Opens a connection to the server if one is not established already. If that
+ fails, an instance of :py:exc:`ldap.LDAPError` is raised.
+
+ Requires libldap 2.5+ and will fail with :py:exc:`NotImplementedError`
+ if that is not met.
.. py:method:: LDAPObject.delete(dn) -> int
@@ -1316,7 +1374,7 @@ and wait for and return with the server's result, or with
This synchronous method implements the LDAP "Who Am I?"
extended operation.
- It is useful for finding out to find out which identity
+ It is useful for finding out which identity
is assumed by the LDAP server after a SASL bind.
.. seealso::
diff --git a/Doc/resources.rst b/Doc/resources.rst
index 56cb1a1a..795f8b63 100644
--- a/Doc/resources.rst
+++ b/Doc/resources.rst
@@ -8,13 +8,13 @@ members. Therefore some information might be outdated or links might be broken.
*Python LDAP Applications* articles by Matt Butcher
---------------------------------------------------
-* `Part 1 - Installing and Configuring the Python-LDAP Library and Binding to an LDAP Directory `_
+* `Part 1 - Installing and Configuring the Python-LDAP Library and Binding to an LDAP Directory `_
This also covers SASL.
-* `Part 2 - LDAP Operations `_
-* `Part 3 - More LDAP Operations and the LDAP URL Library `_
-* `Part 4 - LDAP Schema `_
+* `Part 2 - LDAP Operations `_
+* `Part 3 - More LDAP Operations and the LDAP URL Library `_
+* `Part 4 - LDAP Schema `_
Gee, someone waded through the badly documented mysteries of module
:mod:`ldap.schema`.
diff --git a/Doc/spelling_wordlist.txt b/Doc/spelling_wordlist.txt
index e6c2aedd..4381ebee 100644
--- a/Doc/spelling_wordlist.txt
+++ b/Doc/spelling_wordlist.txt
@@ -25,6 +25,7 @@ changeNumber
changesOnly
changeType
changeTypes
+Christoph
cidict
clientctrls
conf
@@ -56,8 +57,10 @@ filterstr
filterStr
formatOID
func
+Gohlke
GPG
Heimdal
+Homebrew
hostport
hrefTarget
hrefText
@@ -98,13 +101,13 @@ oc
oid
oids
OpenLDAP
-Pagure
postalAddress
pre
previousDN
processResultsCount
Proxied
py
+pyproject
pytest
rdn
readthedocs
@@ -145,6 +148,7 @@ syncrepl
syntaxes
timelimit
TLS
+toml
tracebacks
tuple
tuples
@@ -161,5 +165,6 @@ userPassword
usr
uuids
Valgrind
+Xcode
whitespace
workflow
diff --git a/INSTALL b/INSTALL
index b9b13d2d..224df4a4 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,8 +1,7 @@
Quick build instructions:
edit setup.cfg (see Build/ for platform-specific examples)
- python setup.py build
- python setup.py install
+ pip install .
Detailed instructions are in Doc/installing.rst, or online at:
diff --git a/Lib/ldap/cidict.py b/Lib/ldap/cidict.py
index f846fd29..65041e0a 100644
--- a/Lib/ldap/cidict.py
+++ b/Lib/ldap/cidict.py
@@ -85,7 +85,7 @@ def strlist_minus(a,b):
a,b are supposed to be lists of case-insensitive strings.
"""
warnings.warn(
- "strlist functions are deprecated and will be removed in 3.5",
+ "strlist functions are deprecated and will be removed in 4.0",
category=DeprecationWarning,
stacklevel=2,
)
@@ -105,7 +105,7 @@ def strlist_intersection(a,b):
Return intersection of two lists of case-insensitive strings a,b.
"""
warnings.warn(
- "strlist functions are deprecated and will be removed in 3.5",
+ "strlist functions are deprecated and will be removed in 4.0",
category=DeprecationWarning,
stacklevel=2,
)
@@ -125,7 +125,7 @@ def strlist_union(a,b):
Return union of two lists of case-insensitive strings a,b.
"""
warnings.warn(
- "strlist functions are deprecated and will be removed in 3.5",
+ "strlist functions are deprecated and will be removed in 4.0",
category=DeprecationWarning,
stacklevel=2,
)
diff --git a/Lib/ldap/constants.py b/Lib/ldap/constants.py
index 1c1d76a7..0e7df6e7 100644
--- a/Lib/ldap/constants.py
+++ b/Lib/ldap/constants.py
@@ -244,6 +244,7 @@ class Str(Constant):
Int('OPT_SIZELIMIT'),
Int('OPT_TIMELIMIT'),
Int('OPT_REFERRALS', optional=True),
+ Int('OPT_RESULT_CODE'),
Int('OPT_ERROR_NUMBER'),
Int('OPT_RESTART'),
Int('OPT_PROTOCOL_VERSION'),
@@ -261,6 +262,7 @@ class Str(Constant):
Int('OPT_TIMEOUT'),
Int('OPT_REFHOPLIMIT'),
Int('OPT_NETWORK_TIMEOUT'),
+ Int('OPT_TCP_USER_TIMEOUT', optional=True),
Int('OPT_URI'),
Int('OPT_DEFBASE', optional=True),
@@ -299,8 +301,19 @@ class Str(Constant):
TLSInt('OPT_X_TLS_PACKAGE', optional=True),
# Added in OpenLDAP 2.4.52
+ TLSInt('OPT_X_TLS_ECNAME', optional=True),
TLSInt('OPT_X_TLS_REQUIRE_SAN', optional=True),
+ # Added in OpenLDAP 2.5
+ TLSInt('OPT_X_TLS_PEERCERT', optional=True),
+ TLSInt('OPT_X_TLS_PROTOCOL_MAX', optional=True),
+
+ TLSInt('OPT_X_TLS_PROTOCOL_SSL3', optional=True),
+ TLSInt('OPT_X_TLS_PROTOCOL_TLS1_0', optional=True),
+ TLSInt('OPT_X_TLS_PROTOCOL_TLS1_1', optional=True),
+ TLSInt('OPT_X_TLS_PROTOCOL_TLS1_2', optional=True),
+ TLSInt('OPT_X_TLS_PROTOCOL_TLS1_3', optional=True),
+
Int('OPT_X_SASL_MECH'),
Int('OPT_X_SASL_REALM'),
Int('OPT_X_SASL_AUTHCID'),
@@ -341,9 +354,7 @@ class Str(Constant):
# XXX - these should be errors
Int('URL_ERR_BADSCOPE'),
Int('URL_ERR_MEM'),
- # Int('LIBLDAP_R'),
- Feature('LIBLDAP_R', 'HAVE_LIBLDAP_R'),
Feature('SASL_AVAIL', 'HAVE_SASL'),
Feature('TLS_AVAIL', 'HAVE_TLS'),
Feature('INIT_FD_AVAIL', 'HAVE_LDAP_INIT_FD'),
diff --git a/Lib/ldap/controls/openldap.py b/Lib/ldap/controls/openldap.py
index 24040ed7..26c76868 100644
--- a/Lib/ldap/controls/openldap.py
+++ b/Lib/ldap/controls/openldap.py
@@ -51,6 +51,7 @@ class SearchNoOpMixIn:
"""
def noop_search_st(self,base,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',timeout=-1):
+ msg_id = None
try:
msg_id = self.search_ext(
base,
@@ -66,9 +67,10 @@ def noop_search_st(self,base,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)
ldap.TIMELIMIT_EXCEEDED,
ldap.SIZELIMIT_EXCEEDED,
ldap.ADMINLIMIT_EXCEEDED
- ) as e:
- self.abandon(msg_id)
- raise e
+ ):
+ if msg_id is not None:
+ self.abandon(msg_id)
+ raise
else:
noop_srch_ctrl = [
c
diff --git a/Lib/ldap/controls/ppolicy.py b/Lib/ldap/controls/ppolicy.py
index da7586f0..f3a8416d 100644
--- a/Lib/ldap/controls/ppolicy.py
+++ b/Lib/ldap/controls/ppolicy.py
@@ -40,9 +40,10 @@ class PasswordPolicyError(univ.Enumerated):
('insufficientPasswordQuality',5),
('passwordTooShort',6),
('passwordTooYoung',7),
- ('passwordInHistory',8)
+ ('passwordInHistory',8),
+ ('passwordTooLong',9),
)
- subtypeSpec = univ.Enumerated.subtypeSpec + constraint.SingleValueConstraint(0,1,2,3,4,5,6,7,8)
+ subtypeSpec = univ.Enumerated.subtypeSpec + constraint.SingleValueConstraint(0,1,2,3,4,5,6,7,8,9)
class PasswordPolicyResponseValue(univ.Sequence):
diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py
index a9d96846..64d7d0e9 100644
--- a/Lib/ldap/dn.py
+++ b/Lib/ldap/dn.py
@@ -26,7 +26,8 @@ def escape_dn_chars(s):
s = s.replace('>' ,'\\>')
s = s.replace(';' ,'\\;')
s = s.replace('=' ,'\\=')
- s = s.replace('\000' ,'\\\000')
+ # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
+ s = s.replace('\x00' ,'\\00')
if s[-1]==' ':
s = ''.join((s[:-1],'\\ '))
if s[0]=='#' or s[0]==' ':
@@ -48,12 +49,17 @@ def str2dn(dn,flags=0):
return ldap.functions._ldap_function_call(None,_ldap.str2dn,dn,flags)
-def dn2str(dn):
+def dn2str(dn, flags=0):
"""
This function takes a decomposed DN as parameter and returns
- a single string. It's the inverse to str2dn() but will always
- return a DN in LDAPv3 format compliant to RFC 4514.
+ a single string. It's the inverse to str2dn() but will by default always
+ return a DN in LDAPv3 format compliant to RFC 4514 if not otherwise specified
+ via flags.
+
+ See also the OpenLDAP man-page ldap_dn2str(3)
"""
+ if flags:
+ return ldap.functions._ldap_function_call(None, _ldap.dn2str, dn, flags)
return ','.join([
'+'.join([
'='.join((atype,escape_dn_chars(avalue or '')))
@@ -61,6 +67,7 @@ def dn2str(dn):
for rdn in dn
])
+
def explode_dn(dn, notypes=False, flags=0):
"""
explode_dn(dn [, notypes=False [, flags=0]]) -> list
@@ -116,3 +123,8 @@ def is_dn(s,flags=0):
return False
else:
return True
+
+
+def normalize(s, flags=0):
+ """Returns a normalized distinguished name (DN)"""
+ return dn2str(str2dn(s, flags), flags)
diff --git a/Lib/ldap/extop/dds.py b/Lib/ldap/extop/dds.py
index 7fab0813..a970d71d 100644
--- a/Lib/ldap/extop/dds.py
+++ b/Lib/ldap/extop/dds.py
@@ -35,6 +35,7 @@ class RefreshRequestValue(univ.Sequence):
)
def __init__(self,requestName=None,entryName=None,requestTtl=None):
+ super().__init__(requestName or self.requestName, b'')
self.entryName = entryName
self.requestTtl = requestTtl or self.defaultRequestTtl
diff --git a/Lib/ldap/filter.py b/Lib/ldap/filter.py
index 782737aa..5bd41b21 100644
--- a/Lib/ldap/filter.py
+++ b/Lib/ldap/filter.py
@@ -24,6 +24,8 @@ def escape_filter_chars(assertion_value,escape_mode=0):
If 1 all NON-ASCII chars are escaped.
If 2 all chars are escaped.
"""
+ if not isinstance(assertion_value, str):
+ raise TypeError("assertion_value must be of type str.")
if escape_mode:
r = []
if escape_mode==1:
diff --git a/Lib/ldap/ldapobject.py b/Lib/ldap/ldapobject.py
index 40091ad7..057fe71a 100644
--- a/Lib/ldap/ldapobject.py
+++ b/Lib/ldap/ldapobject.py
@@ -67,7 +67,7 @@ class SimpleLDAPObject:
}
def __init__(
- self,uri,
+ self,uri=None,
trace_level=0,trace_file=None,trace_stack_limit=5,bytes_mode=None,
bytes_strictness=None, fileno=None
):
@@ -171,6 +171,13 @@ def fileno(self):
"""
return self.get_option(ldap.OPT_DESC)
+ def connect(self):
+ """
+ connect() -> None
+ Establishes LDAP connection if needed.
+ """
+ return self._ldap_call(self._l.connect)
+
def abandon_ext(self,msgid,serverctrls=None,clientctrls=None):
"""
abandon_ext(msgid[,serverctrls=None[,clientctrls=None]]) -> None
@@ -521,7 +528,7 @@ def result(self,msgid=ldap.RES_ANY,all=1,timeout=None):
The method returns a tuple of the form (result_type,
result_data). The result_type is one of the constants RES_*.
- See search() for a description of the search result's
+ See search_ext() for a description of the search result's
result_data, otherwise the result_data is normally meaningless.
The result() method will block for timeout seconds, or
@@ -588,7 +595,7 @@ def search_ext(self,base,scope,filterstr=None,attrlist=None,attrsonly=0,serverct
values are stored in a list as dictionary value.
The DN in dn is extracted using the underlying ldap_get_dn(),
- which may raise an exception of the DN is malformed.
+ which may raise an exception if the DN is malformed.
If attrsonly is non-zero, the values of attrs will be
meaningless (they are not transmitted in the result).
@@ -820,8 +827,7 @@ def get_naming_contexts(self):
class ReconnectLDAPObject(SimpleLDAPObject):
"""
:py:class:`SimpleLDAPObject` subclass whose synchronous request methods
- automatically reconnect and re-try in case of server failure
- (:exc:`ldap.SERVER_DOWN`).
+ automatically reconnect and re-try in case of server failure.
The first arguments are same as for the :py:func:`~ldap.initialize()`
function.
@@ -833,6 +839,10 @@ class ReconnectLDAPObject(SimpleLDAPObject):
* retry_delay: specifies the time in seconds between reconnect attempts.
This class also implements the pickle protocol.
+
+ .. versionadded:: 3.4.5
+ The exceptions :py:exc:`ldap.SERVER_DOWN`, :py:exc:`ldap.UNAVAILABLE`, :py:exc:`ldap.CONNECT_ERROR` and
+ :py:exc:`ldap.TIMEOUT` (configurable via :py:attr:`_reconnect_exceptions`) now trigger a reconnect.
"""
__transient_attrs__ = {
@@ -842,9 +852,10 @@ class ReconnectLDAPObject(SimpleLDAPObject):
'_reconnect_lock',
'_last_bind',
}
+ _reconnect_exceptions = (ldap.SERVER_DOWN, ldap.UNAVAILABLE, ldap.CONNECT_ERROR, ldap.TIMEOUT)
def __init__(
- self,uri,
+ self,uri=None,
trace_level=0,trace_file=None,trace_stack_limit=5,bytes_mode=None,
bytes_strictness=None, retry_max=1, retry_delay=60.0, fileno=None
):
@@ -877,7 +888,10 @@ def __getstate__(self):
for k,v in self.__dict__.items()
if k not in self.__transient_attrs__
}
- state['_last_bind'] = self._last_bind[0].__name__, self._last_bind[1], self._last_bind[2]
+ if self._last_bind is None:
+ state['_last_bind'] = None
+ else:
+ state['_last_bind'] = self._last_bind[0].__name__, self._last_bind[1], self._last_bind[2]
return state
def __setstate__(self,d):
@@ -888,15 +902,16 @@ def __setstate__(self,d):
else:
d.setdefault('bytes_strictness', 'warn')
self.__dict__.update(d)
- self._last_bind = getattr(SimpleLDAPObject, self._last_bind[0]), self._last_bind[1], self._last_bind[2]
+ if self._last_bind is not None:
+ self._last_bind = getattr(SimpleLDAPObject, self._last_bind[0]), self._last_bind[1], self._last_bind[2]
self._ldap_object_lock = self._ldap_lock()
self._reconnect_lock = ldap.LDAPLock(desc='reconnect lock within %s' % (repr(self)))
# XXX cannot pickle file, use default trace file
self._trace_file = ldap._trace_file
- self.reconnect(self._uri)
+ self.reconnect(self._uri,force=True)
- def _store_last_bind(self,method,*args,**kwargs):
- self._last_bind = (method,args,kwargs)
+ def _store_last_bind(self,_method,*args,**kwargs):
+ self._last_bind = (_method,args,kwargs)
def _apply_last_bind(self):
if self._last_bind!=None:
@@ -914,11 +929,16 @@ def _restore_options(self):
def passwd_s(self,*args,**kwargs):
return self._apply_method_s(SimpleLDAPObject.passwd_s,*args,**kwargs)
- def reconnect(self,uri,retry_max=1,retry_delay=60.0):
+ def reconnect(self,uri,retry_max=1,retry_delay=60.0,force=True):
# Drop and clean up old connection completely
# Reconnect
self._reconnect_lock.acquire()
try:
+ if hasattr(self,'_l'):
+ if force:
+ SimpleLDAPObject.unbind_s(self)
+ else:
+ return
reconnect_counter = retry_max
while reconnect_counter:
counter_text = '%d. (of %d)' % (retry_max-reconnect_counter+1,retry_max)
@@ -962,14 +982,12 @@ def reconnect(self,uri,retry_max=1,retry_delay=60.0):
return # reconnect()
def _apply_method_s(self,func,*args,**kwargs):
- if not hasattr(self,'_l'):
- self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
+ self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay,force=False)
try:
return func(self,*args,**kwargs)
- except ldap.SERVER_DOWN:
- SimpleLDAPObject.unbind_s(self)
+ except self._reconnect_exceptions:
# Try to reconnect
- self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay)
+ self.reconnect(self._uri,retry_max=self._retry_max,retry_delay=self._retry_delay,force=True)
# Re-try last operation
return func(self,*args,**kwargs)
diff --git a/Lib/ldap/pkginfo.py b/Lib/ldap/pkginfo.py
index ef958a13..2ac6852d 100644
--- a/Lib/ldap/pkginfo.py
+++ b/Lib/ldap/pkginfo.py
@@ -1,6 +1,6 @@
"""
meta attributes for packaging which does not import any dependencies
"""
-__version__ = '3.4.0'
+__version__ = '3.4.5'
__author__ = 'python-ldap project'
__license__ = 'Python style'
diff --git a/Lib/ldap/schema/subentry.py b/Lib/ldap/schema/subentry.py
index b83d819b..3f73df71 100644
--- a/Lib/ldap/schema/subentry.py
+++ b/Lib/ldap/schema/subentry.py
@@ -476,10 +476,10 @@ def urlfetch(uri,trace_level=0):
l.unbind_s()
del l
else:
- ldif_file = urlopen(uri)
- ldif_parser = ldif.LDIFRecordList(ldif_file,max_entries=1)
- ldif_parser.parse()
- subschemasubentry_dn,s_temp = ldif_parser.all_records[0]
+ with urlopen(uri) as ldif_file:
+ ldif_parser = ldif.LDIFRecordList(ldif_file,max_entries=1)
+ ldif_parser.parse()
+ subschemasubentry_dn,s_temp = ldif_parser.all_records[0]
# Work-around for mixed-cased attribute names
subschemasubentry_entry = ldap.cidict.cidict()
s_temp = s_temp or {}
diff --git a/Lib/ldap/syncrepl.py b/Lib/ldap/syncrepl.py
index 1708b468..0e1b6a3f 100644
--- a/Lib/ldap/syncrepl.py
+++ b/Lib/ldap/syncrepl.py
@@ -4,6 +4,7 @@
See https://www.python-ldap.org/ for project details.
"""
+from typing import AnyStr, Dict, List, Tuple, Union
from uuid import UUID
# Imports from pyasn1
@@ -12,8 +13,10 @@
from ldap.pkginfo import __version__, __author__, __license__
from ldap.controls import RequestControl, ResponseControl, KNOWN_RESPONSE_CONTROLS
+from ldap import RES_SEARCH_RESULT, RES_SEARCH_ENTRY, RES_INTERMEDIATE
__all__ = [
+ 'OpenLDAPSyncreplCookie',
'SyncreplConsumer',
]
@@ -407,7 +410,7 @@ def syncrepl_poll(self, msgid=-1, timeout=None, all=0):
all=0,
)
- if type == 101:
+ if type == RES_SEARCH_RESULT:
# search result. This marks the end of a refreshOnly session.
# look for a SyncDone control, save the cookie, and if necessary
# delete non-present entries.
@@ -420,7 +423,7 @@ def syncrepl_poll(self, msgid=-1, timeout=None, all=0):
return False
- elif type == 100:
+ elif type == RES_SEARCH_ENTRY:
# search entry with associated SyncState control
for m in msg:
dn, attrs, ctrls = m
@@ -439,7 +442,7 @@ def syncrepl_poll(self, msgid=-1, timeout=None, all=0):
self.syncrepl_set_cookie(c.cookie)
break
- elif type == 121:
+ elif type == RES_INTERMEDIATE:
# Intermediate message. If it is a SyncInfoMessage, parse it
for m in msg:
rname, resp, ctrls = m
@@ -534,3 +537,71 @@ def syncrepl_refreshdone(self):
follows.
"""
pass
+
+
+class OpenLDAPSyncreplCookie:
+ """
+ OpenLDAPSyncreplCookie - allows a consumer to track a cookie across a
+ refreshAndPersist syncrepl session against a multi-provider OpenLDAP cluster
+ """
+
+ rid: int = 0
+ sid: int = 0
+ _csnset: Dict[int, str]
+
+ def __init__(self, cookie: AnyStr = "") -> None:
+ self._csnset = {}
+
+ if cookie:
+ self.update(cookie)
+
+ def _parse_csn(self, csn: str) -> Tuple[str, str, str, str]:
+ time, order, sid, other = csn.split('#', 3)
+ return (time, order, sid, other)
+
+ def _parse_cookie(self, cookie: AnyStr) -> Dict[str, Union[str, List[str]]]:
+ if isinstance(cookie, bytes):
+ cookie = cookie.decode()
+
+ result = {}
+ parts = cookie.split(',')
+ for part in parts:
+ if part.startswith('rid='):
+ result['rid'] = part[4:]
+ elif part.startswith('sid='):
+ result['sid'] = part[4:]
+ elif part.startswith('csn='):
+ result['csn'] = part[4:].split(';')
+ elif part.startswith('delcsn='):
+ result['delcsn'] = part[7:]
+ else:
+ # Did not recognize this cookie part
+ pass
+ return result
+
+ def update(self, cookie: AnyStr):
+ """
+ Update the CSN set based on a cookie we just received, use in
+ syncrepl_set_cookie() to track the session state.
+ """
+ components = self._parse_cookie(cookie)
+ for csn in components.get('csn', []):
+ _, _, sid, _ = self._parse_csn(csn)
+ if sid not in self._csnset or self._csnset[sid] < csn:
+ self._csnset[sid] = csn
+
+ return self
+
+ def unparse(self) -> str:
+ """
+ Return the cookie as a string, use in syncrepl_get_cookie() or when
+ storing the state for later use.
+ """
+ cookie = 'rid={:03},sid={:03x}'.format(self.rid or 0, self.sid or 0)
+ if self._csnset:
+ cookie += ',csn='
+ cookie += ';'.join(csn for sid, csn in sorted(self._csnset.items()))
+ return cookie
+
+ def __str__(self):
+ return self.unparse()
diff --git a/Lib/ldapurl.py b/Lib/ldapurl.py
index cce4e806..57900028 100644
--- a/Lib/ldapurl.py
+++ b/Lib/ldapurl.py
@@ -4,7 +4,7 @@
See https://www.python-ldap.org/ for details.
"""
-__version__ = '3.4.0'
+__version__ = '3.4.5'
__all__ = [
# constants
diff --git a/Lib/ldif.py b/Lib/ldif.py
index 7e69a594..356f95ea 100644
--- a/Lib/ldif.py
+++ b/Lib/ldif.py
@@ -3,7 +3,7 @@
See https://www.python-ldap.org/ for details.
"""
-__version__ = '3.4.0'
+__version__ = '3.4.5'
__all__ = [
# constants
@@ -373,7 +373,8 @@ def _next_key_and_value(self):
if self._process_url_schemes:
u = urlparse(url)
if u[0] in self._process_url_schemes:
- attr_value = urlopen(url).read()
+ with urlopen(url) as fd:
+ attr_value = fd.read()
else:
# All values should be valid ascii; we support UTF-8 as a
# non-official, backwards compatibility layer.
diff --git a/Lib/slapdtest/__init__.py b/Lib/slapdtest/__init__.py
index bb59e7fa..0fabc4c4 100644
--- a/Lib/slapdtest/__init__.py
+++ b/Lib/slapdtest/__init__.py
@@ -4,7 +4,7 @@
See https://www.python-ldap.org/ for details.
"""
-__version__ = '3.4.0'
+__version__ = '3.4.5'
from slapdtest._slapdtest import SlapdObject, SlapdTestCase, SysLogHandler
from slapdtest._slapdtest import requires_ldapi, requires_sasl, requires_tls
diff --git a/Lib/slapdtest/_slapdtest.py b/Lib/slapdtest/_slapdtest.py
index 36841110..b60313b0 100644
--- a/Lib/slapdtest/_slapdtest.py
+++ b/Lib/slapdtest/_slapdtest.py
@@ -41,6 +41,11 @@
cn: module
olcModuleLoad: back_%(database)s
+dn: olcDatabase=config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: config
+olcRootDN: %(rootdn)s
+
dn: olcDatabase=%(database)s,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
@@ -259,7 +264,6 @@ def _find_commands(self):
self.PATH_LDAPDELETE = self._find_command('ldapdelete')
self.PATH_LDAPMODIFY = self._find_command('ldapmodify')
self.PATH_LDAPWHOAMI = self._find_command('ldapwhoami')
- self.PATH_SLAPADD = self._find_command('slapadd')
self.PATH_SLAPD = os.environ.get('SLAPD', None)
if not self.PATH_SLAPD:
@@ -276,7 +280,7 @@ def _find_command(self, cmd, in_sbin=False):
if command is None:
raise ValueError(
"Command '{}' not found. Set the {} environment variable to "
- "override slapdtest's search path.".format(cmd, var_name)
+ "override slapdtest's search path: {}.".format(cmd, var_name, path)
)
return command
@@ -347,6 +351,7 @@ def gen_config(self):
'cafile': self.cafile,
'servercert': self.servercert,
'serverkey': self.serverkey,
+ 'slapd_path': self.SBIN_PATH,
}
return self.slapd_conf_template % config_dict
@@ -407,12 +412,17 @@ def _start_slapd(self):
'-F', self._slapd_conf,
'-h', ' '.join(urls),
]
+ stderr = None
if self._log.isEnabledFor(logging.DEBUG):
slapd_args.extend(['-d', '-1'])
+ stderr = os.open(os.path.join(self.testrundir, 'slapd.log'), os.O_WRONLY|os.O_CREAT)
else:
slapd_args.extend(['-d', '0'])
self._log.info('starting slapd: %r', ' '.join(slapd_args))
- self._proc = subprocess.Popen(slapd_args)
+ self._proc = subprocess.Popen(slapd_args, stderr=stderr)
+ if stderr is not None:
+ os.close(stderr)
+ stderr = None
# Waits until the LDAP server socket is open, or slapd crashed
deadline = time.monotonic() + 10
# no cover to avoid spurious coverage changes, see
@@ -452,7 +462,7 @@ def start(self):
self._proc.pid, self.ldap_uri, self.ldapi_uri
)
- def stop(self):
+ def stop(self, cleanup=True):
"""
Stops the slapd server, and waits for it to terminate and cleans up
"""
@@ -460,15 +470,24 @@ def stop(self):
self._log.debug('stopping slapd with pid %d', self._proc.pid)
self._proc.terminate()
self.wait()
- self._cleanup_rundir()
+ if cleanup:
+ self._cleanup_rundir()
atexit.unregister(self.stop)
def restart(self):
"""
Restarts the slapd server with same data
"""
- self._proc.terminate()
+ self.terminate()
self.wait()
+ self.resume()
+
+ def terminate(self):
+ """Terminate slapd server"""
+ self._proc.terminate()
+
+ def resume(self):
+ """Start slapd server"""
self._start_slapd()
def wait(self):
@@ -500,14 +519,17 @@ def _cli_auth_args(self):
# no cover to avoid spurious coverage changes
def _cli_popen(self, ldapcommand, extra_args=None, ldap_uri=None,
- stdin_data=None): # pragma: no cover
+ stdin_data=None, tool=None): # pragma: no cover
if ldap_uri is None:
ldap_uri = self.default_ldap_uri
if ldapcommand.split("/")[-1].startswith("ldap"):
args = [ldapcommand, '-H', ldap_uri] + self._cli_auth_args()
else:
- args = [ldapcommand, '-F', self._slapd_conf]
+ if tool:
+ args = [ldapcommand, '-T', tool, '-F', self._slapd_conf]
+ else:
+ args = [ldapcommand, '-F', self._slapd_conf]
args += (extra_args or [])
@@ -566,9 +588,10 @@ def slapadd(self, ldif, extra_args=None):
Runs slapadd on this slapd instance, passing it the ldif content
"""
self._cli_popen(
- self.PATH_SLAPADD,
+ self.PATH_SLAPD,
stdin_data=ldif.encode("utf-8") if ldif else None,
extra_args=extra_args,
+ tool='add'
)
def __enter__(self):
@@ -576,7 +599,7 @@ def __enter__(self):
return self
def __exit__(self, exc_type, exc_value, traceback):
- self.stop()
+ self.stop(exc_type is None)
class SlapdTestCase(unittest.TestCase):
@@ -605,4 +628,4 @@ def setUpClass(cls):
@classmethod
def tearDownClass(cls):
- cls.server.stop()
+ cls.server.stop(False)
diff --git a/MANIFEST.in b/MANIFEST.in
index 687d2b0c..bedea8d6 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,5 +1,5 @@
include MANIFEST.in Makefile CHANGES INSTALL LICENCE README TODO
-include tox.ini .coveragerc
+include tox.ini
include Modules/*.c Modules/*.h
recursive-include Build *.cfg*
recursive-include Lib *.py
diff --git a/Makefile b/Makefile
index 577ba883..da23b374 100644
--- a/Makefile
+++ b/Makefile
@@ -20,7 +20,6 @@ Modules/constants_generated.h: Lib/ldap/constants.py
.PHONY: clean
clean:
rm -rf build dist *.egg-info .tox MANIFEST
- rm -f .coverage .coverage.*
find . \( -name '*.py[co]' -or -name '*.so*' -or -name '*.dylib' \) \
-delete
find . -depth -name __pycache__ -exec rm -rf {} \;
@@ -89,7 +88,8 @@ valgrind: build $(PYTHON_SUPP)
autoformat: indent black
indent:
- indent Modules/*.c Modules/*.h
+ indent Modules/*.c
+ indent -npsl Modules/pythonldap.h
rm -f Modules/*.c~ Modules/*.h~
black:
diff --git a/Modules/LDAPObject.c b/Modules/LDAPObject.c
index da18d575..f96a6068 100644
--- a/Modules/LDAPObject.c
+++ b/Modules/LDAPObject.c
@@ -1,16 +1,10 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
+#include "pythonldap.h"
#include "patchlevel.h"
#include
#include
-#include "constants.h"
-#include "LDAPObject.h"
-#include "ldapcontrol.h"
-#include "message.h"
-#include "berval.h"
-#include "options.h"
#ifdef HAVE_SASL
#include
@@ -276,13 +270,8 @@ attrs_from_List(PyObject *attrlist, char ***attrsp)
if (attrlist == Py_None) {
/* None means a NULL attrlist */
-#if PY_MAJOR_VERSION == 2
- }
- else if (PyBytes_Check(attrlist)) {
-#else
}
else if (PyUnicode_Check(attrlist)) {
-#endif
/* caught by John Benninghoff */
LDAPerror_TypeError
("attrs_from_List(): expected *list* of strings, not a string",
@@ -293,17 +282,16 @@ attrs_from_List(PyObject *attrlist, char ***attrsp)
PyObject *item = NULL;
Py_ssize_t i, len, strlen;
-#if PY_MAJOR_VERSION >= 3
const char *str;
-#else
- char *str;
-#endif
seq = PySequence_Fast(attrlist, "expected list of strings or None");
if (seq == NULL)
goto error;
- len = PySequence_Length(attrlist);
+ len = PySequence_Size(seq);
+ if (len == -1) {
+ goto error;
+ }
attrs = PyMem_NEW(char *, len + 1);
@@ -315,24 +303,12 @@ attrs_from_List(PyObject *attrlist, char ***attrsp)
item = PySequence_Fast_GET_ITEM(seq, i);
if (item == NULL)
goto error;
-#if PY_MAJOR_VERSION == 2
- /* Encoded in Python to UTF-8 */
- if (!PyBytes_Check(item)) {
- LDAPerror_TypeError
- ("attrs_from_List(): expected bytes in list", item);
- goto error;
- }
- if (PyBytes_AsStringAndSize(item, &str, &strlen) == -1) {
- goto error;
- }
-#else
if (!PyUnicode_Check(item)) {
LDAPerror_TypeError
("attrs_from_List(): expected string in list", item);
goto error;
}
str = PyUnicode_AsUTF8AndSize(item, &strlen);
-#endif
/* Make a copy. PyBytes_AsString* / PyUnicode_AsUTF8* return
* internal values that must be treated like const char. Python
* 3.7 actually returns a const char.
@@ -521,7 +497,7 @@ l_ldap_add_ext(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_simple_bind */
@@ -572,7 +548,7 @@ l_ldap_simple_bind(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
#ifdef HAVE_SASL
@@ -730,7 +706,7 @@ l_ldap_sasl_bind_s(LDAPObject *self, PyObject *args)
}
else if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(ldaperror);
+ return PyLong_FromLong(ldaperror);
}
static PyObject *
@@ -757,15 +733,9 @@ l_ldap_sasl_interactive_bind_s(LDAPObject *self, PyObject *args)
* unsigned int, we need to use the "I" flag if we're running Python 2.3+ and a
* "i" otherwise.
*/
-#if (PY_MAJOR_VERSION == 2) && (PY_MINOR_VERSION < 3)
- if (!PyArg_ParseTuple
- (args, "sOOOi:sasl_interactive_bind_s", &who, &SASLObject,
- &serverctrls, &clientctrls, &sasl_flags))
-#else
if (!PyArg_ParseTuple
(args, "sOOOI:sasl_interactive_bind_s", &who, &SASLObject,
&serverctrls, &clientctrls, &sasl_flags))
-#endif
return NULL;
if (not_valid(self))
@@ -809,7 +779,7 @@ l_ldap_sasl_interactive_bind_s(LDAPObject *self, PyObject *args)
if (msgid != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
#endif
@@ -858,7 +828,7 @@ l_ldap_cancel(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
#endif
@@ -912,7 +882,7 @@ l_ldap_compare_ext(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_delete_ext */
@@ -958,7 +928,7 @@ l_ldap_delete_ext(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_modify_ext */
@@ -1015,7 +985,7 @@ l_ldap_modify_ext(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_rename */
@@ -1065,7 +1035,7 @@ l_ldap_rename(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_result4 */
@@ -1281,7 +1251,7 @@ l_ldap_search_ext(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_whoami_s (available since OpenLDAP 2.1.13) */
@@ -1451,7 +1421,7 @@ l_ldap_passwd(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
}
/* ldap_extended_operation */
@@ -1502,7 +1472,39 @@ l_ldap_extended_operation(LDAPObject *self, PyObject *args)
if (ldaperror != LDAP_SUCCESS)
return LDAPerror(self->ldap);
- return PyInt_FromLong(msgid);
+ return PyLong_FromLong(msgid);
+}
+
+/* ldap_connect */
+
+static PyObject *
+l_ldap_connect(LDAPObject *self, PyObject Py_UNUSED(args))
+{
+#if LDAP_VENDOR_VERSION >= 20500
+ int ldaperror;
+
+ if (ldap_version_info.ldapai_vendor_version < 20500)
+#endif
+ {
+ PyErr_SetString(PyExc_NotImplementedError,
+ "loaded libldap doesn't support this feature");
+ return NULL;
+ }
+
+#if LDAP_VENDOR_VERSION >= 20500
+ if (not_valid(self))
+ return NULL;
+
+ LDAP_BEGIN_ALLOW_THREADS(self);
+ ldaperror = ldap_connect(self->ldap);
+ LDAP_END_ALLOW_THREADS(self);
+
+ if ( ldaperror != LDAP_SUCCESS )
+ return LDAPerror(self->ldap);
+
+ Py_INCREF(Py_None);
+ return Py_None;
+#endif
}
/* methods */
@@ -1534,6 +1536,7 @@ static PyMethodDef methods[] = {
{"cancel", (PyCFunction)l_ldap_cancel, METH_VARARGS},
#endif
{"extop", (PyCFunction)l_ldap_extended_operation, METH_VARARGS},
+ {"connect", (PyCFunction)l_ldap_connect, METH_NOARGS},
{NULL, NULL}
};
diff --git a/Modules/LDAPObject.h b/Modules/LDAPObject.h
deleted file mode 100644
index 4af0b382..00000000
--- a/Modules/LDAPObject.h
+++ /dev/null
@@ -1,38 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_LDAPObject
-#define __h_LDAPObject
-
-#include "common.h"
-
-typedef struct {
- PyObject_HEAD LDAP *ldap;
- PyThreadState *_save; /* for thread saving on referrals */
- int valid;
-} LDAPObject;
-
-extern PyTypeObject LDAP_Type;
-
-#define LDAPObject_Check(v) (Py_TYPE(v) == &LDAP_Type)
-
-extern LDAPObject *newLDAPObject(LDAP *);
-
-/* macros to allow thread saving in the context of an LDAP connection */
-
-#define LDAP_BEGIN_ALLOW_THREADS( l ) \
- { \
- LDAPObject *lo = (l); \
- if (lo->_save != NULL) \
- Py_FatalError( "saving thread twice?" ); \
- lo->_save = PyEval_SaveThread(); \
- }
-
-#define LDAP_END_ALLOW_THREADS( l ) \
- { \
- LDAPObject *lo = (l); \
- PyThreadState *_save = lo->_save; \
- lo->_save = NULL; \
- PyEval_RestoreThread( _save ); \
- }
-
-#endif /* __h_LDAPObject */
diff --git a/Modules/berval.c b/Modules/berval.c
index 7435ee0a..39cc98a8 100644
--- a/Modules/berval.c
+++ b/Modules/berval.c
@@ -1,7 +1,6 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "berval.h"
+#include "pythonldap.h"
/*
* Copies out the data from a berval, and returns it as a new Python object,
@@ -17,7 +16,7 @@ LDAPberval_to_object(const struct berval *bv)
{
PyObject *ret = NULL;
- if (!bv) {
+ if (!bv || !bv->bv_val) {
ret = Py_None;
Py_INCREF(ret);
}
diff --git a/Modules/berval.h b/Modules/berval.h
deleted file mode 100644
index 9c427240..00000000
--- a/Modules/berval.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_berval
-#define __h_berval
-
-#include "common.h"
-
-PyObject *LDAPberval_to_object(const struct berval *bv);
-PyObject *LDAPberval_to_unicode_object(const struct berval *bv);
-
-#endif /* __h_berval_ */
diff --git a/Modules/common.c b/Modules/common.c
index 9d7001c0..4cfee744 100644
--- a/Modules/common.c
+++ b/Modules/common.c
@@ -1,7 +1,7 @@
/* Miscellaneous common routines
* See https://www.python-ldap.org/ for details. */
-#include "common.h"
+#include "pythonldap.h"
/* dynamically add the methods into the module dictionary d */
diff --git a/Modules/common.h b/Modules/common.h
deleted file mode 100644
index 886024f2..00000000
--- a/Modules/common.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/* common utility macros
- * See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_common
-#define __h_common
-
-#define PY_SSIZE_T_CLEAN
-
-#include "Python.h"
-
-#if defined(HAVE_CONFIG_H)
-#include "config.h"
-#endif
-
-#include
-#include
-#include
-
-#if LDAP_API_VERSION < 2040
-#error Current python-ldap requires OpenLDAP 2.4.x
-#endif
-
-#if LDAP_VENDOR_VERSION >= 20448
- /* openldap.h with ldap_init_fd() was introduced in 2.4.48
- * see https://bugs.openldap.org/show_bug.cgi?id=8671
- */
-#define HAVE_LDAP_INIT_FD 1
-#include
-#elif (defined(__APPLE__) && (LDAP_VENDOR_VERSION == 20428))
-/* macOS system libldap 2.4.28 does not have ldap_init_fd symbol */
-#undef HAVE_LDAP_INIT_FD
-#else
- /* ldap_init_fd() has been around for a very long time
- * SSSD has been defining the function for a while, so it's probably OK.
- */
-#define HAVE_LDAP_INIT_FD 1
-#define LDAP_PROTO_TCP 1
-#define LDAP_PROTO_UDP 2
-#define LDAP_PROTO_IPC 3
-extern int ldap_init_fd(ber_socket_t fd, int proto, LDAP_CONST char *url,
- LDAP **ldp);
-#endif
-
-#if defined(MS_WINDOWS)
-#include
-#else /* unix */
-#include
-#include
-#include
-#endif
-
-#include
-#define streq( a, b ) \
- ( (*(a)==*(b)) && 0==strcmp(a,b) )
-
-extern PyObject *LDAPerror_TypeError(const char *, PyObject *);
-
-void LDAPadd_methods(PyObject *d, PyMethodDef *methods);
-
-#define PyNone_Check(o) ((o) == Py_None)
-
-/* Py2/3 compatibility */
-#if PY_VERSION_HEX >= 0x03000000
-/* In Python 3, alias PyInt to PyLong */
-#define PyInt_FromLong PyLong_FromLong
-#endif
-
-#endif /* __h_common_ */
diff --git a/Modules/constants.c b/Modules/constants.c
index 07d60653..64804e8d 100644
--- a/Modules/constants.c
+++ b/Modules/constants.c
@@ -1,9 +1,7 @@
/* constants defined for LDAP
* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "constants.h"
-#include "ldapcontrol.h"
+#include "pythonldap.h"
/* the base exception class */
@@ -107,20 +105,20 @@ LDAPraise_for_message(LDAP *l, LDAPMessage *m)
}
if (msgtype > 0) {
- pyresult = PyInt_FromLong(msgtype);
+ pyresult = PyLong_FromLong(msgtype);
if (pyresult)
PyDict_SetItemString(info, "msgtype", pyresult);
Py_XDECREF(pyresult);
}
if (msgid >= 0) {
- pyresult = PyInt_FromLong(msgid);
+ pyresult = PyLong_FromLong(msgid);
if (pyresult)
PyDict_SetItemString(info, "msgid", pyresult);
Py_XDECREF(pyresult);
}
- pyresult = PyInt_FromLong(errnum);
+ pyresult = PyLong_FromLong(errnum);
if (pyresult)
PyDict_SetItemString(info, "result", pyresult);
Py_XDECREF(pyresult);
@@ -131,7 +129,7 @@ LDAPraise_for_message(LDAP *l, LDAPMessage *m)
Py_XDECREF(str);
if (myerrno != 0) {
- pyerrno = PyInt_FromLong(myerrno);
+ pyerrno = PyLong_FromLong(myerrno);
if (pyerrno)
PyDict_SetItemString(info, "errno", pyerrno);
Py_XDECREF(pyerrno);
@@ -197,6 +195,8 @@ int
LDAPinit_constants(PyObject *m)
{
PyObject *exc, *nobj;
+ struct ldap_apifeature_info info = { 1, "X_OPENLDAP_THREAD_SAFE", 0 };
+ int thread_safe = 0;
/* simple constants */
@@ -221,6 +221,22 @@ LDAPinit_constants(PyObject *m)
return -1;
Py_INCREF(LDAPexception_class);
+#ifdef LDAP_API_FEATURE_X_OPENLDAP_THREAD_SAFE
+ if (ldap_get_option(NULL, LDAP_OPT_API_FEATURE_INFO, &info) == LDAP_SUCCESS) {
+ thread_safe = (info.ldapaif_version == 1);
+ }
+#endif
+ if (PyModule_AddIntConstant(m, "LIBLDAP_R", thread_safe) != 0)
+ return -1;
+
+ if (ldap_get_option(NULL, LDAP_OPT_API_INFO, &ldap_version_info) != LDAP_SUCCESS) {
+ PyErr_SetString(PyExc_ImportError, "unrecognised libldap version");
+ return -1;
+ }
+ if (PyModule_AddIntConstant(m, "_VENDOR_VERSION_RUNTIME",
+ ldap_version_info.ldapai_vendor_version ) != 0)
+ return -1;
+
/* Generated constants -- see Lib/ldap/constants.py */
#define add_err(n) do { \
diff --git a/Modules/constants.h b/Modules/constants.h
deleted file mode 100644
index 7b9ce53e..00000000
--- a/Modules/constants.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_constants_
-#define __h_constants_
-
-#include "common.h"
-
-extern int LDAPinit_constants(PyObject *m);
-extern PyObject *LDAPconstant(int);
-
-extern PyObject *LDAPexception_class;
-extern PyObject *LDAPerror(LDAP *);
-extern PyObject *LDAPraise_for_message(LDAP *, LDAPMessage *m);
-PyObject *LDAPerr(int errnum);
-
-#ifndef LDAP_CONTROL_PAGE_OID
-#define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319"
-#endif /* !LDAP_CONTROL_PAGE_OID */
-
-#ifndef LDAP_CONTROL_VALUESRETURNFILTER
-#define LDAP_CONTROL_VALUESRETURNFILTER "1.2.826.0.1.3344810.2.3" /* RFC 3876 */
-#endif /* !LDAP_CONTROL_VALUESRETURNFILTER */
-
-#endif /* __h_constants_ */
diff --git a/Modules/constants_generated.h b/Modules/constants_generated.h
index e357fa23..3e59f828 100644
--- a/Modules/constants_generated.h
+++ b/Modules/constants_generated.h
@@ -76,10 +76,12 @@ add_err(TOO_LATE);
add_err(CANNOT_CANCEL);
#endif
+
#if defined(LDAP_ASSERTION_FAILED)
add_err(ASSERTION_FAILED);
#endif
+
#if defined(LDAP_PROXIED_AUTHORIZATION_DENIED)
add_err(PROXIED_AUTHORIZATION_DENIED);
#endif
@@ -171,6 +173,7 @@ add_int(OPT_TIMELIMIT);
add_int(OPT_REFERRALS);
#endif
+add_int(OPT_RESULT_CODE);
add_int(OPT_ERROR_NUMBER);
add_int(OPT_RESTART);
add_int(OPT_PROTOCOL_VERSION);
@@ -186,12 +189,18 @@ add_int(OPT_DEBUG_LEVEL);
add_int(OPT_TIMEOUT);
add_int(OPT_REFHOPLIMIT);
add_int(OPT_NETWORK_TIMEOUT);
+
+#if defined(LDAP_OPT_TCP_USER_TIMEOUT)
+add_int(OPT_TCP_USER_TIMEOUT);
+#endif
+
add_int(OPT_URI);
#if defined(LDAP_OPT_DEFBASE)
add_int(OPT_DEFBASE);
#endif
+
#if HAVE_TLS
#if defined(LDAP_OPT_X_TLS)
@@ -217,18 +226,22 @@ add_int(OPT_X_TLS_TRY);
add_int(OPT_X_TLS_VERSION);
#endif
+
#if defined(LDAP_OPT_X_TLS_CIPHER)
add_int(OPT_X_TLS_CIPHER);
#endif
+
#if defined(LDAP_OPT_X_TLS_PEERCERT)
add_int(OPT_X_TLS_PEERCERT);
#endif
+
#if defined(LDAP_OPT_X_TLS_CRLCHECK)
add_int(OPT_X_TLS_CRLCHECK);
#endif
+
#if defined(LDAP_OPT_X_TLS_CRLFILE)
add_int(OPT_X_TLS_CRLFILE);
#endif
@@ -241,18 +254,61 @@ add_int(OPT_X_TLS_CRL_ALL);
add_int(OPT_X_TLS_NEWCTX);
#endif
+
#if defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
add_int(OPT_X_TLS_PROTOCOL_MIN);
#endif
+
#if defined(LDAP_OPT_X_TLS_PACKAGE)
add_int(OPT_X_TLS_PACKAGE);
#endif
+
+#if defined(LDAP_OPT_X_TLS_ECNAME)
+add_int(OPT_X_TLS_ECNAME);
+#endif
+
+
#if defined(LDAP_OPT_X_TLS_REQUIRE_SAN)
add_int(OPT_X_TLS_REQUIRE_SAN);
#endif
+
+#if defined(LDAP_OPT_X_TLS_PEERCERT)
+add_int(OPT_X_TLS_PEERCERT);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_MAX)
+add_int(OPT_X_TLS_PROTOCOL_MAX);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_SSL3)
+add_int(OPT_X_TLS_PROTOCOL_SSL3);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_0);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_1);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_2);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_3);
+#endif
+
#endif
add_int(OPT_X_SASL_MECH);
@@ -269,22 +325,27 @@ add_int(OPT_X_SASL_SSF_MAX);
add_int(OPT_X_SASL_NOCANON);
#endif
+
#if defined(LDAP_OPT_X_SASL_USERNAME)
add_int(OPT_X_SASL_USERNAME);
#endif
+
#if defined(LDAP_OPT_CONNECT_ASYNC)
add_int(OPT_CONNECT_ASYNC);
#endif
+
#if defined(LDAP_OPT_X_KEEPALIVE_IDLE)
add_int(OPT_X_KEEPALIVE_IDLE);
#endif
+
#if defined(LDAP_OPT_X_KEEPALIVE_PROBES)
add_int(OPT_X_KEEPALIVE_PROBES);
#endif
+
#if defined(LDAP_OPT_X_KEEPALIVE_INTERVAL)
add_int(OPT_X_KEEPALIVE_INTERVAL);
#endif
@@ -309,36 +370,24 @@ add_int(OPT_SUCCESS);
add_int(URL_ERR_BADSCOPE);
add_int(URL_ERR_MEM);
-#ifdef HAVE_LIBLDAP_R
-if (PyModule_AddIntConstant(m, "LIBLDAP_R", 1) != 0)
- return -1;
-#else
-if (PyModule_AddIntConstant(m, "LIBLDAP_R", 0) != 0)
- return -1;
-#endif
-
#ifdef HAVE_SASL
-if (PyModule_AddIntConstant(m, "SASL_AVAIL", 1) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "SASL_AVAIL", 1) != 0) return -1;
#else
-if (PyModule_AddIntConstant(m, "SASL_AVAIL", 0) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "SASL_AVAIL", 0) != 0) return -1;
#endif
+
#ifdef HAVE_TLS
-if (PyModule_AddIntConstant(m, "TLS_AVAIL", 1) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "TLS_AVAIL", 1) != 0) return -1;
#else
-if (PyModule_AddIntConstant(m, "TLS_AVAIL", 0) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "TLS_AVAIL", 0) != 0) return -1;
#endif
+
#ifdef HAVE_LDAP_INIT_FD
-if (PyModule_AddIntConstant(m, "INIT_FD_AVAIL", 1) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "INIT_FD_AVAIL", 1) != 0) return -1;
#else
-if (PyModule_AddIntConstant(m, "INIT_FD_AVAIL", 0) != 0)
- return -1;
+if (PyModule_AddIntConstant(m, "INIT_FD_AVAIL", 0) != 0) return -1;
#endif
add_string(CONTROL_MANAGEDSAIT);
diff --git a/Modules/functions.c b/Modules/functions.c
index b811708f..3f7f7eca 100644
--- a/Modules/functions.c
+++ b/Modules/functions.c
@@ -1,11 +1,6 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "functions.h"
-#include "LDAPObject.h"
-#include "berval.h"
-#include "constants.h"
-#include "options.h"
+#include "pythonldap.h"
/* ldap_initialize */
@@ -17,7 +12,7 @@ l_ldap_initialize(PyObject *unused, PyObject *args)
int ret;
PyThreadState *save;
- if (!PyArg_ParseTuple(args, "s:initialize", &uri))
+ if (!PyArg_ParseTuple(args, "z:initialize", &uri))
return NULL;
save = PyEval_SaveThread();
@@ -160,6 +155,222 @@ l_ldap_str2dn(PyObject *unused, PyObject *args)
return result;
}
+/* ldap_dn2str */
+
+static void
+_free_dn_structure(LDAPDN dn)
+{
+ if (dn == NULL)
+ return;
+
+ for (LDAPRDN *rdn = dn; *rdn != NULL; rdn++) {
+ for (LDAPAVA **avap = *rdn; *avap != NULL; avap++) {
+ LDAPAVA *ava = *avap;
+
+ if (ava->la_attr.bv_val) {
+ free(ava->la_attr.bv_val);
+ }
+ if (ava->la_value.bv_val) {
+ free(ava->la_value.bv_val);
+ }
+ free(ava);
+ }
+ free(*rdn);
+ }
+ free(dn);
+}
+
+/*
+ * Convert a Python list-of-list-of-(str, str, int) into an LDAPDN and
+ * call ldap_dn2bv to build a DN string.
+ *
+ * Python signature: dn2str(dn: list[list[tuple[str, str, int]]], flags: int) -> str
+ * Returns the DN string on success, or raises TypeError or RuntimeError on error.
+ */
+static PyObject *
+l_ldap_dn2str(PyObject *self, PyObject *args)
+{
+ PyObject *dn_list = NULL;
+ int flags = 0;
+ LDAPDN dn = NULL;
+ LDAPAVA *ava;
+ LDAPAVA **rdn;
+ BerValue str = { 0, NULL };
+ PyObject *py_rdn_seq = NULL, *py_ava_item = NULL;
+ PyObject *py_name = NULL, *py_value = NULL, *py_encoding = NULL;
+ PyObject *result = NULL;
+ Py_ssize_t nrdns = 0, navas = 0, name_len = 0, value_len = 0;
+ int i = 0, j = 0;
+ int ldap_err;
+ const char *name_utf8, *value_utf8;
+
+ const char *type_error_message = "expected list[list[tuple[str, str, int]]]";
+
+ if (!PyArg_ParseTuple(args, "Oi:dn2str", &dn_list, &flags)) {
+ return NULL;
+ }
+
+ if (!PySequence_Check(dn_list)) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ return NULL;
+ }
+
+ nrdns = PySequence_Size(dn_list);
+ if (nrdns < 0) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ return NULL;
+ }
+
+ /* Allocate array of LDAPRDN pointers (+1 for NULL terminator) */
+ dn = (LDAPRDN *) calloc((size_t)nrdns + 1, sizeof(LDAPRDN));
+ if (dn == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ for (i = 0; i < nrdns; i++) {
+ py_rdn_seq = PySequence_GetItem(dn_list, i); /* New reference */
+ if (py_rdn_seq == NULL) {
+ goto error_cleanup;
+ }
+ if (!PySequence_Check(py_rdn_seq)) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ goto error_cleanup;
+ }
+
+ navas = PySequence_Size(py_rdn_seq);
+ if (navas < 0) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ goto error_cleanup;
+ }
+
+ /* Allocate array of LDAPAVA* pointers (+1 for NULL terminator) */
+ rdn = (LDAPAVA **)calloc((size_t)navas + 1, sizeof(LDAPAVA *));
+ if (rdn == NULL) {
+ PyErr_NoMemory();
+ goto error_cleanup;
+ }
+
+ for (j = 0; j < navas; j++) {
+ py_ava_item = PySequence_GetItem(py_rdn_seq, j); /* New reference */
+ if (py_ava_item == NULL) {
+ goto error_cleanup;
+ }
+ /* Expect a 3‐tuple: (name: str, value: str, encoding: int) */
+ if (!PyTuple_Check(py_ava_item) || PyTuple_Size(py_ava_item) != 3) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ goto error_cleanup;
+ }
+
+ py_name = PyTuple_GetItem(py_ava_item, 0); /* Borrowed reference */
+ py_value = PyTuple_GetItem(py_ava_item, 1); /* Borrowed reference */
+ py_encoding = PyTuple_GetItem(py_ava_item, 2); /* Borrowed reference */
+
+ if (!PyUnicode_Check(py_name) || !PyUnicode_Check(py_value) || !PyLong_Check(py_encoding)) {
+ PyErr_SetString(PyExc_TypeError, type_error_message);
+ goto error_cleanup;
+ }
+
+ name_len = 0;
+ value_len = 0;
+ name_utf8 = PyUnicode_AsUTF8AndSize(py_name, &name_len);
+ value_utf8 = PyUnicode_AsUTF8AndSize(py_value, &value_len);
+ if (name_utf8 == NULL || value_utf8 == NULL) {
+ goto error_cleanup;
+ }
+
+ ava = (LDAPAVA *) calloc(1, sizeof(LDAPAVA));
+
+ if (ava == NULL) {
+ PyErr_NoMemory();
+ goto error_cleanup;
+ }
+
+ ava->la_attr.bv_val = (char *)malloc((size_t)name_len + 1);
+ if (ava->la_attr.bv_val == NULL) {
+ free(ava);
+ PyErr_NoMemory();
+ goto error_cleanup;
+ }
+ memcpy(ava->la_attr.bv_val, name_utf8, (size_t)name_len);
+ ava->la_attr.bv_val[name_len] = '\0';
+ ava->la_attr.bv_len = (ber_len_t) name_len;
+
+ ava->la_value.bv_val = (char *)malloc((size_t)value_len + 1);
+ if (ava->la_value.bv_val == NULL) {
+ free(ava->la_attr.bv_val);
+ free(ava);
+ PyErr_NoMemory();
+ goto error_cleanup;
+ }
+ memcpy(ava->la_value.bv_val, value_utf8, (size_t)value_len);
+ ava->la_value.bv_val[value_len] = '\0';
+ ava->la_value.bv_len = (ber_len_t) value_len;
+
+ ava->la_flags = (int)PyLong_AsLong(py_encoding);
+ if (PyErr_Occurred()) {
+ /* Encoding conversion failed */
+ free(ava->la_attr.bv_val);
+ free(ava->la_value.bv_val);
+ free(ava);
+ goto error_cleanup;
+ }
+
+ rdn[j] = ava;
+ Py_DECREF(py_ava_item);
+ py_ava_item = NULL;
+ }
+
+ /* Null‐terminate the RDN */
+ rdn[navas] = NULL;
+
+ dn[i] = rdn;
+ Py_DECREF(py_rdn_seq);
+ py_rdn_seq = NULL;
+ }
+
+ /* Null‐terminate the DN */
+ dn[nrdns] = NULL;
+
+ /* Call ldap_dn2bv to build a DN string */
+ ldap_err = ldap_dn2bv(dn, &str, flags);
+ if (ldap_err != LDAP_SUCCESS) {
+ PyErr_SetString(PyExc_RuntimeError, ldap_err2string(ldap_err));
+ goto error_cleanup;
+ }
+
+ result = PyUnicode_FromString(str.bv_val);
+ if (result == NULL) {
+ goto error_cleanup;
+ }
+
+ /* Free the memory allocated by ldap_dn2bv */
+ ldap_memfree(str.bv_val);
+ str.bv_val = NULL;
+
+ /* Free our local DN structure */
+ _free_dn_structure(dn);
+ dn = NULL;
+
+ return result;
+
+ error_cleanup:
+ /* Free any partially built DN structure */
+ _free_dn_structure(dn);
+ dn = NULL;
+
+ /* If ldap_dn2bv allocated something, free it */
+ if (str.bv_val) {
+ ldap_memfree(str.bv_val);
+ str.bv_val = NULL;
+ }
+
+ /* Cleanup Python temporaries */
+ Py_XDECREF(py_ava_item);
+ Py_XDECREF(py_rdn_seq);
+ return NULL;
+}
+
/* ldap_set_option (global options) */
static PyObject *
@@ -196,6 +407,7 @@ static PyMethodDef methods[] = {
{"initialize_fd", (PyCFunction)l_ldap_initialize_fd, METH_VARARGS},
#endif
{"str2dn", (PyCFunction)l_ldap_str2dn, METH_VARARGS},
+ {"dn2str", (PyCFunction)l_ldap_dn2str, METH_VARARGS},
{"set_option", (PyCFunction)l_ldap_set_option, METH_VARARGS},
{"get_option", (PyCFunction)l_ldap_get_option, METH_VARARGS},
{NULL, NULL}
diff --git a/Modules/functions.h b/Modules/functions.h
deleted file mode 100644
index 2aef9740..00000000
--- a/Modules/functions.h
+++ /dev/null
@@ -1,9 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_functions_
-#define __h_functions_
-
-#include "common.h"
-extern void LDAPinit_functions(PyObject *);
-
-#endif /* __h_functions_ */
diff --git a/Modules/ldapcontrol.c b/Modules/ldapcontrol.c
index e287e9a3..4a37b614 100644
--- a/Modules/ldapcontrol.c
+++ b/Modules/ldapcontrol.c
@@ -1,10 +1,6 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "LDAPObject.h"
-#include "ldapcontrol.h"
-#include "berval.h"
-#include "constants.h"
+#include "pythonldap.h"
/* Prints to stdout the contents of an array of LDAPControl objects */
diff --git a/Modules/ldapcontrol.h b/Modules/ldapcontrol.h
deleted file mode 100644
index 74cae423..00000000
--- a/Modules/ldapcontrol.h
+++ /dev/null
@@ -1,13 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_ldapcontrol
-#define __h_ldapcontrol
-
-#include "common.h"
-
-void LDAPinit_control(PyObject *d);
-void LDAPControl_List_DEL(LDAPControl **);
-int LDAPControls_from_object(PyObject *, LDAPControl ***);
-PyObject *LDAPControls_to_List(LDAPControl **ldcs);
-
-#endif /* __h_ldapcontrol */
diff --git a/Modules/ldapmodule.c b/Modules/ldapmodule.c
index 34d5a24c..d0735356 100644
--- a/Modules/ldapmodule.c
+++ b/Modules/ldapmodule.c
@@ -1,21 +1,14 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "constants.h"
-#include "functions.h"
-#include "ldapcontrol.h"
-
-#include "LDAPObject.h"
-
-#if PY_MAJOR_VERSION >= 3
-PyMODINIT_FUNC PyInit__ldap(void);
-#else
-PyMODINIT_FUNC init_ldap(void);
-#endif
+#include "pythonldap.h"
#define _STR(x) #x
#define STR(x) _STR(x)
+LDAPAPIInfo ldap_version_info = {
+ .ldapai_info_version = LDAP_API_INFO_VERSION,
+};
+
static char version_str[] = STR(LDAPMODULE_VERSION);
static char author_str[] = STR(LDAPMODULE_AUTHOR);
static char license_str[] = STR(LDAPMODULE_LICENSE);
@@ -33,27 +26,24 @@ static PyMethodDef methods[] = {
{NULL, NULL}
};
+static struct PyModuleDef ldap_moduledef = {
+ PyModuleDef_HEAD_INIT,
+ "_ldap", /* m_name */
+ "", /* m_doc */
+ -1, /* m_size */
+ methods, /* m_methods */
+};
+
/* module initialisation */
-/* Common initialization code */
-PyObject *
-init_ldap_module(void)
+PyMODINIT_FUNC
+PyInit__ldap()
{
PyObject *m, *d;
/* Create the module and add the functions */
-#if PY_MAJOR_VERSION >= 3
- static struct PyModuleDef ldap_moduledef = {
- PyModuleDef_HEAD_INIT,
- "_ldap", /* m_name */
- "", /* m_doc */
- -1, /* m_size */
- methods, /* m_methods */
- };
m = PyModule_Create(&ldap_moduledef);
-#else
- m = Py_InitModule("_ldap", methods);
-#endif
+
/* Initialize LDAP class */
if (PyType_Ready(&LDAP_Type) < 0) {
Py_DECREF(m);
@@ -78,17 +68,3 @@ init_ldap_module(void)
return m;
}
-
-#if PY_MAJOR_VERSION < 3
-PyMODINIT_FUNC
-init_ldap()
-{
- init_ldap_module();
-}
-#else
-PyMODINIT_FUNC
-PyInit__ldap()
-{
- return init_ldap_module();
-}
-#endif
diff --git a/Modules/message.c b/Modules/message.c
index 22aa313c..f1403237 100644
--- a/Modules/message.c
+++ b/Modules/message.c
@@ -1,10 +1,6 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "message.h"
-#include "berval.h"
-#include "ldapcontrol.h"
-#include "constants.h"
+#include "pythonldap.h"
/*
* Converts an LDAP message into a Python structure.
diff --git a/Modules/message.h b/Modules/message.h
deleted file mode 100644
index ed73f32c..00000000
--- a/Modules/message.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-#ifndef __h_message
-#define __h_message
-
-#include "common.h"
-
-extern PyObject *LDAPmessage_to_python(LDAP *ld, LDAPMessage *m, int add_ctrls,
- int add_intermediates);
-
-#endif /* __h_message_ */
diff --git a/Modules/options.c b/Modules/options.c
index db5fde3e..4577b075 100644
--- a/Modules/options.c
+++ b/Modules/options.c
@@ -1,10 +1,6 @@
/* See https://www.python-ldap.org/ for details. */
-#include "common.h"
-#include "constants.h"
-#include "LDAPObject.h"
-#include "ldapcontrol.h"
-#include "options.h"
+#include "pythonldap.h"
void
set_timeval_from_double(struct timeval *tv, double d)
@@ -40,6 +36,7 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
{
int res;
int intval;
+ unsigned int uintval;
double doubleval;
char *strval;
struct timeval tv;
@@ -56,8 +53,12 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
switch (option) {
case LDAP_OPT_API_INFO:
case LDAP_OPT_API_FEATURE_INFO:
+ case LDAP_OPT_DESC:
#ifdef HAVE_SASL
case LDAP_OPT_X_SASL_SSF:
+#endif
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+ case LDAP_OPT_X_TLS_PEERCERT:
#endif
/* Read-only options */
PyErr_SetString(PyExc_ValueError, "read-only option");
@@ -92,6 +93,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
#endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+ case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
case LDAP_OPT_X_TLS_REQUIRE_SAN:
#endif
@@ -112,10 +116,19 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
ptr = &intval;
break;
+#ifdef LDAP_OPT_TCP_USER_TIMEOUT
+ case LDAP_OPT_TCP_USER_TIMEOUT:
+#endif
+ if (!PyArg_Parse(value, "I:set_option", &uintval))
+ return 0;
+ ptr = &uintval;
+ break;
+
#ifdef HAVE_SASL
case LDAP_OPT_X_SASL_SSF_MIN:
case LDAP_OPT_X_SASL_SSF_MAX:
case LDAP_OPT_X_SASL_SSF_EXTERNAL:
+ case LDAP_OPT_X_SASL_MAXBUFSIZE:
if (!PyArg_Parse(value, "k:set_option", &blen))
return 0;
ptr = &blen;
@@ -140,9 +153,15 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
#ifdef LDAP_OPT_X_TLS_CRLFILE
case LDAP_OPT_X_TLS_CRLFILE:
#endif
+#ifdef LDAP_OPT_X_TLS_ECNAME
+ case LDAP_OPT_X_TLS_ECNAME:
+#endif
#endif
#ifdef HAVE_SASL
case LDAP_OPT_X_SASL_SECPROPS:
+#endif
+#ifdef LDAP_OPT_SOCKET_BIND_ADDRESSES
+ case LDAP_OPT_SOCKET_BIND_ADDRESSES:
#endif
/* String valued options */
if (!PyArg_Parse(value, "s:set_option", &strval))
@@ -183,8 +202,8 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
}
else {
PyErr_Format(PyExc_ValueError,
- "timeout must be >= 0 or -1/None for infinity, got %d",
- option);
+ "timeout must be >= 0 or -1/None for infinity, got %S",
+ value);
return 0;
}
break;
@@ -250,10 +269,12 @@ LDAP_get_option(LDAPObject *self, int option)
{
int res;
int intval;
+ unsigned int uintval;
struct timeval *tv;
LDAPAPIInfo apiinfo;
LDAPControl **lcs;
char *strval;
+ struct berval berbytes;
#if HAVE_SASL
/* unsigned long */
ber_len_t blen;
@@ -263,6 +284,7 @@ LDAP_get_option(LDAPObject *self, int option)
switch (option) {
#ifdef HAVE_SASL
+ case LDAP_OPT_X_SASL_SECPROPS:
case LDAP_OPT_X_SASL_SSF_EXTERNAL:
/* Write-only options */
PyErr_SetString(PyExc_ValueError, "write-only option");
@@ -320,6 +342,9 @@ LDAP_get_option(LDAPObject *self, int option)
#ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
case LDAP_OPT_X_TLS_PROTOCOL_MIN:
#endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+ case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
case LDAP_OPT_X_TLS_REQUIRE_SAN:
#endif
@@ -343,12 +368,22 @@ LDAP_get_option(LDAPObject *self, int option)
res = LDAP_int_get_option(self, option, &intval);
if (res != LDAP_OPT_SUCCESS)
return option_error(res, "ldap_get_option");
- return PyInt_FromLong(intval);
+ return PyLong_FromLong(intval);
+
+#ifdef LDAP_OPT_TCP_USER_TIMEOUT
+ case LDAP_OPT_TCP_USER_TIMEOUT:
+#endif
+ /* unsigned int options */
+ res = LDAP_int_get_option(self, option, &uintval);
+ if (res != LDAP_OPT_SUCCESS)
+ return option_error(res, "ldap_get_option");
+ return PyLong_FromUnsignedLong(uintval);
#ifdef HAVE_SASL
case LDAP_OPT_X_SASL_SSF:
case LDAP_OPT_X_SASL_SSF_MIN:
case LDAP_OPT_X_SASL_SSF_MAX:
+ case LDAP_OPT_X_SASL_MAXBUFSIZE:
/* ber_len_t options (unsigned long)*/
res = LDAP_int_get_option(self, option, &blen);
if (res != LDAP_OPT_SUCCESS)
@@ -383,9 +418,11 @@ LDAP_get_option(LDAPObject *self, int option)
#ifdef LDAP_OPT_X_TLS_PACKAGE
case LDAP_OPT_X_TLS_PACKAGE:
#endif
+#ifdef LDAP_OPT_X_TLS_ECNAME
+ case LDAP_OPT_X_TLS_ECNAME:
+#endif
#endif
#ifdef HAVE_SASL
- case LDAP_OPT_X_SASL_SECPROPS:
case LDAP_OPT_X_SASL_MECH:
case LDAP_OPT_X_SASL_REALM:
case LDAP_OPT_X_SASL_AUTHCID:
@@ -393,6 +430,9 @@ LDAP_get_option(LDAPObject *self, int option)
#ifdef LDAP_OPT_X_SASL_USERNAME
case LDAP_OPT_X_SASL_USERNAME:
#endif
+#endif
+#ifdef LDAP_OPT_SOCKET_BIND_ADDRESSES
+ case LDAP_OPT_SOCKET_BIND_ADDRESSES:
#endif
/* String-valued options */
res = LDAP_int_get_option(self, option, &strval);
@@ -406,6 +446,19 @@ LDAP_get_option(LDAPObject *self, int option)
ldap_memfree(strval);
return v;
+#ifdef HAVE_TLS
+#ifdef LDAP_OPT_X_TLS_PEERCERT
+ case LDAP_OPT_X_TLS_PEERCERT:
+#endif
+#endif
+ /* Options dealing with raw data */
+ res = LDAP_int_get_option(self, option, &berbytes);
+ if (res != LDAP_OPT_SUCCESS)
+ return option_error(res, "ldap_get_option");
+ v = LDAPberval_to_object(&berbytes);
+ ldap_memfree(berbytes.bv_val);
+ return v;
+
case LDAP_OPT_TIMEOUT:
case LDAP_OPT_NETWORK_TIMEOUT:
/* Double-valued timeval options */
diff --git a/Modules/options.h b/Modules/options.h
deleted file mode 100644
index fd6a5ce2..00000000
--- a/Modules/options.h
+++ /dev/null
@@ -1,7 +0,0 @@
-/* See https://www.python-ldap.org/ for details. */
-
-int LDAP_optionval_by_name(const char *name);
-int LDAP_set_option(LDAPObject *self, int option, PyObject *value);
-PyObject *LDAP_get_option(LDAPObject *self, int option);
-
-void set_timeval_from_double(struct timeval *tv, double d);
diff --git a/Modules/pythonldap.h b/Modules/pythonldap.h
new file mode 100644
index 00000000..35ed0d92
--- /dev/null
+++ b/Modules/pythonldap.h
@@ -0,0 +1,133 @@
+/* common utility macros
+ * See https://www.python-ldap.org/ for details. */
+
+#ifndef pythonldap_h
+#define pythonldap_h
+
+/* *** common *** */
+#define PY_SSIZE_T_CLEAN
+
+#include "Python.h"
+
+#if defined(HAVE_CONFIG_H)
+#include "config.h"
+#endif
+
+#include
+#include
+#include
+
+#if LDAP_VENDOR_VERSION < 20400
+#error Current python-ldap requires OpenLDAP 2.4.x
+#endif
+
+#if LDAP_VENDOR_VERSION >= 20448
+ /* openldap.h with ldap_init_fd() was introduced in 2.4.48
+ * see https://bugs.openldap.org/show_bug.cgi?id=8671
+ */
+#define HAVE_LDAP_INIT_FD 1
+#include
+#elif (defined(__APPLE__) && (LDAP_VENDOR_VERSION == 20428))
+/* macOS system libldap 2.4.28 does not have ldap_init_fd symbol */
+#undef HAVE_LDAP_INIT_FD
+#else
+ /* ldap_init_fd() has been around for a very long time
+ * SSSD has been defining the function for a while, so it's probably OK.
+ */
+#define HAVE_LDAP_INIT_FD 1
+#define LDAP_PROTO_TCP 1
+#define LDAP_PROTO_UDP 2
+#define LDAP_PROTO_IPC 3
+LDAP_F(int) ldap_init_fd(ber_socket_t fd, int proto, LDAP_CONST char *url,
+ LDAP **ldp);
+#endif
+
+#if defined(MS_WINDOWS)
+#include
+#else /* unix */
+#include
+#include
+#include
+#endif
+
+#define PYLDAP_FUNC(rtype) rtype
+#define PYLDAP_DATA(rtype) extern rtype
+
+PYLDAP_FUNC(PyObject *) LDAPerror_TypeError(const char *, PyObject *);
+
+PYLDAP_FUNC(void) LDAPadd_methods(PyObject *d, PyMethodDef *methods);
+
+#define PyNone_Check(o) ((o) == Py_None)
+
+/* *** berval *** */
+PYLDAP_FUNC(PyObject *) LDAPberval_to_object(const struct berval *bv);
+PYLDAP_FUNC(PyObject *) LDAPberval_to_unicode_object(const struct berval *bv);
+
+/* *** constants *** */
+PYLDAP_FUNC(int) LDAPinit_constants(PyObject *m);
+
+PYLDAP_DATA(PyObject *) LDAPexception_class;
+PYLDAP_FUNC(PyObject *) LDAPerror(LDAP *);
+PYLDAP_FUNC(PyObject *) LDAPraise_for_message(LDAP *, LDAPMessage *m);
+PYLDAP_FUNC(PyObject *) LDAPerr(int errnum);
+
+PYLDAP_DATA(LDAPAPIInfo) ldap_version_info;
+
+#ifndef LDAP_CONTROL_PAGE_OID
+#define LDAP_CONTROL_PAGE_OID "1.2.840.113556.1.4.319"
+#endif /* !LDAP_CONTROL_PAGE_OID */
+
+#ifndef LDAP_CONTROL_VALUESRETURNFILTER
+#define LDAP_CONTROL_VALUESRETURNFILTER "1.2.826.0.1.3344810.2.3" /* RFC 3876 */
+#endif /* !LDAP_CONTROL_VALUESRETURNFILTER */
+
+/* *** functions *** */
+PYLDAP_FUNC(void) LDAPinit_functions(PyObject *);
+
+/* *** ldapcontrol *** */
+PYLDAP_FUNC(void) LDAPinit_control(PyObject *d);
+PYLDAP_FUNC(void) LDAPControl_List_DEL(LDAPControl **);
+PYLDAP_FUNC(int) LDAPControls_from_object(PyObject *, LDAPControl ***);
+PYLDAP_FUNC(PyObject *) LDAPControls_to_List(LDAPControl **ldcs);
+
+/* *** ldapobject *** */
+typedef struct {
+ PyObject_HEAD LDAP *ldap;
+ PyThreadState *_save; /* for thread saving on referrals */
+ int valid;
+} LDAPObject;
+
+PYLDAP_DATA(PyTypeObject) LDAP_Type;
+PYLDAP_FUNC(LDAPObject *) newLDAPObject(LDAP *);
+
+/* macros to allow thread saving in the context of an LDAP connection */
+
+#define LDAP_BEGIN_ALLOW_THREADS( l ) \
+ { \
+ LDAPObject *lo = (l); \
+ if (lo->_save != NULL) \
+ Py_FatalError( "saving thread twice?" ); \
+ lo->_save = PyEval_SaveThread(); \
+ }
+
+#define LDAP_END_ALLOW_THREADS( l ) \
+ { \
+ LDAPObject *lo = (l); \
+ PyThreadState *_save = lo->_save; \
+ lo->_save = NULL; \
+ PyEval_RestoreThread( _save ); \
+ }
+
+/* *** messages *** */
+PYLDAP_FUNC(PyObject *)
+LDAPmessage_to_python(LDAP *ld, LDAPMessage *m, int add_ctrls,
+ int add_intermediates);
+
+/* *** options *** */
+PYLDAP_FUNC(int) LDAP_optionval_by_name(const char *name);
+PYLDAP_FUNC(int) LDAP_set_option(LDAPObject *self, int option,
+ PyObject *value);
+PYLDAP_FUNC(PyObject *) LDAP_get_option(LDAPObject *self, int option);
+PYLDAP_FUNC(void) set_timeval_from_double(struct timeval *tv, double d);
+
+#endif /* pythonldap_h */
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..752b1394
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,13 @@
+# Security Policy
+
+## Supported Versions
+
+Security updates are applied only to the latest release.
+
+## Reporting a Vulnerability
+
+If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released.
+
+Please disclose it at our [security advisory](https://github.com/python-ldap/python-ldap/security/advisories/new).
+
+This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be disclosed in a best effort base.
diff --git a/Tests/__init__.py b/Tests/__init__.py
index ea28d0ce..1a6a8836 100644
--- a/Tests/__init__.py
+++ b/Tests/__init__.py
@@ -21,3 +21,4 @@
from . import t_untested_mods
from . import t_ldap_controls_libldap
from . import t_ldap_options
+from . import t_ldap_syncrepl
diff --git a/Tests/t_cext.py b/Tests/t_cext.py
index 33fbf29a..846127f8 100644
--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -280,6 +280,29 @@ def test_simple_anonymous_bind(self):
self.assertEqual(pmsg, [])
self.assertEqual(ctrls, [])
+ @unittest.skipUnless(
+ _ldap.VENDOR_VERSION >= 20500 and \
+ _ldap._VENDOR_VERSION_RUNTIME >= 20500,
+ reason="Test requires libldap 2.5+"
+ )
+ def test_connect(self):
+ l = self._open_conn(bind=False)
+ invalid_fileno = l.get_option(_ldap.OPT_DESC)
+ l.connect()
+ fileno = l.get_option(_ldap.OPT_DESC)
+ self.assertNotEqual(invalid_fileno, fileno)
+
+ self._bind_conn(l)
+
+ @unittest.skipUnless(
+ _ldap._VENDOR_VERSION_RUNTIME < 20500,
+ reason="Test requires linking to libldap < 2.5"
+ )
+ def test_connect_notimpl(self):
+ l = self._open_conn(bind=False)
+ with self.assertRaises(NotImplementedError):
+ l.connect()
+
def test_anon_rootdse_search(self):
l = self._open_conn(bind=False)
# see if we can get the rootdse with anon search (without prior bind)
diff --git a/Tests/t_ldap_dn.py b/Tests/t_ldap_dn.py
index 86d36403..c4d9cb6c 100644
--- a/Tests/t_ldap_dn.py
+++ b/Tests/t_ldap_dn.py
@@ -40,23 +40,24 @@ def test_escape_dn_chars(self):
test function escape_dn_chars()
"""
self.assertEqual(ldap.dn.escape_dn_chars('foobar'), 'foobar')
- self.assertEqual(ldap.dn.escape_dn_chars('foo,bar'), 'foo\\,bar')
- self.assertEqual(ldap.dn.escape_dn_chars('foo=bar'), 'foo\\=bar')
+ self.assertEqual(ldap.dn.escape_dn_chars('foo,bar'), r'foo\,bar')
+ self.assertEqual(ldap.dn.escape_dn_chars('foo=bar'), r'foo\=bar')
self.assertEqual(ldap.dn.escape_dn_chars('foo#bar'), 'foo#bar')
- self.assertEqual(ldap.dn.escape_dn_chars('#foobar'), '\\#foobar')
+ self.assertEqual(ldap.dn.escape_dn_chars('#foobar'), r'\#foobar')
self.assertEqual(ldap.dn.escape_dn_chars('foo bar'), 'foo bar')
- self.assertEqual(ldap.dn.escape_dn_chars(' foobar'), '\\ foobar')
- self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ ')
- self.assertEqual(ldap.dn.escape_dn_chars(' '), '\\ \\ ')
- self.assertEqual(ldap.dn.escape_dn_chars('foobar '), 'foobar\\ ')
- self.assertEqual(ldap.dn.escape_dn_chars('f+o>o,bo\\,b\\o,bo\,b\= 0.3.7",
+ "pyasn1_modules >= 0.1.5",
+]
+
+[project.urls]
+Homepage = "https://www.python-ldap.org/"
+Documentation = "https://python-ldap.readthedocs.io/"
+Repository = "https://github.com/python-ldap/python-ldap"
+Download = "https://pypi.org/project/python-ldap/"
+Changelog = "https://github.com/python-ldap/python-ldap/blob/main/CHANGES"
+
+
+
+[tool.setuptools]
+zip-safe = false
+include-package-data = true
+license-files = ["LICENCE", "LICENCE.MIT"]
+# Explicitly list all Python modules
+py-modules = ["ldapurl", "ldif"]
+
+[tool.setuptools.dynamic]
+version = {attr = "ldap.pkginfo.__version__"}
+
+[tool.setuptools.packages.find]
+where = ["Lib"]
+
+[tool.setuptools.package-dir]
+"" = "Lib"
[tool.isort]
-line_length=88
-known_first_party=['ldap', '_ldap', 'ldapurl', 'ldif', 'slapdtest']
-sections=['FUTURE', 'STDLIB', 'THIRDPARTY', 'FIRSTPARTY', 'LOCALFOLDER']
+line_length = 88
+known_first_party = ["ldap", "_ldap", "ldapurl", "ldif", "slapdtest"]
+sections = ["FUTURE", "STDLIB", "THIRDPARTY", "FIRSTPARTY", "LOCALFOLDER"]
+
+[tool.coverage.run]
+branch = true
+source = [
+ "ldap",
+ "ldif",
+ "ldapurl",
+ "slapdtest",
+]
+
+[tool.coverage.paths]
+source = [
+ "Lib/",
+ ".tox/*/lib/python*/site-packages/",
+]
+
+[tool.coverage.report]
+ignore_errors = false
+precision = 1
+exclude_lines = [
+ "pragma: no cover",
+ "raise NotImplementedError",
+ "if 0:",
+ "if __name__ == .__main__.:",
+ "if PY2",
+ "if not PY2",
+]
+
+[tool.coverage.html]
+directory = "build/htmlcov"
+title = "python-ldap coverage report"
diff --git a/setup.cfg b/setup.cfg
index 01d43a06..fdb32fbc 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -16,14 +16,16 @@ license_file = LICENCE
# These defines needs OpenLDAP built with
# ./configure --with-cyrus-sasl --with-tls
-defines = HAVE_SASL HAVE_TLS HAVE_LIBLDAP_R
+defines = HAVE_SASL HAVE_TLS
extra_compile_args =
extra_objects =
+# Uncomment this if your libldap is not thread-safe and you need libldap_r
+# instead
# Example for full-featured build:
# Support for StartTLS/LDAPS, SASL bind and reentrant libldap_r.
-libs = ldap_r lber
+#libs = ldap_r lber
# Installation options
[install]
@@ -33,7 +35,7 @@ optimize = 1
# Linux distributors/packagers should adjust these settings
[bdist_rpm]
provides = python-ldap
-requires = python libldap-2_4
+requires = python libldap-2
vendor = python-ldap project
packager = python-ldap team
distribution_name = openSUSE 11.x
diff --git a/setup.py b/setup.py
index 119b5715..f2e816be 100644
--- a/setup.py
+++ b/setup.py
@@ -1,7 +1,9 @@
"""
-setup.py - Setup package with the help Python's DistUtils
+setup.py - C extension module configuration for python-ldap
See https://www.python-ldap.org/ for details.
+This file handles only the C extension modules (_ldap) configuration,
+while pyproject.toml handles all project metadata, dependencies, and other settings.
"""
import sys,os
@@ -54,51 +56,8 @@ class OpenLDAP2:
LDAP_CLASS.extra_link_args.append('-pg')
LDAP_CLASS.libs.append('gcov')
-#-- Let distutils/setuptools do the rest
-name = 'python-ldap'
-
+#-- C extension modules configuration only
setup(
- #-- Package description
- name = name,
- license=pkginfo.__license__,
- version=pkginfo.__version__,
- description = 'Python modules for implementing LDAP clients',
- long_description = """python-ldap:
- python-ldap provides an object-oriented API to access LDAP directory servers
- from Python programs. Mainly it wraps the OpenLDAP 2.x libs for that purpose.
- Additionally the package contains modules for other LDAP-related stuff
- (e.g. processing LDIF, LDAPURLs, LDAPv3 schema, LDAPv3 extended operations
- and controls, etc.).
- """,
- author = 'python-ldap project',
- author_email = 'python-ldap@python.org',
- url = 'https://www.python-ldap.org/',
- download_url = 'https://pypi.org/project/python-ldap/',
- classifiers = [
- 'Development Status :: 5 - Production/Stable',
- 'Intended Audience :: Developers',
- 'Intended Audience :: System Administrators',
- 'Operating System :: OS Independent',
- 'Operating System :: MacOS :: MacOS X',
- 'Operating System :: Microsoft :: Windows',
- 'Operating System :: POSIX',
- 'Programming Language :: C',
-
- 'Programming Language :: Python',
- 'Programming Language :: Python :: 3',
- 'Programming Language :: Python :: 3.6',
- 'Programming Language :: Python :: 3.7',
- 'Programming Language :: Python :: 3.8',
- 'Programming Language :: Python :: 3.9',
- # Note: when updating Python versions, also change tox.ini and .github/workflows/*
-
- 'Topic :: Database',
- 'Topic :: Internet',
- 'Topic :: Software Development :: Libraries :: Python Modules',
- 'Topic :: System :: Systems Administration :: Authentication/Directory :: LDAP',
- 'License :: OSI Approved :: Python Software Foundation License',
- ],
- #-- C extension modules
ext_modules = [
Extension(
'_ldap',
@@ -114,15 +73,8 @@ class OpenLDAP2:
'Modules/berval.c',
],
depends = [
- 'Modules/LDAPObject.h',
- 'Modules/berval.h',
- 'Modules/common.h',
+ 'Modules/pythonldap.h',
'Modules/constants_generated.h',
- 'Modules/constants.h',
- 'Modules/functions.h',
- 'Modules/ldapcontrol.h',
- 'Modules/message.h',
- 'Modules/options.h',
],
libraries = LDAP_CLASS.libs,
include_dirs = ['Modules'] + LDAP_CLASS.include_dirs,
@@ -132,7 +84,6 @@ class OpenLDAP2:
extra_objects = LDAP_CLASS.extra_objects,
runtime_library_dirs = (not sys.platform.startswith("win"))*LDAP_CLASS.library_dirs,
define_macros = LDAP_CLASS.defines + \
- ('ldap_r' in LDAP_CLASS.libs or 'oldap_r' in LDAP_CLASS.libs)*[('HAVE_LIBLDAP_R',None)] + \
('sasl' in LDAP_CLASS.libs or 'sasl2' in LDAP_CLASS.libs or 'libsasl' in LDAP_CLASS.libs)*[('HAVE_SASL',None)] + \
('ssl' in LDAP_CLASS.libs and 'crypto' in LDAP_CLASS.libs)*[('HAVE_TLS',None)] + \
[
@@ -142,27 +93,4 @@ class OpenLDAP2:
]
),
],
- #-- Python "stand alone" modules
- py_modules = [
- 'ldapurl',
- 'ldif',
-
- ],
- packages = [
- 'ldap',
- 'ldap.controls',
- 'ldap.extop',
- 'ldap.schema',
- 'slapdtest',
- ],
- package_dir = {'': 'Lib',},
- data_files = LDAP_CLASS.extra_files,
- include_package_data=True,
- install_requires=[
- 'pyasn1 >= 0.3.7',
- 'pyasn1_modules >= 0.1.5',
- ],
- zip_safe=False,
- python_requires='>=3.6',
- test_suite = 'Tests',
)
diff --git a/tox.ini b/tox.ini
index aaef8b5a..0741ef29 100644
--- a/tox.ini
+++ b/tox.ini
@@ -5,19 +5,21 @@
[tox]
# Note: when updating Python versions, also change setup.py and .github/worlflows/*
-envlist = py{36,37,38,39,310},c90-py{36,37},py3-nosasltls,doc,py3-trace,pypy3
+envlist = py{39,310,311,312},py3-nosasltls,doc,py3-trace,pypy3.9
minver = 1.8
[gh-actions]
python =
- 3.6: py36
- 3.7: py37
- 3.8: py38, doc, py3-nosasltls
- 3.9: py39, py3-trace
- pypy3: pypy3
+ 3.9: py39, py3-trace, doc, py3-nosasltls
+ 3.10: py310
+ 3.11: py311
+ 3.12: py312
+ 3.13: py313
+ pypy3.9: pypy3.9
+ pypy3.10: pypy3.10
[testenv]
-deps =
+deps = setuptools
passenv = WITH_GCOV
# - Enable BytesWarning
# - Turn all warnings into exceptions.
@@ -26,6 +28,12 @@ setenv =
commands = {envpython} -bb -Werror \
-m unittest discover -v -s Tests -p 't_*' {posargs}
+[testenv:py312]
+# Python 3.12 headers are incompatible with declaration-after-statement
+setenv =
+ CFLAGS=-Wno-int-in-bool-context -Werror -std=c99
+
+
[testenv:py3-nosasltls]
basepython = python3
# don't install, install dependencies manually
@@ -90,6 +98,7 @@ deps =
markdown
sphinx
sphinxcontrib-spelling
+ setuptools
commands =
{envpython} setup.py check --restructuredtext --metadata --strict
{envpython} -m markdown README -f {envtmpdir}/README.html