Native python LDAP?
michael at stroeder.com
Mon Feb 21 18:30:31 CET 2005
nice to see you here. Sorry for following up so late. I'm swamped with
orga stuff so this rather long response took a while...
Rich Megginson wrote:
> Has anyone ever thought about doing a native (not based on ldap sdk
> binaries) python LDAP client?
Yes, every now and then I'm thinking about this. In fact the LDAPObject
wrapper class was the first step towards that. Modules ldap.schema, ldif
and ldapurl are pure Python by purpose. I wanted to reduce dependencies
on LDAP C SDKs whereever I could...
Actually there is 'ldaptor' which is a pure-Python LDAP implementation
based on Twisted. But the web site is very unclear, no docs, no release
history, no response from the author to my request of working together,
and last not least a strong dependency on Twisted. :-(
There are various good reasons for reimplementing python-ldap from the
The RFC1823-style API still looks through the LDAPObject class letting
application code look very unpythonic.
The data types returned from and passed to LDAPObject methods are not
specific to python-ldap:
- list of dicts for search results
- no clear distinction between search results and search continuations
- raw lists for change records
With LDAPControls we cannot stay away from messing with BER any longer.
Therefore we could reimplement much of the LDAP protocol stuff following
a nice object model.
Compiling the various SDKs is a mess on some platforms (e.g. building
OpenLDAP libs on Win32). The binaries are often behind the current
release although some people are really doing great work providing
up-to-date pre-built binaries.
Licensing situation not suitable for contributing python-ldap to
Python's standard lib.
> Something like Net::LDAP (which is a very
> nice object model, even though it's perl).
Don't know this since I never used Perl. If it's really a good object
model we could simply borrow from it.
> It depends on several modules being available.
Yes, that's where the sadness begins...
> For example, is there a python ASN.1 parser?
The short answer: No there's no standard ASN.1 / BER / DER module for
Python which could just be imported by python-ldap without any licensing
and installation hassles.
The long answer:
There are some BER modules in SNMP modules. Don't know how to solve the
In web2ldap I'm using a slightly modified version of pisces.asn1 which
is under old CNRI license. The author planned to work out a better
license with CNRI but got stuck.
=> It boils down to developing a ASN.1 module and contribute it to
Python's standard libs (following licensing advice by PSF from the very
> Most everything else is already available in python - sockets, ssl, etc.
Hmm, SSL support in Python's standard lib is very basic. AFAIK there's
no proper certificate and CRL checking at all. And there's also SASL,
Kerberos, etc. to think about.
Off course I'd be willing to put work into it. But it would need several
developers to reach the same functional level as today's python-ldap
within a reasonable time frame.
Let's discuss design goals...mine are:
Let's call the module 'ldap2'.
'ldap2' should go into Python's standard lib in the long run.
Drop back-ward compabilty to 'ldap'. One could try to implement a
compability class API later but this should not be a first-time
requirement which then turns out to be an obstacle for a clean object model.
Drop support for Python versions prior 2.3 (because of sets, datetime
and various other modules)
Add support for Unicode whereever suitable.
....to be continued...
More information about the python-ldap