Native python LDAP?

Michael Ströder michael at
Mon Feb 21 18:30:31 CET 2005


nice to see you here. Sorry for following up so late. I'm swamped with 
orga stuff so this rather long response took a while...

Rich Megginson wrote:
> Has anyone ever thought about doing a native (not based on ldap sdk 
> binaries) python LDAP client?

Yes, every now and then I'm thinking about this. In fact the LDAPObject 
wrapper class was the first step towards that. Modules ldap.schema, ldif 
and ldapurl are pure Python by purpose. I wanted to reduce dependencies 
on LDAP C SDKs whereever I could...

Actually there is 'ldaptor' which is a pure-Python LDAP implementation 
based on Twisted. But the web site is very unclear, no docs, no release 
history, no response from the author to my request of working together, 
and last not least a strong dependency on Twisted. :-(

There are various good reasons for reimplementing python-ldap from the 
ground up.

The RFC1823-style API still looks through the LDAPObject class letting 
application code look very unpythonic.

The data types returned from and passed to LDAPObject methods are not 
specific to python-ldap:
- list of dicts for search results
- no clear distinction between search results and search continuations
- raw lists for change records

With LDAPControls we cannot stay away from messing with BER any longer. 
Therefore we could reimplement much of the LDAP protocol stuff following 
a nice object model.

Compiling the various SDKs is a mess on some platforms (e.g. building 
OpenLDAP libs on Win32). The binaries are often behind the current 
release although some people are really doing great work providing 
up-to-date pre-built binaries.

Licensing situation not suitable for contributing python-ldap to 
Python's standard lib.


> Something like Net::LDAP (which is a very 
> nice object model, even though it's perl).

Don't know this since I never used Perl. If it's really a good object 
model we could simply borrow from it.

> It depends on several modules being available.

Yes, that's where the sadness begins...

> For example, is there a python ASN.1 parser?

The short answer: No there's no standard ASN.1 / BER / DER module for 
Python which could just be imported by python-ldap without any licensing 
and installation hassles.

The long answer:

There are some BER modules in SNMP modules. Don't know how to solve the 
licensing issues.

In web2ldap I'm using a slightly modified version of pisces.asn1 which 
is under old CNRI license. The author planned to work out a better 
license with CNRI but got stuck.

=> It boils down to developing a ASN.1 module and contribute it to 
Python's standard libs (following licensing advice by PSF from the very 

> Most everything else is already available in python - sockets, ssl, etc.

Hmm, SSL support in Python's standard lib is very basic. AFAIK there's 
no proper certificate and CRL checking at all. And there's also SASL, 
Kerberos, etc. to think about.

Off course I'd be willing to put work into it. But it would need several 
developers to reach the same functional level as today's python-ldap 
within a reasonable time frame.

Let's discuss design goals...mine are:

Let's call the module 'ldap2'.

'ldap2' should go into Python's standard lib in the long run.

Drop back-ward compabilty to 'ldap'. One could try to implement a 
compability class API later but this should not be a first-time 
requirement which then turns out to be an obstacle for a clean object model.

Drop support for Python versions prior 2.3 (because of sets, datetime 
and various other modules)

Add support for Unicode whereever suitable. be continued...

Ciao, Michael.

More information about the python-ldap mailing list