[python-ldap] ldap.initialize() URLs must only contain scheme and hostport components: Commas break inside OpenLDAP

Michael Ströder michael at stroeder.com
Wed Aug 16 06:39:56 EDT 2017

Karl Kornel wrote:
> On Wednesday, August 16, 2017 at 1:28 AM, Michael Ströder said:
>> Hmm, maybe we should just repeat the wording from ldap_initialize(3):
>> "The uri parameter may be a comma- or whitespace-separated list of URIs containing
>> only the schema, the host, and the port fields."
> I think that would be fine, with one note: For ReconnectLDAPObject, I think it should
> note what the behavior is when you initialize it with multiple URLs.  For example,
> would it only try to reconnect to the initial URL that is used, or would it re-try all
> URLs?

It simply passes the very same uri value to C wrapper method _ldap.initialize() no matter
whether it contains multiple URIs or not.

Generally I try to avoid making (Reconnect)LDAPObject too smart. Therefore I don't
recommend passing multiple comma-/space-separated URIs to ldap.initialize() or
ReconnectLDAPObject.__init__() without careful consideration. Because with such an
implicit fail-over under the hood you could run into subtle read-after-write issues when
accessing multiple writeable replicas (multi-master replication).


1. You can safely use ReconnectLDAPObject with multiple uri values if your application
always reads and accepts replication latency (no strictly fresh LDAP data).

2. You should use ReconnectLDAPObject only accessing a single replica for robust write
access. Do the fail-over in the calling application if needed/possible so you can reset
your process to a well-defined entry point for avoiding read-after-write issues.

>> LDAPUrl.initializeUrl() to ldap.initialize().
> Ah, I was not aware of that method!  I don't see it mentioned anywhere in the online
> ldapurl module documentation, so I didn't know it was there.

Yes, unfortunately the docs are not complete. :-(
More doc patches would be highly appreciated.

Ciao, Michael.
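
Added example, not part of the original message and not python-ldap's own code: one way to check that each URI carries only scheme and hostport, and to do the fail-over in the calling application with one URI per connection, as points 1 and 2 above suggest. The names split_uris, connect_first and ldap_connect are hypothetical; ldap_connect assumes the python-ldap package is installed.

```python
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"ldap", "ldaps", "ldapi"}


def split_uris(uri_list):
    """Split a comma-/whitespace-separated URI list (the ldap_initialize(3)
    wording quoted above) and reject anything beyond scheme and hostport."""
    uris = []
    for item in re.split(r"[,\s]+", uri_list.strip()):
        if not item:
            continue
        parts = urlsplit(item)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"not an LDAP URI: {item!r}")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            # e.g. a base DN in the URL: its commas would be taken as separators
            raise ValueError(f"only scheme and hostport allowed: {item!r}")
        _ = parts.port  # raises ValueError on a malformed port
        uris.append(f"{parts.scheme}://{parts.netloc}")
    return uris


def connect_first(uris, connect):
    """Explicit fail-over in the caller: try one URI at a time and return
    (uri, connection) so the application knows which replica it talks to."""
    failures = []
    for uri in uris:
        try:
            return uri, connect(uri)
        except Exception as exc:  # with python-ldap, narrow to ldap.SERVER_DOWN
            failures.append(f"{uri}: {exc!r}")
    raise ConnectionError("no LDAP server reachable: " + "; ".join(failures))


def ldap_connect(uri):
    """Connector using python-ldap (imported lazily; requires the package)."""
    from ldap.ldapobject import ReconnectLDAPObject
    conn = ReconnectLDAPObject(uri)  # exactly one URI per object
    conn.simple_bind_s()  # anonymous bind; the first operation opens the connection
    return conn
```

With python-ldap installed, `connect_first(split_uris(configured_value), ldap_connect)` returns the replica actually in use, which the application can pin for subsequent writes.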
