From eloi.rivard at aquilenet.fr  Mon Nov 16 11:10:30 2020
From: eloi.rivard at aquilenet.fr (Éloi Rivard)
Date: Mon, 16 Nov 2020 17:10:30 +0100
Subject: [python-ldap] Overlays and python-ldap
Message-ID:

Hi.

I would like to check what overlays are installed and enabled in a
slapd instance (for instance ppolicy or memberof). I am not really sure
how to achieve this, and was hoping to find some clues here.

Also, by playing with the ObjectClass [1] class and the subschema
module, I can find all the available attributes for a given class, say
inetOrgPerson. Enabling the memberof module would allow a new virtual
'memberof' attribute. However I could not manage to get the information
"the memberof attribute is available on that class" in a pythonic way.

Do you have some clues? Should I open a feature request ticket?

Thank you

[1] https://www.python-ldap.org/en/python-ldap-3.3.0/reference/ldap-schema.html?highlight=objectclass#ldap.schema.models.ObjectClass

From ondra at mistotebe.net  Tue Nov 17 10:45:06 2020
From: ondra at mistotebe.net (Ondřej Kuzník)
Date: Tue, 17 Nov 2020 16:45:06 +0100
Subject: [python-ldap] Overlays and python-ldap
In-Reply-To:
References:
Message-ID: <20201117154506.GK22418@mistotebe.net>

On Mon, Nov 16, 2020 at 05:10:30PM +0100, Éloi Rivard wrote:
> Hi.
>
> I would like to check what overlays are installed and enabled in a
> slapd instance (for instance ppolicy or memberof). I am not really sure
> how to achieve this, and was hoping to find some clues here.

Hi Éloi,
to see what overlays are enabled on a backend, you need read access to
cn=config or cn=monitor to tell. If you just want to use a control, see
if it's listed in the rootDSE, if you want to use an objectClass, see
if it's listed in the schema subentry.

> Also, by playing with the ObjectClass [1] class and the subschema
> module, I can find all the available attributes for a given class, say
> inetOrgPerson.
> Enabling the memberof module would allow a new virtual
> 'memberof' attribute. However I could not manage to get the information
> "the memberof attribute is available on that class" in a pythonic way.

Depends on the attribute. If memberof is marked operational (which the
OpenLDAP overlay does), it is managed by the server and operates
outside objectClass restrictions.

> Do you have some clues? Should I open a feature request ticket?

From christian at python.org  Tue Nov 17 13:18:16 2020
From: christian at python.org (Christian Heimes)
Date: Tue, 17 Nov 2020 19:18:16 +0100
Subject: [python-ldap] Overlays and python-ldap
In-Reply-To:
References:
Message-ID:

On 16/11/2020 17.10, Éloi Rivard wrote:
> Hi.
>
> I would like to check what overlays are installed and enabled in a
> slapd instance (for instance ppolicy or memberof). I am not really sure
> how to achieve this, and was hoping to find some clues here.
>
> Also, by playing with the ObjectClass [1] class and the subschema
> module, I can find all the available attributes for a given class, say
> inetOrgPerson. Enabling the memberof module would allow a new virtual
> 'memberof' attribute. However I could not manage to get the information
> "the memberof attribute is available on that class" in a pythonic way.
>
> Do you have some clues? Should I open a feature request ticket?

As Ondřej already explained, supported controls are listed in the root
DSE entry. Supported controls, extensions, features, and other flags
are available for anonymous binds. The attribute names and OIDs are
standardized. Example:

>>> import ldap
>>> from ldap.controls import SimplePagedResultsControl
>>> oid = SimplePagedResultsControl.controlType.encode('ascii')
>>> oid
b'1.2.840.113556.1.4.319'
>>> conn = ldap.initialize("ldap://localhost")
>>> oid in conn.read_rootdse_s()['supportedControl']
True

Features like the memberOf plugin are implementation specific. 389-DS has
its configuration in "cn=MemberOf Plugin,cn=plugins,cn=config".
The entry is only accessible by the "cn=Directory Manager" user. OpenLDAP
may store the plugin configuration somewhere else.

In 389-DS the "memberOf" attribute must be defined in one or more
objectClasses of an entry. For example 389-DS defines nsMemberOf class:

( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf'
  DESC 'Allow memberOf assignment on groups for nesting and users'
  SUP top AUXILIARY MAY memberOf
  X-ORIGIN ( '389 Directory Server Project' 'user defined' ) )

Fun fact: The "ns" prefix stands for Netscape.

Christian
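
The two cases raised in this thread (memberOf marked operational, versus memberOf listed in an objectClass), as an added example that is not part of the original messages or of python-ldap: a standard-library parser for schema subentry values. The function names and both memberOf attribute definitions (OIDs under the 2.999 example arc) are assumptions; nsMemberOf is quoted from the thread and person is from RFC 4519.

```python
import re

# RFC 4512 schema description tokens: parentheses, '$', quoted strings, bare words.
TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")
# Keywords followed by a value; any other keyword (AUXILIARY, ...) is a flag.
VALUED = {"NAME", "DESC", "SUP", "MUST", "MAY", "USAGE", "SYNTAX", "EQUALITY"}

def parse_description(text):
    """Parse one objectClasses/attributeTypes value into {KEYWORD: [values]}."""
    toks = TOKEN.findall(text)[1:-1]            # drop the outer parentheses
    fields, i = {"OID": [toks[0]]}, 1
    while i < len(toks):
        key, values = toks[i], []
        i += 1
        if key in VALUED or key.startswith("X-"):
            if toks[i] == "(":                  # parenthesised list of values
                end = toks.index(")", i)
                values, i = toks[i + 1:end], end + 1
            else:                               # single value
                values, i = [toks[i]], i + 1
        fields[key] = [v.strip("'") for v in values if v != "$"]
    return fields

def is_operational(attr, attribute_types):
    """True if the schema marks attr with a USAGE other than userApplications."""
    for at in map(parse_description, attribute_types):
        if attr.lower() in (n.lower() for n in at.get("NAME", [])):
            return at.get("USAGE", ["userApplications"])[0] != "userApplications"
    return False

def classes_allowing(attr, object_classes):
    """Names of objectClasses listing attr in MUST or MAY (SUP chain not followed)."""
    parsed = map(parse_description, object_classes)
    return [oc["NAME"][0] for oc in parsed
            if attr.lower() in (a.lower() for a in oc.get("MUST", []) + oc.get("MAY", []))]

# Constructed schema subentry values. nsMemberOf is the definition quoted in the
# thread and person is from RFC 4519; both memberOf definitions are made up
# (OIDs under the 2.999 example arc) to model the two server behaviours.
OBJECT_CLASSES = [
    "( 2.16.840.1.113730.3.2.329 NAME 'nsMemberOf' DESC 'Allow memberOf "
    "assignment on groups for nesting and users' SUP top AUXILIARY MAY memberOf "
    "X-ORIGIN ( '389 Directory Server Project' 'user defined' ) )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
]
OPERATIONAL_MEMBEROF = ["( 2.999.1 NAME 'memberOf' SYNTAX "
                        "1.3.6.1.4.1.1466.115.121.1.12 USAGE dSAOperation NO-USER-MODIFICATION )"]
USER_MEMBEROF = ["( 2.999.2 NAME 'memberOf' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )"]
```

Against a live server the input strings are the objectClasses and attributeTypes values of the schema subentry; an attribute for which is_operational() returns True will not show up in any class's MUST or MAY list.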