使用包ldap3進行Python的LDAP操做

背景：個人管理平臺系統須要在權限驗證方面與ldap集成，因此須要使用python操做LDAP。

原本想使用python-ldap，可是安裝過程當中出現以下問題，並且花費不少時間精力沒有解決該問題，因此放棄python-ldap，而使用ldap3。

E:\>pip install python-ldap
Collecting python-ldap
D:\app\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\util\ssl_.py:318: SNIMissingWarning: An HTTPS re
quest has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may
cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newe
r version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#sni
missingwarning.
  SNIMissingWarning

省略。。。
    C:\Users\zhaoxp2\AppData\Local\Programs\Common\Microsoft\Visual C++ for Python\9.0\VC\Bin\amd64\cl.exe /c /nologo /O
x /MD /W3 /GS- /DNDEBUG -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=2.4.27 -IModules -
I/usr/include -I/usr/include/sasl -I/usr/local/include -I/usr/local/include/sasl -ID:\app\Python27\include -ID:\app\Pyth
on27\PC /TcModules/LDAPObject.c /Fobuild\temp.win-amd64-2.7\Release\Modules/LDAPObject.obj
    LDAPObject.c
    c:\users\zhaoxp2\appdata\local\temp\pip-build-kecixv\python-ldap\modules\errors.h(8) : fatal error C1083: Cannot ope
n include file: 'lber.h': No such file or directory
    error: command 'C:\\Users\\zhaoxp2\\AppData\\Local\\Programs\\Common\\Microsoft\\Visual C++ for Python\\9.0\\VC\\Bin
\\amd64\\cl.exe' failed with exit status 2

    ----------------------------------------
Command "D:\app\Python27\python.exe -u -c "import setuptools, tokenize;__file__='c:\\users\\zhaoxp2\\appdata\\local\\tem
p\\pip-build-kecixv\\python-ldap\\setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n'
, '\n'), __file__, 'exec'))" install --record c:\users\zhaoxp2\appdata\local\temp\pip-f4qvel-record\install-record.txt -
-single-version-externally-managed --compile" failed with error code 1 in c:\users\zhaoxp2\appdata\local\temp\pip-build-
kecixv\python-ldap\

安裝ldap3

安裝ldap3很簡單，pip install ldap3便可。地址：https://pypi.python.org/pypi/ldap3

爲何使用ldap3？下面是給出的緣由：

A strictly RFC 4510 conforming LDAP V3 pure Python client library. The same codebase works with Python 2, Python 3, PyPy, PyPy3 and Nuikta.

使用ldap3訪問LDAP服務器

接下來是ldap3的使用介紹。

參考：http://ldap3.readthedocs.io/tutorial.html

3種鏈接方法：

1 anonymous

2 simple password

3 SASL(simple authentication and security layer)

這裏注意文檔中說明了longin就是bind（後面代碼中會有相關參數）。

在API的Connection中定義了5中策略：

	策略	同步否？	Return
1	SYNC	synchronous	True/False
2	ASYNC	asynchronous	Integer
3	LDIF
4	RESTARTABLE	synchronous	True/False
5	REUSABLE	asynchronous	Integer

在異步模式下，將返回message_id而不是True或者False。另外異步模式下將會調用Connection的get_response(message_id)方法。還能夠設置timeout參數。

LDIF模式用來建立LDIF-CHANGEs流。The LDIF strategy is used to create a stream of LDIF-CHANGEs.

默認模式是SYNC。

鏈接：

>>> server = Server('ipa.demo1.freeipa.org')
>>> conn = Connection(server)
>>> conn.bind()
True

或者

>> conn = Connection('ipa.demo1.freeipa.org', auto_bind=True)
True

查看鏈接信息：

print server
print conn

獲取服務器信息：

>>> server = Server('ipa.demo1.freeipa.org', get_info=ALL)
>>> conn = Connection(server, auto_bind=True)
>>> server.info
DSA info (from DSE):
  Supported LDAP Versions: 2, 3
  Naming Contexts:
    cn=changelog
省略

>>> server.schema
DSA Schema from: cn=schema
  Attribute types:{'ipaNTTrustForestTrustInfo': Attribute type: 2.16.840.1.113730.3.8.11.17
  Short name: ipaNTTrustForestTrustInfo
  Description: Forest trust information for a trusted domain object
省略

登陸：

>>> # import class and constants
>>> from ldap3 import Server, Connection, ALL, NTLM

>>> # define the server and the connection
>>> server = Server('10.99.201.86', get_info=ALL)
>>> conn = Connection(server, user="Domain\\User", password="password", authentication=「NTLM」)

查看登陸信息：

>>> conn.extend.standard.who_am_i()

若是是匿名登陸那麼返回空。

因此使用用戶名密碼登陸：

>>> conn = Connection(server, 'uid=admin, cn=users, cn=accounts, dc=demo1, dc=freeipa, dc=org', 'Secret123', auto_bind=True)
>>> conn.extend.standard.who_am_i()
'dn: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org'

使用安全方式登陸，兩種：LDAP over TLS or the StartTLS extended operation。這裏不作詳細說明，具體參考官方文檔。下面只列出相關代碼：

>>> server = Server('ipa.demo1.freeipa.org', use_ssl=True, get_info=ALL)
>>> conn = Connection(server, 'uid=admin, cn=users, cn=accounts, dc=demo1, dc=freeipa, dc=org', 'Secret123', auto_bind=True)
>>> print(conn)
ldaps://ipa.demo1.freeipa.org:636 - ssl - user: uid=admin, cn=users, cn=accounts, dc=demo1, dc=freeipa, dc=org - bound - open - <local: 192.168.1.101:51438 - remote: 209.132.178.99:636> - tls not started - listening - SyncStrategy - internal decoder

>>> from ldap3 import Server, Connection, Tls
>>> import ssl
>>> tls_configuration = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1)
>>> server = Server('ipa.demo1.freeipa.org', use_ssl=True, tls=tls_configuration)
>>> conn = Connection(server)
>>> conn.open()
...
ldap3.core.exceptions.LDAPSocketOpenError: (LDAPSocketOpenError('socket ssl wrapping error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)',),)

訪問數據

這裏介紹同步和異步兩種方式。讀文檔說明，異步是使用獨立線程完成操做的。同步的就是發送消息而後等待接受消息。

異步常常用於event-driven，事件驅動。

另外還有一種Compare操做。它既是用來驗證一個attribute是否有一個value。這個操做能夠用來作密碼驗證（不用bind操做）。

任何同步操做後Connection對象中都會有一些attribute被populated。

• result: the result of the last operation (as returned by the server)
• response: the entries found (if the last operation is a Search)
• entries: the entries found exposed via the abstraction layer (if the last operation is a Search)
• last_error: the error occurred in the last operation, if any
• bound: True if the connection is bound to the server
• listening: True if the socket is listening to the server
• closed: True if the socket is not open

搜索操做

搜索操做須要三個參數，可是隻有兩個是必須：

• search_base: the location in the DIT where the search will start
• search_filter: what are you searching

 這裏的search_filter有特殊的語法。它是基於assertion，而assertion是一個bracketed expression。assertion是true false或者undefined（等同於false）。assertion使用& | ! 組織，能夠包含 = <= >= =* ~=等。另外注意，這裏沒有 < 和 > 符號。

例如：

(&
    (|
        (givenName=Fred)
        (givenName=John)
    )
    (mail=*@example.org)
)

代碼示例：

搜索全部person，即objectclass=persono。

>>> from ldap3 import Server, Connection, ALL
>>> server = Server('ipa.demo1.freeipa.org', get_info=ALL)
>>> conn = Connection(server, 'uid=admin, cn=users, cn=accounts, dc=demo1, dc=freeipa, dc=org', 'Secret123', auto_bind=True)
>>> conn.search('dc=demo1, dc=freeipa, dc=org', '(objectclass=person)')
True
>>> conn.entries
[DN: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
, DN: uid=manager,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
, DN: uid=employee,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
, DN: uid=helpdesk,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
]

請求獲取部分屬性。

>>> conn.search('dc=demo1, dc=freeipa, dc=org', '(&(objectclass=person)(uid=admin))', attributes=['sn','krbLastPwdChange', 'objectclass'])
True
>>> conn.entries[0]
DN: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
    krbLastPwdChange: 2015-09-30 04:06:59+00:00
    objectclass: top
                 person
                 posixaccount
                 krbprincipalaux
                 krbticketpolicyaux
                 inetuser
                 ipaobject
                 ipasshuser
                 ipaSshGroupOfPubKeys
    sn: Administrator

屬性獲取方法：

>>> entry = entries[0]
>>> entry.krbLastPwdChange
krbLastPwdChange: 2015-09-30 04:06:59+00:00
>>> entry.KRBLastPwdCHANGE
krbLastPwdChange: 2015-09-30 04:06:59+00:00
>>> entry['krbLastPwdChange']
krbLastPwdChange: 2015-09-30 04:06:59+00:00
>>> entry['KRB LAST PWD CHANGE']
krbLastPwdChange: 2015-09-30 04:06:59+00:00

>>> entry.krbLastPwdChange.values
[datetime.datetime(2015, 9, 30, 4, 6, 59, tzinfo=OffsetTzInfo(offset=0, name='UTC'))]
>>> entry.krbLastPwdChange.raw_values
[b'20150930040659Z']

一點要注意，那就是search_scope表示了搜索範圍，有三種。默認SUBTREE。

1	BASE	A base search limits the search to the base object 通常用來檢查object的存在與否。
2	LEVEL	A one-level search is restricted to the immediate children of a base object, but excludes the base object itself.
3	SUBTREE	A subtree search (or a deep search) includes all child objects as well as the base object.

 

關於LDIF：

>>> print(conn.entries[0].entry_to_ldif())
version: 1
dn: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
objectclass: top
objectclass: person
objectclass: posixaccount
objectclass: krbprincipalaux
objectclass: krbticketpolicyaux
objectclass: inetuser
objectclass: ipaobject
objectclass: ipasshuser
objectclass: ipaSshGroupOfPubKeys
krbLastPwdChange: 20150930040659Z
sn: Administrator
# total number of entries: 1

或者使用JSON表示：

>>> print(entry.entry_to_json())
{
    "attributes": {
        "krbLastPwdChange": [
            "2015-09-30 04:06:59+00:00"
        ],
        "objectclass": [
            "top",
            "person",
            "posixaccount",
            "krbprincipalaux",
            "krbticketpolicyaux",
            "inetuser",
            "ipaobject",
            "ipasshuser",
            "ipaSshGroupOfPubKeys"
        ],
        "sn": [
            "Administrator"
        ]
    },
    "dn": "uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"

另外關於binary values：

>>> from ldap3.utils.conv import escape_bytes
>>> unique_id = b'\xca@\xf2k\x1d\x86\xcaL\xb7\xa2\xca@\xf2k\x1d\x86'
>>> search_filter = '(nsUniqueID=' + escape_bytes(unique_id) + ')'
>>> conn.search('dc=demo1, dc=freeipa, dc=org', search_filter, attributes=['nsUniqueId'])

關於connection context manager：

>>> with Connection(server, 'uid=admin, cn=users, cn=accounts, dc=demo1, dc=freeipa, dc=org', 'Secret123') as conn:
        conn.search('dc=demo1, dc=freeipa, dc=org', '(&(objectclass=person)(uid=admin))', attributes=['sn','krbLastPwdChange', 'objectclass'])
        entry = conn.entries[0]
True
>>> conn.bound
False
>>> entry
DN: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
krbLastPwdChange: 2015-09-30 04:06:59+00:00
objectclass: top
             person
             posixaccount
             krbprincipalaux
             krbticketpolicyaux
             inetuser
             ipaobject
             ipasshuser
             ipaSshGroupOfPubKeys
sn: Administrator

增長操做

>>> # Create a container for our new entries
>>> conn.add('ou=ldap3-tutorial, dc=demo1, dc=freeipa, dc=org', 'organizationalUnit')
>>> True
>>> # Add some users
>>> conn.add('cn=b.young,ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org', 'inetorgperson', {'givenName': 'Beatrix', 'sn': 'Young', 'departmentNumber':'DEV', 'telephoneNumber': 1111})
>>> True
>>> conn.add('cn=j.smith,ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org', 'inetorgperson', {'givenName': 'John', 'sn': 'Smith', 'departmentNumber':'DEV',  'telephoneNumber': 2222})
>>> True
>>> conn.add('cn=m.smith,ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org', 'inetorgperson', {'givenName': 'Marianne', 'sn': 'Smith', 'departmentNumber':'QA',  'telephoneNumber': 3333})
>>> True
>>> conn.add('cn=quentin.cat,ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org', 'inetorgperson', {'givenName': 'Quentin', 'sn': 'Cat', 'departmentNumber':'CC',  'telephoneNumber': 4444})