[Twisted-Python] ldaptor and bind

Ottavio Campana ottavio at campana.vi.it
Mon Jan 7 18:34:29 EST 2008


Tommi Virtanen wrote:
> On Mon, Jan 07, 2008 at 11:52:52PM +0100, Ottavio Campana wrote:
>> 1) how do I get the username and password used to bind in function
>> def _cbSearchGotBase(self, base, dn, request, reply):
>> ? with request.dn and request.auth?
> 
> LDAPServer's self.boundUser. And the password isn't stored any
> longer than is required to process the LDAPBindRequest.
> 
>> 2) how do I modify request.filter? can I just append text?
> 
> It's an LDAPFilter instance. No, it's not a string.
> 
>> In this case, after having binding working I would be done. It's not full 
>> acl support, but it would be enough.
> 
> Umm, if you didn't even realize you need to protect against
> modification, do you really think you can manage to implement
> it securely?

Well, considering that data provided through ldap is for read-only use, 
that ldap exports information saved in a database which is protected, 
that clients access the ldap server only read-only and the network is 
not hostile, I think it could be acceptable.

I can't run openldap on that hardware and I need a way to separate 
public and private address books and I need to be able to look in both 
address books with only one search, so they have to be nested.

I know acls would do the job, I know the solution is not perfect, but do 
you have any other idea?

PS: going on with my idea, I could overwrite handle_LDAPModifyDNRequest 
by always raising ldaperrors.LDAPUnwillingToPerform. The same for all 
other add/delete/modify requests...

-- 
There is no strength left in normality, there is only monotony.
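
Added example, not part of the original message and not ldaptor's own code: a standard-library model of the read-only idea from the PS, written as a default-deny allowlist so that request types nobody listed are refused too, with one search scoped to the public book plus the bound user's private book. The dispatcher, the tree layout, the sample entries and every name other than `boundUser`, `LDAPUnwillingToPerform` and the `handle_<RequestName>` pattern are assumptions.

```python
class LDAPUnwillingToPerform(Exception):
    """Stand-in for ldaperrors.LDAPUnwillingToPerform named in the message."""

BASE = "dc=example,dc=invalid"            # constructed sample tree
PUBLIC = "ou=public," + BASE

ENTRIES = {                                # constructed sample entries
    "cn=Helpdesk," + PUBLIC,
    "cn=Mum,ou=addressbook,uid=alice,ou=people," + BASE,
    "cn=Dentist,ou=addressbook,uid=bob,ou=people," + BASE,
}

def private_book(bound_user):
    """Hypothetical layout: a user's private book sits under their own entry."""
    return "ou=addressbook," + bound_user

def is_under(dn, ancestor):
    """String-level subtree test; production code should compare parsed DNs."""
    dn, ancestor = dn.lower(), ancestor.lower()
    return dn == ancestor or dn.endswith("," + ancestor)

class ReadOnlyAddressBook:
    # Default deny: only these request types ever reach a handler.
    ALLOWED = frozenset({"LDAPBindRequest", "LDAPUnbindRequest", "LDAPSearchRequest"})

    def __init__(self, entries):
        self.entries = entries
        self.boundUser = None              # anonymous until a bind succeeds

    def handle(self, request_name, *args):
        if request_name not in self.ALLOWED:
            raise LDAPUnwillingToPerform(request_name)
        return getattr(self, "handle_" + request_name)(*args)

    def handle_LDAPBindRequest(self, dn):
        # Credential checking is outside this example; assume it succeeded.
        self.boundUser = dn

    def handle_LDAPUnbindRequest(self):
        self.boundUser = None

    def handle_LDAPSearchRequest(self, base):
        # One search covers both books, but only subtrees this user may read.
        scopes = [PUBLIC]
        if self.boundUser:
            scopes.append(private_book(self.boundUser))
        return sorted(dn for dn in self.entries
                      if is_under(dn, base) and any(is_under(dn, s) for s in scopes))
```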



