Tag Archives: ldap

About the “_s” in the LDAP library (Python and others)

If you have written code against LDAP libraries you will have noticed that many functions come in two flavours, one whose name ends in "_s" and one without it (python-ldap inherits the convention from the OpenLDAP C API it wraps). The "s" means synchronous: those functions return only when the operation has finished. The functions without the "_s" are asynchronous: they return immediately, without waiting for the operation to complete; in python-ldap they hand back a message id that you later pass to result() to collect the server's response. The idea behind the async functions is that you can issue several LDAP operations to do different things and then pick up the results when you need them, without blocking the program. The flip side is that nothing orders the operations for you: if a second operation depends on the first one having completed (a search that needs the identity established by a bind, for instance), you must collect the first result before sending the second request.

I'm writing this post because you should be careful using these functions. Today I was writing a small Python script to modify some objects in a DIT and I lost 30 minutes trying to figure out why the script wasn't working. I was using the function "bind()" and then "search_s()". The second didn't return anything, but if I searched using the command line tools with the same parameters I got the objects. What was the problem? I missed the "_s" at the end of "bind()". I was using the async version, so I was calling "search_s()" before the end of the bind operation. 🙁
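The pattern from the post next to its two fixes, as an added example written for this page (not code from the original post or from python-ldap). The functions use python-ldap's method names and return shapes, so they work unchanged against a connection from ldap.initialize(); the FakeLDAPObject is a constructed stand-in that lets the file run offline, and the DNs, password and sample entries are assumptions made for the example.

```python
# Added example (not the post's code): sync vs. async calls in python-ldap.
# The fake server below exists only so the file runs offline; the DNs,
# password and directory entries are assumptions made for the example.
SCOPE_SUBTREE = 2                                  # same value as ldap.SCOPE_SUBTREE
BASE_DN = "dc=example,dc=com"                      # assumed
BIND_DN = "cn=admin,dc=example,dc=com"             # assumed
BIND_PW = "secret"                                 # assumed
FILTER = "(uid=diegows)"                           # uid taken from the posts

# Constructed directory content in python-ldap's (dn, {attr: [bytes, ...]}) shape.
SAMPLE_ENTRIES = [
    ("uid=diegows,ou=people,dc=example,dc=com", {"uid": [b"diegows"], "cn": [b"Diego"]}),
    ("uid=alice,ou=people,dc=example,dc=com", {"uid": [b"alice"], "cn": [b"Alice"]}),
]

def buggy_bind_then_search(conn, who, cred, base, filterstr):
    """The mistake from the post: simple_bind() only sends the BindRequest and
    returns a message id, so search_s() goes out before the BindResponse has
    been collected and the server evaluates it for an anonymous client."""
    conn.simple_bind(who, cred)                    # async: returns msgid at once
    return conn.search_s(base, SCOPE_SUBTREE, filterstr)

def sync_bind_then_search(conn, who, cred, base, filterstr):
    """Fix 1: the synchronous bind blocks until the server answers (and raises
    ldap.INVALID_CREDENTIALS on a bad password) before the search is sent."""
    conn.simple_bind_s(who, cred)
    return conn.search_s(base, SCOPE_SUBTREE, filterstr)

def async_bind_then_search(conn, who, cred, base, filterstr):
    """Fix 2: keep the async calls, but collect each result with result(msgid)
    before issuing an operation that depends on it."""
    msgid = conn.simple_bind(who, cred)
    conn.result(msgid)                             # wait for the BindResponse
    msgid = conn.search(base, SCOPE_SUBTREE, filterstr)
    _rtype, rdata = conn.result(msgid)             # (result type, [(dn, attrs), ...])
    return rdata

class InvalidCredentials(Exception):
    pass                                           # stands in for ldap.INVALID_CREDENTIALS

class FakeLDAPObject:
    """Constructed stand-in for ldap.LDAPObject with the same method names and
    return shapes. It models one rule of a typical directory: an operation is
    evaluated with the identity the server has confirmed when it arrives, and
    the ACL shows nothing to anonymous clients. A model, not slapd's code."""
    RES_BIND, RES_SEARCH_RESULT = 97, 101          # ldap.RES_BIND, ldap.RES_SEARCH_RESULT

    def __init__(self, entries, credentials):
        self._entries = entries
        self._credentials = credentials            # {bind_dn: password}
        self._pending = {}                         # msgid -> (kind, payload)
        self._next_msgid = 1
        self._bound_as = None                      # None means anonymous

    def _queue(self, kind, payload):
        msgid, self._next_msgid = self._next_msgid, self._next_msgid + 1
        self._pending[msgid] = (kind, payload)
        return msgid

    def simple_bind(self, who=None, cred=None):
        return self._queue("bind", (who, cred))

    def simple_bind_s(self, who=None, cred=None):
        return self.result(self.simple_bind(who, cred))

    def search(self, base, scope, filterstr="(objectClass=*)", attrlist=None, attrsonly=0):
        hits = [e for e in self._entries          # identity confirmed so far decides
                if self._bound_as is not None and _matches(e, base, filterstr)]
        return self._queue("search", hits)

    def search_s(self, base, scope, filterstr="(objectClass=*)", attrlist=None, attrsonly=0):
        return self.result(self.search(base, scope, filterstr))[1]

    def result(self, msgid, all=1, timeout=None):
        kind, payload = self._pending.pop(msgid)
        if kind == "bind":
            who, cred = payload
            if self._credentials.get(who) != cred:
                raise InvalidCredentials(who)
            self._bound_as = who
            return (self.RES_BIND, [])
        return (self.RES_SEARCH_RESULT, payload)

def _matches(entry, base, filterstr):
    """Equality filters such as (uid=x) only; enough for the fake."""
    dn, attrs = entry
    attr, _, value = filterstr.strip("()").partition("=")
    return dn.lower().endswith(base.lower()) and value.encode() in attrs.get(attr, [])

def demo():
    """Run the three patterns against fresh fakes; returns the entries each saw."""
    results = {}
    for name, fn in (("buggy", buggy_bind_then_search),
                     ("sync", sync_bind_then_search),
                     ("async", async_bind_then_search)):
        conn = FakeLDAPObject(SAMPLE_ENTRIES, {BIND_DN: BIND_PW})
        results[name] = fn(conn, BIND_DN, BIND_PW, BASE_DN, FILTER)
    return results
```

Against a real server, replace the fake with `conn = ldap.initialize("ldap://host")` and call the same three functions; the buggy one is the one that comes back empty while `ldapsearch -D ... -w ...` with the same filter finds the entries. The rule the fake encodes is also why the async style needs discipline: either stay fully synchronous (`*_s` everywhere) or always pair a `*()` call with the `result(msgid)` that collects it before depending on its effect.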


Apache Directory Studio

One of the tools I had been looking for on Linux was a good graphical LDAP client. I had ADS (Apache Directory Studio) on my list but had never tried it until today. It's very complete and the interface is very good. It's a pure LDAP client, not a frontend for LDAP user administration or anything like that. One of the great things I found using it today is the "intelligent copy & paste": if you copy and paste an entry within the same container, ADS opens a window called "Select copy strategy" with the following options:

  • Stop copy process
  • Ignore entry and continue
  • Overwrite entry and continue
  • Rename entry and continue: This is great, because you can use an object as a template and copy it under a new name in two clicks.
Other great things are the connection wizard, attribute auto-completion, etc. I've only been using it for a few minutes and I've already found a lot of useful things.


Crypt, 8 bytes, password policy and LDAP

Today I was testing the OpenLDAP ppolicy module at a client. Its job is to add password policies: locking accounts after invalid password attempts, password expiry, enforcing password complexity on change, and so on. For the tests I created a user "diegows" with the password "lanux123" and started logging in with the password "lanux1234" to see whether the account got locked. It was supposed to lock after 3 attempts; I was at 20 and nothing. What's more, the login (bind, in LDAP terms) worked perfectly.

After checking the configuration 20 times, I noticed a detail, something that had already happened to me a while back. The passwords were stored in LDAP hashed with Crypt. This algorithm uses only the first 8 characters of the password. Trying to log in with "lanux123" was the same as logging in with "lanux1234567890".

The moral is: never use CRYPT!!!! Besides being insecure, it wastes your time.

If it happens to you, now you know…
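A way to find out whether a directory is exposed to the surprise described above, as an added example written for this page (not code from the original post): scan an LDIF export for userPassword values whose {CRYPT} hash has the shape of traditional DES crypt, the 13-character form that uses only the first 8 characters of the password. The LDIF below is constructed; its hash strings have the right shape for each scheme but are placeholders, not real hashes of any password.

```python
# Added example (not the post's code): audit userPassword values in an LDIF
# export for {CRYPT} hashes in the traditional DES format, which uses only the
# first 8 characters of the password. The LDIF below is constructed; the hash
# strings have the right shape for each scheme but are placeholders, not real
# hashes of any password.
import base64
import re

_ALICE_PW = b"{CRYPT}$6$Qz8kf1Lp3m9Rt2Wv$" + b"x" * 86        # sha512crypt-shaped placeholder
SAMPLE_LDIF = f"""dn: uid=diegows,ou=people,dc=example,dc=com
uid: diegows
userPassword: {{CRYPT}}abJnggxhB/yWI

dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: {base64.b64encode(_ALICE_PW).decode()}

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: {{SSHA}}0Wq1s8y5bZ1r8Xo6Gq3aF0VtL5yTcM2Qd3f4e5==

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {{CRYPT}}$1$ab12cd34$XyZ0123456789abcdefghi
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")     # 2 salt chars + 11 hash chars
SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per record, attribute
    names lower-cased, '::' (base64) values decoded."""
    records, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return records

def classify_password(value):
    """Return (scheme, note) for one userPassword value."""
    m = SCHEME.match(value)
    if not m:
        return ("cleartext", "no {scheme} prefix")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return (scheme, "")
    if rest.startswith("$1$"):
        return ("CRYPT/md5crypt", "whole password used")
    if rest.startswith("$5$"):
        return ("CRYPT/sha256crypt", "whole password used")
    if rest.startswith("$6$"):
        return ("CRYPT/sha512crypt", "whole password used")
    if rest.startswith(("$2a$", "$2b$", "$2y$")):
        return ("CRYPT/bcrypt", "password truncated at 72 bytes")
    if DES_CRYPT.match(rest):
        return ("CRYPT/DES", "only the first 8 characters of the password are used")
    return ("CRYPT/unknown", "unrecognised crypt format")

def classify_entries(ldif_text):
    """[(dn, scheme, note)] for every userPassword value in the export."""
    rows = []
    for rec in parse_ldif(ldif_text):
        dn = rec.get("dn", ["?"])[0]
        for pw in rec.get("userpassword", []):
            rows.append((dn,) + classify_password(pw))
    return rows

def truncated_entries(ldif_text):
    """Entries whose stored hash ignores everything past the 8th character,
    i.e. the ones that reproduce the post's ppolicy surprise."""
    return [row for row in classify_entries(ldif_text) if row[1] == "CRYPT/DES"]
```

Feed it the output of an `ldapsearch -LLL` run with an identity allowed to read userPassword. On the server side the scheme used when passwords are changed through the Password Modify extended operation is set with the OpenLDAP `password-hash` directive (`olcPasswordHash` in cn=config); switching it away from DES-style {CRYPT} only affects new passwords, so entries the audit flags keep their 8-character hashes until those users change them.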
