Quickstart#
After we installed the Bonsai module, let’s see the basic functions to communicate with an LDAP server.
Connecting#
First we are connecting to the LDAP server at “example.org” using an LDAPClient
object:
>>> from bonsai import LDAPClient
>>> client = LDAPClient("ldap://example.org")
>>> conn = client.connect()
If we want to use a secure connection over SSL/TLS we can change the URL to ldaps://:
>>> client = LDAPClient("ldaps://example.org")
Or set the tls parameter to True for the LDAPClient:
>>> client = LDAPClient("ldap://example.org", True)
>>> conn = client.connect()
Note
Use either the ldaps:// scheme or the tls parameter set to True for secure connection, but it’s ill-advise to use both. If both present the client will set the tls attribute to False to avoid connection error.
Note
When you encounter “unknown error code”-errors thrown by the exception
ConnectionError
when setting up SSL/TLS-connections with OpenLDAP, use the
bonsai-Debug-function bonsai.set_debug()
. Set the first parameter to True and the
second to -1. Then you will see the calls (and probably errormessages) of the underlying
OpenLDAP-Library in the output.
If we want to use a filesocket connection point the URL to ldapi://:
>>> client = LDAPClient("ldapi://%2Frun%2Fslapd%2Fldapi")
(Please note that in this case the file location has to be URL-encoded.)
Now, we have an anonym bind to the server, so LDAP whoami operation - which helps to get the identity about the authenticated user - will return with the following:
>>> conn.whoami()
'anonymous'
To connect with a certain user to the server we have to set credentials before connection:
>>> client = LDAPClient("ldaps://example.org")
>>> client.set_credentials("SIMPLE", user="cn=test,dc=bonsai,dc=test", password="secret")
>>> conn = client.connect()
>>> conn.whoami()
'cn=test,dc=bonsai,dc=test'
Searching#
To execute a simple search in the dictionary we have to use the LDAPConnection.search()
method. The function’s first parameter - the base DN - sets where we would like to start the search
in the dictionary tree, the second parameter - the search scope - can have the following values:
0 (base): searching only the base DN.
1 (one): searching only one tree level under the base DN.
2 (sub): searching of all entries at all levels under, including the base DN.
The scope parameter is replaceable with an LDAPSearchScope
enumeration, for e.g.
LDAPSearchScope.ONE
for one level search.
The third parameter is a standard LDAP filter string.
The result will be a list of LDAPEntry objects or an empty list, if no object is found.
>>> conn = client.connect()
>>> conn.search("ou=nerdherd,dc=bonsai,dc=test", bonsai.LDAPSearchScope.ONE, "(objectclass=*)")
[{'dn': <LDAPDN cn=chuck,ou=nerdherd,dc=bonsai,dc=test>, 'sn': ['Bartowski'],
'cn': ['chuck'], 'givenName': ['Chuck'], 'objectClass': ['inetOrgPerson',
'organizationalPerson', 'person', 'top']}, {'dn': <LDAPDN cn=lester,ou=nerdherd,dc=bonsai,dc=test>,
'sn': ['Patel'], cn': ['lester'], 'givenName': ['Laster'], 'objectClass': ['inetOrgPerson',
'organizationalPerson', 'person', 'top']}, {'dn': <LDAPDN cn=jeff,ou=nerdherd,dc=bonsai,dc=test>,
'sn': ['Barnes'], 'cn': ['jeff'], 'givenName': ['Jeff'], 'objectClass': ['inetOrgPerson',
'organizationalPerson', 'person', 'top']}]
>>> conn.search("ou=nerdherd,dc=bonsai,dc=test", 0, "(objectclass=*)")
[{'dn': <LDAPDN ou=nerdherd,dc=bonsai,dc=test>, 'objectClass': ['organizationalUnit', 'top'],
'ou': ['nerdherd']}]
The other possible parameters are listed on the API page of LDAPConnection.search()
.
Note
As you can see every key - or LDAP attribute - in the entry has a list for clarity, even if only one value belongs to the attribute. As most of the attributes could have more than one value, it would be confusing, if some of the keys had string value and the others had list.
Add and modify LDAP entry#
To add a new entry to our dictionary we need to create an LDAPEntry
object with a valid new
LDAP DN:
>>> from bonsai import LDAPEntry
>>> anna = LDAPEntry("cn=anna,ou=nerdherd,dc=bonsai,dc=test")
>>> anna['objectClass'] = ['top', 'inetOrgPerson'] # Must set schemas to get a valid LDAP entry.
>>> anna['sn'] = "Wu" # Must set a surname attribute because inetOrgPerson schema requires.
>>> anna['mail'] = "anna@nerdherd.com"
>>> anna.dn
<LDAPDN cn=anna,ou=nerdherd,dc=bonsai,dc=test>
>>> anna
{'dn': <LDAPDN cn=anna,ou=nerdherd,dc=bonsai,dc=test>, 'objectClass': ['top', 'inetOrgPerson'],
'sn': ['Wu'], 'mail': ['anna@nerdherd.com']}
then call LDAPConnection.add()
to add to the server:
>>> conn.add(anna)
True
It’s important, that we must set the schemas and every other attribute, that the schemas require.
If we miss a required attribute, the server will not finish the operation and return with an
bonsai.ObjectClassViolation
error.
To modify an entry we need to have one that is already in the dictionary (got it back after a
search or added it by ourselves previously), then we can easily add new attributes or modify
already existing ones like we usually do with a Python dict, the only difference is that we need to
call LDAPEntry.modify()
method at the end to save our modifications on the server side.
>>> anna['givenName'] = "Anna" # Set new givenName attribute.
>>> anna['cn'].append('wu') # Add new common name attribute without remove the already set ones.
>>> del anna['mail'] # Remove all values of the mail attribute.
>>> anna.modify()
True
In certain cases, an LDAP entry can have write-only attribute (e.g. password) that cannot be
represented in an LDAPEntry or we just want to change the value of an attribute without reading
it first. The LDAPEntry.change_attribute()
method expects an attribute name, the type
of the modification (as an integer or an LDAPModOp
enum) and the values as parameters
to change an entry:
>>> from bonsai import LDAPEntry, LDAPModOp
>>> anna = LDAPEntry("cn=anna,ou=nerdherd,dc=bonsai,dc=test")
>>> anna.change_attribute("userPassword", LDAPModOp.REPLACE, "newsecret")
>>> anna.modify()
True
Delete an LDAP entry#
To delete an entry we’ve got two options: LDAPConnection.delete()
and
LDAPEntry.delete()
:
>>> conn.delete("cn=anna,ou=nerdherd,dc=bonsai,dc=test") # We have to know the DN of the entry.
True
>>> # Or we have a loaded LDAPEntry object, then
>>> anna.delete()
True
In the second case the entry is removed on the server, but we still have the data on the client-side.
Rename an LDAP entry#
To rename an existing entry call the LDAPEntry.rename()
method with the new DN on an already
loaded LDAPEntry
object:
>>> anna.dn
<LDAPDN cn=anna,ou=nerdherd,dc=bonsai,dc=test>
>>> anna.rename("cn=wu,ou=nerdherd,dc=bonsai,dc=test")
True
>>> anna.dn
<LDAPDN cn=wu,ou=nerdherd,dc=bonsai,dc=test>
Be aware that if you would like to move the entry into a different subtree of the directory, then the stated subtree needs to already exist.
Close connection#
After we finished our work with the directory server we should close the connection:
>>> conn.close()
The LDAPConnection
object can be used with a context manager that will implicitly call the
LDAPConnection.close()
method:
import bonsai
cli = bonsai.LDAPClient("ldap://localhost")
with cli.connect() as conn:
res = conn.search("ou=nerdherd,dc=bonsai,dc=test", 1)
print(res)
print(conn.whoami())
To find out more about the Bonsai module functionality read the Advanced Usage and the API documentation.