
LdapCherry


Nice and simple application to manage users and groups in multiple directory services.

Doc: LdapCherry documentation on ReadTheDocs
Dev: LdapCherry source code on GitHub
PyPI: LdapCherry package on PyPI
License: MIT
Author: Pierre-Francois Carpentier - copyright © 2016

Presentation

LdapCherry is a CherryPY application to manage users and groups in multiple directory services.

Its main features are:

  • manage multiple directory/database backends in a unified way
  • roles management (as in "groups of groups")
  • autofill forms
  • password policy
  • self modification of some selected fields by normal (non administrator) users
  • nice bootstrap interface
  • modular through pluggable authentication, password policy and backend modules

LdapCherry is not limited to LDAP: it can handle virtually any user backend (e.g. an SQL database, an htpasswd file, etc.) through the proper plugin (provided that one is implemented ^^).

LdapCherry also aims to be as simple as possible to deploy: no crazy dependencies, few configuration files, extensive debug logs and full documentation.

The default backend plugins manage LDAP and Active Directory.


Try out

# clone the repository
$ git clone https://github.com/kakwa/ldapcherry && cd ldapcherry

# change the directory where to put the configuration (default: /etc)
$ export SYSCONFDIR=/etc
# change the directory where to put the resource (default: /usr/share)
$ export DATAROOTDIR=/usr/share/

# install ldapcherry
$ python setup.py install

# edit configuration files
$ vi /etc/ldapcherry/ldapcherry.ini
$ vi /etc/ldapcherry/roles.yml
$ vi /etc/ldapcherry/attributes.yml

# launch ldapcherry
$ ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D

License

LdapCherry is published under the MIT Public License.

ldapcherry's Issues

Bracket in DN

Hello,

First, thanks for your work.
I have a problem with the ldap.group_filter_tmpl parameter. When I pass something with brackets, for example
ldap.group_filter_tmpl = "(uniqueMember=cn=Toto Toto (toto),o=Toto,dc=tata,dc=local)"
(cn=Toto Toto (toto),o=Toto,dc=tata,dc=local is the DN of all my users)
I get an error:
ldap.FILTER_ERROR: {'result': -7, 'desc': 'Bad search filter', 'ctrls': []}
I see that you have a filter.py but I don't know if it's used for this filter.
Thanks for reading.
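Added example, not code from the ldapcherry project: it reproduces the "Bad search filter" above and shows the RFC 4515 escaping that lets a DN with parentheses be embedded in a filter template. The helper names (escape_filter_value, render_filter, is_well_formed) are my own; escape_filter_value reimplements what python-ldap's ldap.filter.escape_filter_chars() does so the block runs without python-ldap installed, and is_well_formed is a minimal structural parser standing in for the server-side check.

```python
"""A DN such as cn=Toto Toto (toto),o=Toto,dc=tata,dc=local contains
parentheses, which are filter syntax in RFC 4515. Dropped raw into
ldap.group_filter_tmpl they turn '(toto)' into a nested sub-filter and the
server answers "Bad search filter". Escaping the value fixes that."""

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
_HEX = set('0123456789abcdefABCDEF')


def escape_filter_value(value):
    """Escape one assertion value for safe embedding in a search filter
    (same behaviour as python-ldap's ldap.filter.escape_filter_chars)."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


def render_filter(template, **values):
    """Fill a %(name)s filter template, escaping every substituted value so
    it can only ever be data, never filter structure."""
    return template % {k: escape_filter_value(v) for k, v in values.items()}


def _parse(s, i):
    """Parse one parenthesised RFC 4515 filter at s[i]; return (next, ok)."""
    if i >= len(s) or s[i] != '(':
        return i, False
    i += 1
    if i < len(s) and s[i] in '&|':           # (&(...)(...)) / (|(...)(...))
        i, n = i + 1, 0
        while i < len(s) and s[i] == '(':
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            n += 1
        if n == 0:
            return i, False
    elif i < len(s) and s[i] == '!':          # (!(...))
        i, ok = _parse(s, i + 1)
        if not ok:
            return i, False
    else:                                     # simple item: attr=value
        start = i
        while i < len(s) and s[i] not in '()':
            if s[i] == '\\':                  # only \XX hex escapes are legal
                pair = s[i + 1:i + 3]
                if len(pair) != 2 or not all(c in _HEX for c in pair):
                    return i, False
                i += 3
            else:
                i += 1
        if '=' not in s[start:i]:
            return i, False
    if i < len(s) and s[i] == ')':
        return i + 1, True
    return i, False


def is_well_formed(filt):
    """Structural check mirroring the server-side parse: True only if the
    whole string is one syntactically valid filter."""
    end, ok = _parse(filt, 0)
    return ok and end == len(filt)


# Constructed values mirroring the issue above.
USER_DN = 'cn=Toto Toto (toto),o=Toto,dc=tata,dc=local'
TEMPLATE = '(uniqueMember=%(dn)s)'

NAIVE = TEMPLATE % {'dn': USER_DN}            # what the reported config produces
SAFE = render_filter(TEMPLATE, dn=USER_DN)    # parentheses become \28 and \29

if __name__ == '__main__':
    for label, filt in (('naive', NAIVE), ('safe', SAFE)):
        verdict = 'ok' if is_well_formed(filt) else 'Bad search filter'
        print('%-5s %s -> %s' % (label, filt, verdict))
```

The same escaping applies to %(username)s and %(searchstring)s in the other filter templates: any value that comes from a user or from a directory entry should be escaped before it is interpolated.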

pip install ldapcherry - fatal error: Python.h: No such file or directory

OS = Centos 7.x
Python = 2.7.5

$ pip install ldapcherry

This is producing the following error:

gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.2.0 -DLDAPMODULE_AUTHOR=python-ldap project -DLDAPMODULE_LICENSE=Python style -IModules -I/usr/include/python2.7 -c Modules/LDAPObject.c -o build/temp.linux-x86_64-2.7/Modules/LDAPObject.o
In file included from Modules/LDAPObject.c:3:0:
Modules/common.h:9:20: fatal error: Python.h: No such file or directory
#include "Python.h"
^
compilation terminated.
error: command 'gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python2 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-2JMU2I/python-ldap/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-gleCRl-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-2JMU2I/python-ldap/

Properly document key: True in attributes file

The documentation is quite short on explaining the role of key: True, presenting it only as the tag for marking the reconciliation key between backends.

It has in fact a far greater impact, as it also marks the field that will be used in the various links to redirect to a user's modification page, and the id passed for its deletion.

Modify user raises ldap.ALREADY_EXIST

Hi everyone,

I had an issue with the modify user feature (not self modify).

When updating a user, an error ldap.ALREADY_EXIST is raised. This is because in the function set_attrs (file backend_ldap.py l480) the test to see if we are trying to update the username is failing, so we try to update the uid with the same uid, raising an error.

I changed this test a bit from
if attr.lower() == self.dn_user_attr.lower():
to :
if attr.lower() == self.dn_user_attr.lower() and old_attrs[attr][0] != attrs[attr]:

I am not making a PR as I know that this can be improved. I'm posting this as an issue to let you know about it and the way I solved it.

Cheers

Demo attributes and roles files

There exists an example for the Demo Backend for the INI file, but there are none that show the setup for the attributes.yml and roles.yml file.

Presumably these would be the same as the demo at https://ldapcherry.kakwalab.ovh/.

This would be helpful when setting up an integration testing or user acceptance environment where an LDAP connection is impossible or at least unwanted. This could also be used in dockerized environments for a self-contained backend (non-production). It is also helpful for testing custom javascript and templates.

I set up the application with all of the settings in ldapcherry.ini for the demo backend, and switched all of the ldap backend attributes to demo. The problem that I'm running into is that https://github.com/kakwa/ldapcherry/blob/master/ldapcherry/backend/backendDemo.py does not show what attributes are available (cn, uidNumber, etc.)

Are the attributes and users (admin and user) already set up in the Demo backend, or does it need to be populated before use? Which ones are available?

[mobile] search results do not fit

I guess there was an attempt to make this app responsive to fit different screen sizes.

  1. Top menu links ideally become icons.
  2. Result rows should also at least overflow.


administrator privileges flag is not present in the roles.yml

It takes a while to realize that the LC_admins flag should be defined and set to true if one wants to have a user with administrator privileges.
I suggest that the flag is defined in the roles.yml file as a comment at least.

admin-lv3:
  display_name: Administrators Level 3
  description: Super administrators of the system
  #LC_admins: True

ldapcherryd command execution error

[root@ZZ-LDAP01 ~]# /usr/local/bin/ldapcherryd
Traceback (most recent call last):
File "/usr/local/bin/ldapcherryd", line 11, in <module>
load_entry_point('ldapcherry==1.1.1', 'console_scripts', 'ldapcherryd')()
File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 489, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2852, in load_entry_point
return ep.load()
File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2443, in load
return self.resolve()
File "/usr/local/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2449, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/local/lib/python2.7/site-packages/ldapcherry-1.1.1-py2.7.egg/ldapcherry/__init__.py", line 20, in <module>
from ldapcherry.exceptions import *
File "/usr/local/lib/python2.7/site-packages/ldapcherry-1.1.1-py2.7.egg/ldapcherry/exceptions.py", line 9, in <module>
import cherrypy
File "/usr/local/lib/python2.7/site-packages/CherryPy-17.4.2-py2.7.egg/cherrypy/__init__.py", line 66, in <module>
from ._cperror import (
File "/usr/local/lib/python2.7/site-packages/CherryPy-17.4.2-py2.7.egg/cherrypy/_cperror.py", line 129, in <module>
from more_itertools import always_iterable
File "build/bdist.linux-x86_64/egg/more_itertools/__init__.py", line 1, in <module>
File "/usr/local/lib/python2.7/site-packages/more_itertools-7.2.0-py2.7.egg/more_itertools/more.py", line 340
def _collate(*iterables, key=lambda a: a, reverse=False):

How to fix it, please?

uncaught exception: ['value']

I had to set auth to none to be able to edit a user to add as admin; when I try to modify a user I get the following:
uncaught exception: ['value']
Python Exception:
Traceback (most recent call last):

File "/usr/local/lib/python3.8/dist-packages/ldapcherry-1.1.1-py3.8.egg/ldapcherry/exceptions.py", line 229, in ret
return func(self, *args, **kwargs)

File "/usr/local/lib/python3.8/dist-packages/ldapcherry-1.1.1-py3.8.egg/ldapcherry/__init__.py", line 1140, in modify
form = self.temp['form.tmpl'].render(

File "/usr/local/lib/python3.8/dist-packages/Mako-1.1.3-py3.8.egg/mako/template.py", line 476, in render
return runtime._render(self, self.callable_, args, data)

File "/usr/local/lib/python3.8/dist-packages/Mako-1.1.3-py3.8.egg/mako/runtime.py", line 878, in _render
_render_context(

File "/usr/local/lib/python3.8/dist-packages/Mako-1.1.3-py3.8.egg/mako/runtime.py", line 920, in _render_context
_exec_template(inherit, lclcontext, args=args, kwargs=kwargs)

File "/usr/local/lib/python3.8/dist-packages/Mako-1.1.3-py3.8.egg/mako/runtime.py", line 947, in _exec_template
callable
(context, *args, **kwargs)

File "form_tmpl", line 47, in render_body

File "form_tmpl", line 23, in form_col

File "form_tmpl", line 225, in render_form_col

KeyError: 'value'

Can't locate template for uri 'index.tmpl'

[18/Jan/2024:15:51:07] loading templates from dir '/usr/share/ldapcherry/templates/'
[18/Jan/2024:15:51:07] uncaught exception: [Can't locate template for uri 'index.tmpl']
[18/Jan/2024:15:51:07]
Traceback (most recent call last):
File "/Users/nenne-ai/Library/Python/3.12/lib/python/site-packages/mako/lookup.py", line 240, in get_template
return self._check(uri, self._collection[uri])
~~~~~~~~~~~~~~~~^^^^^
KeyError: 'index.tmpl'

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/ldapcherry-1.1.1-py3.12.egg/ldapcherry/__init__.py", line 418, in reload
self._load_templates(config)
File "/Library/Frameworks/Python.framework/Versions/3.12/lib/python3.12/site-packages/ldapcherry-1.1.1-py3.12.egg/ldapcherry/__init__.py", line 394, in _load_templates
self.temp[t] = self.temp_lookup.get_template(t)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/nenne-ai/Library/Python/3.12/lib/python/site-packages/mako/lookup.py", line 253, in get_template
raise exceptions.TopLevelLookupException(
mako.exceptions.TopLevelLookupException: Can't locate template for uri 'index.tmpl'
[18/Jan/2024:15:51:07] application failed to start

DATAROOTDIR env not working

➜ ldapcherry DATAROOTDIR=/usr/local/Cellar/python/3.7.4_1/Frameworks/Python.framework/Versions/3.7/share/ ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D
[23/Oct/2019:10:16:14] loading templates from dir '/usr/share/ldapcherry/templates/'
[23/Oct/2019:10:16:14] uncaught exception: [Cant locate template for uri 'index.tmpl']
[23/Oct/2019:10:16:14]
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/Mako-1.1.0-py3.7.egg/mako/lookup.py", line 249, in get_template
return self._check(uri, self._collection[uri])
KeyError: 'index.tmpl'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/ldapcherry-1.1.1-py3.7.egg/ldapcherry/__init__.py", line 417, in reload
self._load_templates(config)
File "/usr/local/lib/python3.7/site-packages/ldapcherry-1.1.1-py3.7.egg/ldapcherry/__init__.py", line 393, in _load_templates
self.temp[t] = self.temp_lookup.get_template(t)
File "/usr/local/lib/python3.7/site-packages/Mako-1.1.0-py3.7.egg/mako/lookup.py", line 263, in get_template
"Cant locate template for uri %r" % uri
mako.exceptions.TopLevelLookupException: Cant locate template for uri 'index.tmpl'
[23/Oct/2019:10:16:14] application failed to start

username broken when added to group

I have following setup:

- ldap.group_attr.member = "%(dn)s"
+ ldap.group_attr.memberUid = "%(uid)s"

There is a user with uid "max.wellgrand" in my ldap. I have a role with a single group attached to it; when I'm trying to add the user to a role (to a group), I'm getting the following:

So "[u'max.wellgrand']" is a string, but it should be just "max.wellgrand".

Per my investigation I found that this bug is related to the following:
File: backendLdap.py, function: add_to_groups, string attrs = tmp[1]

attrs = 
{
u'cn': [u'Max Wellgrand'],
u'objectClass': [u'hostObject', u'person',u'organizationalPerson',u'posixAccount',u'inetOrgPerson', u'shadowAccount', u'ldapPublicKey'],
u'loginShell': [u'/bin/bash'],
u'userPassword': [u'ELaa7oav1aep6z'],
u'uidNumber': [u'9001'],
u'gidNumber': [u'9001'],
u'sn': [u'max.wellgrand'],
u'homeDirectory': [u'/home/max.wellgrand'],
u'mail': [u'[email protected]'],
u'sshPublicKey': [u'mie7xeePiphiok111111'],
u'uid': [u'max.wellgrand']
}

So uid key is actually a list, what's happening here:

>>> attr
'memberUid'
>>> group_attrs[attr] % attrs
"[u'max.wellgrand']"

Python's format part does not convert the list to a string and as a result it becomes broken.

It works out of the box because the default configuration uses dn, and dn = tmp[0] is a string and not a list.

I'm not sure what the best fix for this is yet; for now I just hardcoded a fix for myself like the following:
attrs['uid'] = attrs['uid'][0]

So as far as I understood, the python-ldap lib returns values as a list and not a string (feature).
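Added example, not code from the ldapcherry project: it reproduces the "[u'max.wellgrand']" value from the issue above and shows one way to flatten python-ldap's list-valued attributes before a group_attr template is rendered. The names Scalars, scalarize and render_group_attrs and the sample entry are my own; the entry is constructed in the (dn, attrs) shape python-ldap's search_s() returns (bytes values under python-ldap 3).

```python
"""python-ldap returns every attribute as a list of values, so
'%(uid)s' % attrs stringifies the list instead of the uid. Flatten
single-valued attributes first, and refuse to silently stringify a
multi-valued one."""


class Scalars(dict):
    """Mapping for %-templates that rejects list values outright, so a
    template referencing a multi-valued attribute fails loudly instead of
    writing "[...]" into the directory."""

    def __getitem__(self, key):
        value = dict.__getitem__(self, key)
        if isinstance(value, list):
            raise ValueError(
                'attribute %r is multi-valued (%d values); a group template '
                'must reference a single-valued attribute' % (key, len(value)))
        return value


def scalarize(dn, attrs):
    """Turn a python-ldap (dn, attrs) result into template-ready values:
    bytes are decoded, single-valued attributes become plain str, and
    multi-valued ones stay lists so Scalars can flag them."""
    flat = {'dn': dn}
    for name, values in attrs.items():
        decoded = [v.decode('utf-8') if isinstance(v, bytes) else v
                   for v in values]
        flat[name] = decoded[0] if len(decoded) == 1 else decoded
    return Scalars(flat)


def render_group_attrs(templates, dn, attrs):
    """Render each ldap.group_attr.<name> template for one user entry."""
    flat = scalarize(dn, attrs)
    return {attr: tmpl % flat for attr, tmpl in templates.items()}


# Constructed entry (hypothetical user, not from the issue's directory).
ENTRY_DN = 'uid=max.wellgrand,ou=People,dc=example,dc=org'
ENTRY_ATTRS = {
    'cn': [b'Max Wellgrand'],
    'uid': [b'max.wellgrand'],
    'objectClass': [b'person', b'posixAccount', b'inetOrgPerson'],
    'mail': [b'max.wellgrand@example.org'],   # constructed address
}

# The two group attribute templates from the issue's configuration.
GROUP_ATTR_TEMPLATES = {'member': '%(dn)s', 'memberUid': '%(uid)s'}

# What the issue observed: the raw python-ldap dict stringifies the list.
NAIVE_MEMBERUID = '%(uid)s' % ENTRY_ATTRS      # "[b'max.wellgrand']"

if __name__ == '__main__':
    print('naive :', NAIVE_MEMBERUID)
    print('fixed :', render_group_attrs(GROUP_ATTR_TEMPLATES, ENTRY_DN, ENTRY_ATTRS))
```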

Problem with some emails

Hi,

Trying to add a user to my ldap, I met an "Error occurred". Looking at stdout, I found that the email wasn't recognized as valid (format was [email protected]). I found that the '-' was the problem. Digging into the code I found that the _is_email function in the /usr/lib/python3.8/site-packages/ldapcherry-1.1.1-py3.8.egg/ldapcherry/attributes.py file was the problem.

So I modified it to :

def _is_email(self, email):
    # pattern = r'[\+\.\w]+@[-\.\w]+\.\w+'
    # if re.match(pattern, email):
    return True
    # else:
    #     return False

Email is not checked at all now, but it works; users may need to be more vigilant now ...

I think the pattern is too basic and this function deserves a better algorithm ;)

I don't know Python at all so I can't do the modification myself :s

Regards
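Added example, not the project's fix: it runs the pattern quoted in the issue above next to a stricter replacement. The original pattern has two defects a defender cares about: the local-part class [\+\.\w]+ does not admit '-', and re.match() only anchors the start, so anything after a valid-looking address is accepted. is_email_strict is my own name; the sample addresses are constructed.

```python
import re

# The pattern from the issue's _is_email(), kept verbatim for comparison.
ORIGINAL = re.compile(r'[\+\.\w]+@[-\.\w]+\.\w+')

# Local part: dot-separated runs of the common RFC 5322 atext characters
# (no leading, trailing or doubled dots). Domain: hyphen-capable labels
# followed by an alphabetic TLD. fullmatch() anchors both ends.
_LOCAL = r"[A-Za-z0-9_%+-]+(?:\.[A-Za-z0-9_%+-]+)*"
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
STRICT = re.compile(_LOCAL + '@' + _DOMAIN)


def is_email_original(email):
    """Behaviour of the shipped check: prefix match only."""
    return ORIGINAL.match(email) is not None


def is_email_strict(email):
    """Whole-string match plus the RFC 5321 length limits (64-octet local
    part, 254-octet address)."""
    if not isinstance(email, str) or len(email) > 254:
        return False
    local = email.rsplit('@', 1)[0]
    return len(local) <= 64 and STRICT.fullmatch(email) is not None


# Constructed samples: the hyphen case from the issue, a normal address,
# and trailing junk that the unanchored pattern lets through.
SAMPLES = [
    'first-last@example.org',
    'john.doe+tag@sub.example.org',
    'john@example.org some trailing junk',
    '.john@example.org',
    'john@localhost',
]

if __name__ == '__main__':
    for addr in SAMPLES:
        print('%-40r original=%-5s strict=%s' % (
            addr, is_email_original(addr), is_email_strict(addr)))
```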

start error

Traceback (most recent call last): 
File "/snap/users/x1/python/bin/ldapcherryd", line 11, in <module> 
load_entry_point('ldapcherry==1.1.1', 'console_scripts', 'ldapcherryd')() 
File "/snap/users/x1/python/lib/python2.7/site-packages/pkg_resources/__init__.py", line 487, in load_entry_point 
return get_distribution(dist).load_entry_point(group, name) 
File "/snap/users/x1/python/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2728, in load_entry_point 
return ep.load() 
File "/snap/users/x1/python/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2346, in load 
return self.resolve() 
File "/snap/users/x1/python/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2352, in resolve 
module = __import__(self.module_name, fromlist=['__name__'], level=0) 
File "/snap/users/x1/python/lib/python2.7/site-packages/ldapcherry-1.1.1-py2.7.egg/ldapcherry/__init__.py", line 19, in <module> 
from ldapcherry.exceptions import * 
File "/snap/users/x1/python/lib/python2.7/site-packages/ldapcherry-1.1.1-py2.7.egg/ldapcherry/exceptions.py", line 9, in <module> 
import cherrypy 
File "/snap/users/x1/python/lib/python2.7/site-packages/CherryPy-17.4.1-py2.7.egg/cherrypy/__init__.py", line 66, in <module> 
from ._cperror import ( 
File "/snap/users/x1/python/lib/python2.7/site-packages/CherryPy-17.4.1-py2.7.egg/cherrypy/_cperror.py", line 129, in <module> 
from more_itertools import always_iterable 
File "build/bdist.linux-x86_64/egg/more_itertools/__init__.py", line 1, in <module> 
File "/snap/users/x1/python/lib/python2.7/site-packages/more_itertools-7.0.0-py2.7.egg/more_itertools/more.py", line 333 
def _collate(*iterables, key=lambda a: a, reverse=False): 
^ 
SyntaxError: invalid syntax

Maybe related to: https://stackoverflow.com/questions/54648246/invalid-syntax-in-more-itertools-when-running-pytest

change OU in backendAD

Because my users' accounts are in a different OU, how can I list accounts in a different OU?
And can I create users in a different OU?

Actions using Admin credential

Hello,

I would like to know whether ldapcherry uses the users'/admins' credentials to perform actions like updating/resetting the passwords of other users, or whether it is the service account specified in the config file that performs the updates.

If not, will this feature be available?

Auto assign fields

Is it possible to not show fields (like uid, uidNumber, gidNumber) on UI but still save values to ldap server (auto-increment)?

I am not sure if it is an LDAP server feature or an ldapcherry one.

Double escaping the UI

With the security improvements from 1.0.0, Mako template escaping is now used, but it overlaps with a previous escaping, leading to some data being escaped twice.

Unavailable Service

Hi, everyone.

I have an issue with my ldapcherry docker: when I try to perform the login I get "Unavailable service",

but I already configured the ldap config:

# global parameters
[global]

# listening interface
server.socket_host = '0.0.0.0'
# port
server.socket_port = 8080

# it's also possible to run bound to a unix socket
#server.socket_file = '/tmp/lc.sock'

# number of threads
server.thread_pool = 8
#don't show traceback on error
request.show_tracebacks = False

# log configuration
# /!\ you can't have multiple log handlers
#####################################
#   configuration to log in files   #
#####################################
## logger 'file' for access log 
#log.access_handler = 'file'
## logger syslog for error and ldapcherry log 
#log.error_handler = 'file'
## access log file
#log.access_file = '/tmp/ldapcherry_access.log'
## error and ldapcherry log file
#log.error_file = '/tmp/ldapcherry_error.log'

#####################################
#  configuration to log to stdout   #
#####################################
## logger stdout for access log
#log.access_handler = 'stdout'
## logger stdout for error and ldapcherry log
#log.error_handler = 'stdout'

#####################################
#  configuration to log in syslog   #
#####################################
# logger syslog for access log 
#log.access_handler = 'syslog'
## logger syslog for error and ldapcherry log 
log.error_handler = 'syslog'

#####################################
#  configuration to not log at all  #
#####################################
# logger none for access log 
log.access_handler = 'none'
# logger none for error and ldapcherry log 
#log.error_handler = 'none'

# log level
log.level = 'info'

# session configuration
# activate session
tools.sessions.on = True
# session timeout
tools.sessions.timeout = 10
# file session storage(to use if multiple processes, 
# default is in RAM and per process)
#tools.sessions.storage_type = "file"
# session 
#tools.sessions.storage_path = "/var/lib/ldapcherry/sessions"

[attributes]

# file describing form content
attributes.file = '/etc/ldapcherry/attributes.yml'

[roles]

# file listing roles
roles.file = '/etc/ldapcherry/roles.yml'

[backends]

#####################################
#   configuration of ldap backend   #
#####################################

# name of the module
ldap.module = 'ldapcherry.backend.backendLdap'
# display name of the ldap
ldap.display_name = 'My Ldap Directory'

# uri of the ldap directory
ldap.uri = 'ldap://192.168.1.53'
# ca to use for ssl/tls connection
#ldap.ca = '/etc/dnscherry/TEST-cacert.pem'
# use start tls
#ldap.starttls = 'off'
# check server certificate (for tls)
#ldap.checkcert = 'off'
# bind dn to the ldap
ldap.binddn = 'cn=admin,dc=blackdragon,dc=tv'
# password of the bind dn
ldap.password = '*******'
# timeout of ldap connection (in seconds)
ldap.timeout = 1

# groups dn
ldap.groupdn = 'ou=Groups,dc=blackdragon,dc=tv'
# users dn
ldap.userdn = 'ou=Users,dc=blackdragon,dc=tv'

# ldapsearch filter to get one specific user
# %(username)s is content of the attribute marked 'key: True' in the attributes.file config file
ldap.user_filter_tmpl = '(uid=%(username)s)'
# ldapsearch filter to get groups of a user
# %(username)s is content of the attribute marked 'key: True' in the attributes.file config file
ldap.group_filter_tmpl = '(member=uid=%(username)s,ou=People,dc=example,dc=org)'
# filter to search users
# %(searchstring)s is the content passed through the search box
ldap.search_filter_tmpl = '(|(uid=%(searchstring)s*)(sn=%(searchstring)s*))'

# ldap group attributes and how to fill them
# 'member' is the name of the attribute
# for the template, any of the user's ldap attributes can be used
ldap.group_attr.member = "%(dn)s"
# same with memberUid and the uid user's attribute
#ldap.group_attr.memberUid = "%(uid)s"

# object classes of a user entry
ldap.objectclasses = 'top, person, posixAccount, inetOrgPerson'
# dn entry attribute for an ldap user
ldap.dn_user_attr = 'uid'

#####################################
#   configuration of ad backend     #
#####################################
 
## Name of the backend
#ad.module = 'ldapcherry.backend.backendAD'
## display name of the ldap
#ad.display_name = 'My Active Directory'
## ad domain
#ad.domain = 'dc.ldapcherry.org'
## ad login
#ad.login  = 'administrator'
## ad password 
#ad.password = 'qwertyP455'
## ad uri
#ad.uri = 'ldap://ldap.ldapcherry.org'

## ca to use for ssl/tls connection
#ad.ca = '/etc/dnscherry/TEST-cacert.pem'
## use start tls
#ad.starttls = 'off'
## check server certificate (for tls)
#ad.checkcert = 'off'

#####################################
#   configuration of demo backend   #
#####################################
 
## Name of the backend
#demo.module = 'ldapcherry.backend.backendDemo'
## Display name of the Backend
#demo.display_name  = 'Demo Backend'
## Groups of admin user
#demo.admin.groups  = 'DnsAdmins'
## Groups of basic user
#demo.basic.groups  = 'Test 2, Test 1'
## Password attribute name
#demo.pwd_attr = 'userPassword'
## Attribute to use for the search
#demo.search_attributes = 'cn, sn, givenName, uid'
## Login of default admin user
#demo.admin.user = 'admin'
## Password of default admin user
#demo.admin.password = 'admin'
## Login of default basic user
#demo.basic.user = 'user'
## Password of default basic user
#demo.basic.password = 'user'

[ppolicy]

# password policy module
ppolicy.module = 'ldapcherry.ppolicy.simple'

# parameters of the module
min_length = 8
min_upper = 1
min_digit = 1

# authentication parameters
[auth]

# Auth mode
# * and: user must authenticate on all backends
# * or:  user must authenticate on one of the backend
# * none: disable authentication
# * custom: custom authentication module (need auth.module param)
auth.mode = 'or'

# custom auth module to load
#auth.module = 'ldapcherry.auth.modNone'

# resources parameters
[resources]
# templates directory
templates.dir = '/usr/share/ldapcherry/templates/'

[/static]
# enable serving static file through ldapcherry
# set to False if files served directly by an
# http server for better performance
tools.staticdir.on = True
# static resources directory (js, css, images...)
tools.staticdir.dir = '/usr/share/ldapcherry/static/'

## custom javascript files
#[/custom]
#
## enable serving static file through ldapcherry
## set to False if files served directly by an
## http server for better performance
#tools.staticdir.on = True

## path to directory containing js files
## use it to add custom auto-fill functions
#tools.staticdir.dir = '/etc/ldapcherry/custom_js/'

So I don't understand what is wrong here?

error when building with python3

Is this an error or is python 3 not supported?

[ 56s] + /usr/bin/python3 setup.py build '--executable=/usr/bin/python3 -s'
[ 57s] Traceback (most recent call last):
[ 57s] File "setup.py", line 44, in <module>
[ 57s] description = f.read()
[ 57s] File "/usr/lib64/python3.6/encodings/ascii.py", line 26, in decode
[ 57s] return codecs.ascii_decode(input, self.errors)[0]
[ 57s] UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 1152: ordinal not in range(128)

Problems installing

I have attempted to install in ubuntu 18.04LTS and within a docker image of 16.04 but keep running into errors trying to start LDAPCHERRY although it seems everything installed. I am probably missing a prerequisite. Is there a running docker image out there? Here is the error I get when attempting to start:

root@5ee084e76c6b:/ldapcherry# ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D
Traceback (most recent call last):
File "/usr/local/bin/ldapcherryd", line 11, in <module>
load_entry_point('ldapcherry==1.1.1', 'console_scripts', 'ldapcherryd')()
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 489, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 2792, in load_entry_point
raise ImportError("Entry point %r not found" % ((group, name),))
ImportError: Entry point ('console_scripts', 'ldapcherryd') not found
root@5ee084e76c6b:/ldapcherry#

fastcgi_option not working

I used a fresh checkout and I get the following error when trying to run ldapcherry with fastcgi:

Python Exception:
Traceback (most recent call last):

  File "/home/ubuntu/ldapcherry/ldapcherry/exceptions.py", line 228, in ret
    return func(self, *args, **kwargs)

TypeError: default() takes at most 2 arguments (7 given)

uncaught exception: [default() takes at most 2 arguments (7 given)]

Command used:

sudo ldapcherryd -c conf/ldapcherry.ini -D -f

I used the ldapcherry.ini that came with the checkout but changed the following attributes:

# listing interface
server.socket_host = '0.0.0.0'

I also changed the templates and static dir attributes to point to the correct place for the Nginx configuration but I don't think that should matter.

No Output when execute the start command from docker

I have an issue with starting ldapcherry with:
root@09ee463a4295:/app# ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -D
root@09ee463a4295:/app#

I just get nothing, and no errors/logs. The docker image is based on python2.7 and the installation passed successfully:

"Installing collected packages: six, pytz, more-itertools, backports.functools-lru-cache, jaraco.functools, tempora, portend, cheroot, CherryPy, pyasn1, pyasn1-modules, python-ldap, PyYAML, MarkupSafe, Mako, ldapcherry
Running setup.py install for python-ldap: started
Running setup.py install for python-ldap: finished with status 'done'
Running setup.py install for PyYAML: started
Running setup.py install for PyYAML: finished with status 'done'
Running setup.py install for MarkupSafe: started
Running setup.py install for MarkupSafe: finished with status 'done'
Running setup.py install for Mako: started
Running setup.py install for Mako: finished with status 'done'
Running setup.py install for ldapcherry: started
Running setup.py install for ldapcherry: finished with status 'done'
Successfully installed CherryPy-17.0.0 Mako-1.0.7 MarkupSafe-1.0 PyYAML-3.13 backports.functools-lru-cache-1.5 cheroot-6.3.3 jaraco.functools-1.20 ldapcherry-0.5.0 more-itertools-4.2.0 portend-2.3 pyasn1-0.4.3 pyasn1-modules-0.2.2 python-ldap-3.1.0 pytz-2018.5 six-1.11.0 tempora-1.13"

setup.py is not working with docker

When I try to run "python setup.py" in a docker container, I get an error like the one below:

root@f9993426d228:/ldapcherry# python setup.py
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'entry_points'
warnings.warn(msg)
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'install_requires'
warnings.warn(msg)
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'zip_safe'
warnings.warn(msg)
/usr/lib/python2.7/distutils/dist.py:267: UserWarning: Unknown distribution option: 'tests_require'
warnings.warn(msg)
usage: setup.py [global_opts] cmd1 [cmd1_opts] [cmd2 [cmd2_opts] ...]
or: setup.py --help [cmd1 cmd2 ...]
or: setup.py --help-commands
or: setup.py cmd --help

error: no commands supplied

What would be the reason for this?

"manage multiple directories/databases backends in an unified way"

Does this mean multiple instances of the software can run with different backend configurations to manage multiple and different server types, be it ldap/mysql etc.?

It kind of sounds like you could have one instance for managing multiple ldap domains. But when I look at the config, I am not seeing this.

I have a nontraditional setup where I have LDAP DOMAIN -> domains -> individual domains -> users etc. This allows me to host multiple email domains easily using dovecot's ldap features.

It looks like even if I can manage to filter down with a search parameter in the ldapcherry config, I can only manage one of the said "domains" in this app.

A more generic client would be able to attach the domains/users anywhere in the tree.

Good project but it seems it makes some assumptions that limit its capability.

Am I mistaken as to how it works?

List of all the users in each AD group

We are using LdapCherry to manage user roles. We need to assign users to some roles temporarily, so we need to review the users in particular roles. Is it possible to make the role clickable, so that we can list the users in each AD group?

listen on unix socket

It would be great to be able to start ldapcherryd listening only on a unix socket file instead of a tcp port.

Systemd config?

Hello,

I'm trying to create a systemd config file:

[Service]
WorkingDirectory=/opt/ldapcherry
ExecStart=/usr/local/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -d -p /var/run/ldapcherry.pid
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=ldapcherry
User=ldapcherry
Group=ldapcherry
PIDFile=/var/run/ldapcherry.pid


[Install]
WantedBy=multi-user.target

but it doesn't work... syslog says the following:

Mar 26 18:18:04 apple ldapcherry[30258]: application started
Mar 26 18:18:04 apple ldapcherry[30258]: ENGINE Listening for SIGTERM.
Mar 26 18:18:04 apple ldapcherry[30258]: ENGINE Listening for SIGHUP.
Mar 26 18:18:04 apple ldapcherry[30258]: ENGINE Listening for SIGUSR1.
Mar 26 18:18:04 apple ldapcherry[30258]: ENGINE Bus STARTING
Mar 26 18:18:04 apple ldapcherry[30258]: ENGINE Forking once.
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE Caught signal SIGTERM.
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE Caught signal SIGTERM.
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE Bus STOPPING
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE Bus STOPPING
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE HTTP Server None already shut down
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE Bus STOPPED
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE HTTP Server None already shut down
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE Bus EXITING
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE Bus STOPPED
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE Bus EXITING
Mar 26 18:18:04 apple ldapcherry[30280]: ENGINE Bus EXITED
Mar 26 18:18:04 apple ldapcherry[30279]: ENGINE Bus EXITED
Mar 26 18:18:04 apple systemd[1]: ldapcherry.service: Service hold-off time over, scheduling restart.
Mar 26 18:18:04 apple systemd[1]: ldapcherry.service: Scheduled restart job, restart counter is at 5.
Mar 26 18:18:04 apple systemd[1]: Stopped ldapcherry.service.
Mar 26 18:18:04 apple systemd[1]: ldapcherry.service: Start request repeated too quickly.
Mar 26 18:18:04 apple systemd[1]: ldapcherry.service: Failed with result 'start-limit-hit'.
Mar 26 18:18:04 apple systemd[1]: Failed to start ldapcherry.service.

What is missing?
How do I handle it with systemd?
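A unit that matches the way ldapcherryd is started in this report, as an added example that is not part of the original issue: the log shows the process forking once after `-d`, and with systemd's default `Type=simple` the parent exiting is taken as the service dying, so the forked children receive SIGTERM and the unit is restarted until `start-limit-hit`. Either declare the fork (`Type=forking` plus `PIDFile`) or drop `-d`/`-p` so systemd supervises the foreground process; the paths are the ones from the issue, and the use of `RuntimeDirectory=` for a pid file writable by the service user is my addition.

```ini
# /etc/systemd/system/ldapcherry.service (added example; paths taken from the issue above)
[Unit]
Description=LdapCherry user and group management
After=network.target

[Service]
# ldapcherryd -d forks into the background ("ENGINE Forking once" in the log),
# so systemd has to be told to expect the fork and where the pid file lands.
Type=forking
# /var/run is root-owned; RuntimeDirectory= creates /run/ldapcherry owned by
# User=/Group= so the daemon can write its pid file there.
RuntimeDirectory=ldapcherry
PIDFile=/run/ldapcherry/ldapcherry.pid
WorkingDirectory=/opt/ldapcherry
ExecStart=/usr/local/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini -d -p /run/ldapcherry/ldapcherry.pid
User=ldapcherry
Group=ldapcherry
Restart=always
SyslogIdentifier=ldapcherry
# Alternative with the default Type=simple: drop -d and -p so the process
# stays in the foreground and systemd tracks it directly:
#   ExecStart=/usr/local/bin/ldapcherryd -c /etc/ldapcherry/ldapcherry.ini

[Install]
WantedBy=multi-user.target
```

After editing the unit, run `systemctl daemon-reload` and `systemctl reset-failed ldapcherry.service` before starting it again, since the start-limit counter from the failed attempts is otherwise still in effect.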

https index redirects to http signin form

When accessed using: https://example.com
Redirected to: http://example.com/signin?url=http%3A%2F%2Fexample.com

Here is my nginx configuration:

...
location / {
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Nginx-Proxy true;
    proxy_pass       $scheme://unix:/var/snap/users/19051950/ldapcherry.socket: ;
    proxy_redirect   off;
}
...
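Why the redirect comes back as http, as an added example that is not part of the original report: a simplified Python model of how a CherryPy application (LdapCherry is one) derives its base URL with and without CherryPy's proxy tool. That LdapCherry's ldapcherry.ini `[global]` section reaches cherrypy.config, so that `tools.proxy.on = True` there enables the tool, is an assumption; the header values are constructed from the nginx block above.

```python
from urllib.parse import quote

# Added example, not LdapCherry's or CherryPy's own code: a simplified model of
# how a CherryPy app derives its base URL behind a reverse proxy. Without the
# proxy tool the app only knows the scheme its own listener speaks (plain http
# on a unix socket), so every absolute URL it builds, including the signin
# redirect, comes out as http://... even though the client used https. With
# the proxy tool (tools.proxy.on = True, an assumption for LdapCherry's ini)
# X-Forwarded-Proto and X-Forwarded-Host from the reverse proxy override that.


def request_base(headers, listener_scheme="http", proxy_tool=False):
    """Return the scheme://host prefix the application uses to build URLs."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme = listener_scheme
    host = h.get("host", "")
    if proxy_tool:
        scheme = h.get("x-forwarded-proto", scheme)
        # X-Forwarded-Host may carry a comma-separated chain; the first entry
        # is the host the client actually asked for.
        host = h.get("x-forwarded-host", host).split(",")[0].strip()
    return f"{scheme}://{host}"


def signin_redirect(headers, path="", listener_scheme="http", proxy_tool=False):
    """Model of the 'not authenticated' redirect: /signin?url=<current url>."""
    base = request_base(headers, listener_scheme, proxy_tool)
    return f"{base}/signin?url={quote(base + path, safe='')}"


# Constructed headers matching the nginx block in the issue: Host is set to
# $http_host and X-Forwarded-Proto to $scheme (https for a TLS client).
ISSUE_HEADERS = {"Host": "example.com", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(signin_redirect(ISSUE_HEADERS))                   # proxy tool off
    print(signin_redirect(ISSUE_HEADERS, proxy_tool=True))  # proxy tool on
```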

ldapcherry - sudo ldap

Is it possible to use ldapcherry to manage sudoers in ldap? I looked at the code and it seems it supports custom "backends". ldap sudo only needs 4 attributes ('cn', 'sudoUser', 'sudoCommand', 'sudoHost') and one objectclass (SudoRole). As someone with no python background, how hard would it be to make up something?

Password encryption/hashing

Hello,
From what I can see, right now a new user has the password saved as plaintext. Is there a possibility to add encryption (interested mostly in SSHA), or maybe you can point me to where I could implement that :D
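The {SSHA} scheme the question asks about, as an added example that is not LdapCherry code: hashing and verifying LDAP-style userPassword values with Python's standard library. The function names are my own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not LdapCherry code. LDAP directories store {SSHA} values as
#   "{SSHA}" + base64( SHA-1(password || salt) || salt )
# i.e. a 20-byte digest followed by the salt, so a verifier can recover the
# salt from the stored value and recompute the digest.

_PREFIX = "{SSHA}"
_DIGEST_LEN = 20  # SHA-1 output size in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an LDAP-style {SSHA} value for *password*."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check *candidate* against a stored {SSHA} value without timing leaks."""
    if not stored.startswith(_PREFIX):
        return False  # some other scheme ({SHA}, {CRYPT}, plaintext, ...)
    try:
        raw = base64.b64decode(stored[len(_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= _DIGEST_LEN:
        return False  # no salt present: malformed value
    digest, salt = raw[:_DIGEST_LEN], raw[_DIGEST_LEN:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)

# Caveat: salted SHA-1 is the format asked for and what most directories
# accept, but it is fast to brute-force offline. Where the server supports it,
# sending the new password over TLS with the Password Modify extended
# operation and letting the directory hash it (OpenLDAP: olcPasswordHash)
# keeps the scheme choice, and later upgrades, on the server side.
```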

More debug logs for the ldap backend

Some logs showing the actual query filter content in the ldap searches could be really helpful as a Debug log when troubleshooting ldapcherry configuration.

Allow access behind reverse proxy including subdirectory url

Similar to coleifer/sqlite-web@62be325 I want to put this service behind a reverse proxy that puts this service in a subdirectory.

Expected Behavior

The service has a configurable option to set the subdirectory that it operates in.

Actual Behavior

An NGINX config like the following is required to have the application operate in a subdirectory:

location /ldapcherry/ {
    proxy_pass http://ldapcherry:8080/;
    proxy_redirect default;
}

location /static/ {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

location /selfmodify/ {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

location /selfmodify {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

location /searchuser/ {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

location /checkppolicy {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

location /logout {
    proxy_headers_hash_max_size 512;
    proxy_headers_hash_bucket_size 64;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    add_header Front-End-Https on;
    proxy_pass http://ldapcherry:8080;
}

Where ldapcherry:8080 is the host and the port behind the reverse proxy.

pip install ldapcherry - fatal error: lber.h: No such file or directory

OS : Centos 7.2
Python : 2.7.5
ldapcherry : 1.1.1

I obtained the following error while installing ldapcherry.

$ pip install ldapcherry

gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DHAVE_SASL -DHAVE_TLS -DHAVE_LIBLDAP_R -DHAVE_LIBLDAP_R -DLDAPMODULE_VERSION=3.2.0 -DLDAPMODULE_AUTHOR=python-ldap project -DLDAPMODULE_LICENSE=Python style -IModules -I/usr/include/python2.7 -c Modules/LDAPObject.c -o build/temp.linux-x86_64-2.7/Modules/LDAPObject.o
In file included from Modules/LDAPObject.c:8:0:
Modules/constants.h:7:18: fatal error: lber.h: No such file or directory
#include "lber.h"
^
compilation terminated.
error: command 'gcc' failed with exit status 1

----------------------------------------

Command "/usr/bin/python2 -u -c "import setuptools, tokenize;file='/tmp/pip-build-yVznKq/python-ldap/setup.py';exec(compile(getattr(tokenize, 'open', open)(file).read().replace('\r\n', '\n'), file, 'exec'))" install --record /tmp/pip-PAw1yB-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-yVznKq/python-ldap/

python 2.7 install error

Getting these errors installing under python 2.7

File "/drone/src/github.com/syncloud/users/build/users/python/lib/python2.7/site-packages/CherryPy-18.0.1-py2.7.egg/cherrypy/lib/httputil.py", line 214
    ) from val_err
         ^
SyntaxError: invalid syntax
error: The 'tempora>=1.8' distribution was not found and is required by portend

Is this python 3 only project?

Creating Admin Role for an existing user

Hi @kakwa
I am trying to login to ldapcherry as admin but I am not getting any idea about it. I want to create and delete users from the admin account. Currently, I am able to login as a normal user.

I have already set up an openldap server; I have used phpldapadmin to set up some users and groups and an organizational unit. The structure is something like the below:

Screenshot from 2019-04-18 13-46-09
How should I add or use admin account for ldapcherry?
