[Freeipa-devel] Using the new LDAP code

Petr Viktorin pviktori at redhat.com
Wed Feb 27 11:46:44 UTC 2013


Hello,
A big refactoring of our LDAP code should be merged soon-ish now. Here's 
a summary for developers.


If you see these outside ipaldap.py, you're looking at deprecated API:
- methods with camelCaseNames
- methods with _s and _ext postfixes (modify_s, search_ext, ...)

The exception is client code and places where we don't want to read the 
schema (migration, AD). These are still limited to raw python-ldap for now.



The LDAPEntry class represents LDAP entries. It behaves like a 
dictionary of lists: entry.get(attrname) or entry[attrname] should 
always give you a list.

LDAPEntry.dn will give you the entry's DN.

Single-value attributes are represented as lists with a single value. 
(For now, some code still puts bare values instead of lists in entries, 
in that case you'll still get a bare value from get()/__getitem__. That 
should be fixed eventually.)
The "single_value" method gets a single value, with checking. Always use 
`entry.single_value('abc')` instead of `entry.get('abc')[0]`.
Also, single_value allows a default: `entry.single_value('abc', None)`.

LDAPEntry is case-insensitive and handles attributes with multiple 
names: entry['cn'] and entry['CN'] and entry['CommonName'] are equivalent.

IPA plugins traditionally use (dn, entry_attrs) pairs to represent 
entries. To make that work, iterating over an LDAPEntry will, for now, 
yield the DN and the entry itself. Always use keys() or values() when 
iterating over an entry.

LDAPEntry objects are tied to a connection. Do not create them directly, 
use a connection method like make_entry() or get_entry().


Speaking of connections, there still are two classes for those: ldap2 
and IPAdmin.
ldap2 is an API plugin created using the IPA settings. It works in 
Apache (per-thread connections). It also applies the default IPA 
settings (time & records limit).
Use IPAdmin if IPA is not installed yet (or when it's being 
uninstalled), or if you need to connect to a non-default server or bind 
as a user like the DM.

Besides the connecting code, both of these (will ideally) have the same 
API, based on the old ldap2. A rough summary:

- make_entry(dn, attrs)
- get_entry(dn)
- add_entry(entry)
- update_entry(entry)
- delete_entry(entry_or_dn)

- get_entries(base_dn, [scope, [filter, [attrs_list]]]): simple search
- find_entries: more powerful (and backwards-compatible) search
- make_filter & friends, unchanged from ldap2


ldap2's DN normalization (appending the suffix to DNs that don't end 
with it) is gone; you need to do that manually now.



That should be it, if you don't intend to hack on ipaldap itself or the 
ldapupdater. If you have any questions, ask! (Or look at the code :)

-- 
Petr³
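The following is an added, self-contained illustration of the entry semantics the post describes (dict-of-lists access, case-insensitive and alias-aware attribute names, checked single_value with a default, the (dn, entry) iteration trap, and manual suffix appending). It is not code from FreeIPA's ipaldap.py; only the names mentioned in the post (LDAPEntry, dn, single_value, make_entry, get_entry, add_entry, delete_entry) are taken from it, while the alias table, the in-memory FakeConnection, ensure_suffix and the error types raised are assumptions made for this example.

```python
"""Toy model of the LDAPEntry behaviour described in the post.

Added illustration, NOT FreeIPA's ipaldap.py. Alias table, FakeConnection,
ensure_suffix and the exception types are assumptions made here.
"""

# Assumed alias table; the real code reads aliases from the server schema.
_ALIASES = {"commonname": "cn", "surname": "sn", "userid": "uid"}

_MISSING = object()


def _canon(name):
    """Case-insensitive, alias-aware canonical attribute name."""
    name = name.lower()
    return _ALIASES.get(name, name)


class LDAPEntry(object):
    """Dictionary of lists keyed by attribute name, plus a DN."""

    def __init__(self, dn, attrs=None):
        self.dn = dn
        self._data = {}
        for key, value in (attrs or {}).items():
            self[key] = value

    def __setitem__(self, key, value):
        # Single values are stored as one-element lists, so get() and
        # __getitem__ always hand back a list.
        if not isinstance(value, list):
            value = [value]
        self._data[_canon(key)] = list(value)

    def __getitem__(self, key):
        return self._data[_canon(key)]

    def __contains__(self, key):
        return _canon(key) in self._data

    def get(self, key, default=None):
        return self._data.get(_canon(key), default)

    def keys(self):
        return self._data.keys()

    def values(self):
        return self._data.values()

    def __iter__(self):
        # Backwards-compatibility trap from the post: iterating an entry
        # yields (dn, entry) so old ``dn, attrs = entry`` code keeps
        # working. Walk keys()/values() to get at the attributes.
        yield self.dn
        yield self

    def single_value(self, key, default=_MISSING):
        """Checked single-value access: ValueError on a multi-valued
        attribute, KeyError on a missing one unless a default is given."""
        values = self._data.get(_canon(key), [])
        if len(values) > 1:
            raise ValueError("%s has %d values, expected one" % (key, len(values)))
        if not values:
            if default is _MISSING:
                raise KeyError(key)
            return default
        return values[0]


class FakeConnection(object):
    """In-memory stand-in for a connection (assumption: the real classes,
    ldap2 and IPAdmin, talk to a directory server). DNs are compared
    case-insensitively as strings, which is a toy simplification."""

    def __init__(self):
        self._store = {}

    def make_entry(self, dn, attrs=None):
        return LDAPEntry(dn, attrs)

    def add_entry(self, entry):
        if entry.dn.lower() in self._store:
            raise KeyError("entry already exists: %s" % entry.dn)
        self._store[entry.dn.lower()] = entry

    def get_entry(self, dn):
        return self._store[dn.lower()]

    def delete_entry(self, entry_or_dn):
        dn = getattr(entry_or_dn, "dn", entry_or_dn)
        del self._store[dn.lower()]


def ensure_suffix(dn, suffix):
    """Manual replacement for the removed DN normalization: append the
    suffix to a DN that does not already end with it (assumed helper)."""
    if dn.lower().endswith(suffix.lower()):
        return dn
    return "%s,%s" % (dn, suffix)


def demo():
    """Exercise the behaviours from the post on a constructed entry."""
    conn = FakeConnection()
    entry = conn.make_entry(
        ensure_suffix("uid=admin,cn=users,cn=accounts", "dc=example,dc=com"),
        {"UID": "admin", "cn": ["Administrator"],
         "memberOf": ["cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
                      "cn=editors,cn=groups,cn=accounts,dc=example,dc=com"]})
    conn.add_entry(entry)
    assert entry["cn"] == entry["CN"] == entry["CommonName"] == ["Administrator"]
    assert entry.single_value("uid") == "admin"
    assert entry.single_value("mail", None) is None
    dn, attrs = entry          # old (dn, attrs) pair convention still works
    assert dn == entry.dn and attrs is entry
    return conn.get_entry("UID=ADMIN,cn=users,cn=accounts,dc=example,dc=com")
```

Running demo() shows why the post insists on single_value() and keys()/values(): entry.get('memberOf')[0] would silently return the first group, whereas single_value('memberOf') raises, and `for x in entry` walks the DN and the entry object rather than the attribute names.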