3.4.4

Released 3.4.4 2023-11-17

Fixes:

• Reconnect race condition in ReconnectLDAPObject is now fixed
• Socket ownership is now claimed once we've passed it to libldap
• LDAP_set_option string formats are now compatible with Python 3.12

Doc/

• Security Policy was created
• Broken article links are fixed now
• Bring Conscious Language improvements

Infrastructure:

• Add testing and document support for Python 3.10, 3.11, and 3.12

3.4.3

Released 3.4.3 2022-09-15

This is a minor release to bring back the removed OPT_X_TLS option.
Please note, it's still a deprecated option and it will be removed in 3.5.0.

The following deprecated option has been brought back:

• OPT_X_TLS

Fixes:

• Sphinx documentation is now successfully built
• pypy3 tests stability was improved
• setup.py deprecation warning is now resolved

3.4.2

Released 3.4.2 2022-07-06

This is a minor release to provide out-of-the-box compatibility with the merge
of libldap and libldap_r that happened with OpenLDAP's 2.5 release.

The following undocumented functions are deprecated and scheduled for removal:

• ldap.cidict.strlist_intersection
• ldap.cidict.strlist_minus
• ldap.cidict.strlist_union

The following deprecated option has been removed:

• OPT_X_TLS

Doc/

• SASL option usage has been clarified

Lib/

• ppolicy control definition has been updated to match Behera draft 11

Modules/

• By default, compile against libldap, checking whether it provides a
  threadsafe implementation at runtime
• When decoding controls, the module can now distinguish between no value
  (now exposed as None) and an empty value (exposed as b'')
• Several new OpenLDAP options are now supported:
  • OPT_SOCKET_BIND_ADDRESSES
  • OPT_TCP_USER_TIMEOUT
  • OPT_X_SASL_MAXBUFSIZE
  • OPT_X_SASL_SECPROPS
  • OPT_X_TLS_ECNAME
  • OPT_X_TLS_PEERCERT
  • OPT_X_TLS_PROTOCOL-related options and constants

Fixes:

• Encoding/decoding of boolean controls has been corrected
• ldap.schema.models.Entry is now usable
• method keyword to ReconnectLDAPObject.bind_s is now usable

3.4.0

This release requires Python 3.6 or above,
and is tested with Python 3.6 to 3.10.
Python 2 is no longer supported.

New code in the python-ldap project is available under the MIT licence
(available in LICENCE.MIT in the source). Several contributors have agreed
to apply this licence their previous contributions as well.
See the README for details.

The following undocumented functions are deprecated and scheduled for removal:

• ldap.cidict.strlist_intersection
• ldap.cidict.strlist_minus
• ldap.cidict.strlist_union

Security fixes:

• Fix inefficient regular expression which allows denial-of-service attacks
  when parsing specially-crafted LDAP schema.
  (GHSL-2021-117)

Changes:

• On MacOS, remove option to make LDAP connections from a file descriptor
  when built with the system libldap (which lacks the underlying function,
  ldap_init_fd)
• Attribute values of the post read control are now bytes
  instead of ISO8859-1 decoded str
• LDAPUrl now treats urlscheme as case-insensitive
• Several OpenLDAP options are now supported:
  • OPT_X_TLS_REQUIRE_SAN
  • OPT_X_SASL_SSF_EXTERNAL
  • OPT_X_TLS_PEERCERT

Fixes:

• The copy() method of cidict was added back. It was unintentionally
  removed in 3.3.0
• Fixed getting/setting SASL options on big endian platforms
• Unknown LDAP result code are now converted to LDAPexception,
  rather than raising a SystemError.

slapdtest:

• Show stderr of slapd -Ttest
• SlapdObject uses directory-based configuration of slapd
• SlapdObject startup is now faster

Infrastructure:

• CI now runs on GitHub Actions rather than Travis CI.

3.3.1

Released 3.3.1 2020-06-29

Changes:

• On MacOS, remove option to make LDAP connections from a file descriptor when built wit the system libldap (which lacks the underlying function, ldap_init_fd)

3.3.0

Released 3.3.0 2020-06-18

Highlights:

• LDAPError now contains additional fields, such as ctrls, result, msgid
• passwd_s can now extract the newly generated password
• LDAP connections can now be made from a file descriptor

This release is tested on Python 3.8, and the beta of Python 3.9.

The following undocumented functions are deprecated and scheduled for removal:

• ldap.cidict.strlist_intersection
• ldap.cidict.strlist_minus
• ldap.cidict.strlist_union

Modules/

• Ensure ReconnectLDAPObject is not left in an inconsistent state after
  a reconnection timeout
• Syncrepl now correctly parses SyncInfoMessage when the message is a syncIdSet
• Release GIL around global get/set option call
• Do not leak serverctrls in result functions
• Don't overallocate memory in attrs_from_List()
• Fix thread support check for Python 3
• With OpenLDAP 2.4.48, use the new header openldap.h

Lib/

• Fix some edge cases regarding quoting in the schema tokenizer
• Fix escaping a single space in ldap.escape_dn_chars
• Fix string formatting in ldap.compare_ext_s
• Prefer iterating dict instead of calling dict.keys()

Doc/

• Clarify the relationship between initialize() and LDAPObject()
• Improve documentation of TLS options
• Update FAQ to include Samba AD-DC error message
  "Operation unavailable without authentication"
• Fix several incorrect examples and demos
  (but note that these are not yet tested)
• Update Debian installation instructions for Debian Buster
• Typo fixes in docs and docstrings

Test/

• Test and document error cases in ldap.compare_s
• Test if reconnection is done after connection loss
• Make test certificates valid for the far future
• Use slapd -Tt instead of slaptest

Infrastructure:

• Mark the LICENCE file as a license for setuptools
• Use "unittest discover" rather than "setup.py test" to run tests

3.2.0

Released 3.2.0 2019-03-13

Lib/

• Add support for X-ORIGIN in ldap.schema's ObjectClass
• Make initialize() pass extra keyword arguments to LDAPObject
• ldap.controls.sss: use str instead of basestring on Python 3
• Provide ldap.trace* atributes in non-debug mode

Doc/

• Fix ReST syntax for links to set_option and get_option

Tests/

• Use intersphinx to link to Python documentation
• Correct type of some attribute values to bytes
• Use system-specific ENOTCONN value

Infrastructure:

• Add testing and document support for Python 3.7
• Add Python 3.8-dev to Tox and CI configuration
• Add Doc/requirements.txt for building on Read the Docs

3.1.0

Released 3.1.0 2018-05-25

This release brings two minor API changes:

• Long-deprecated functions ldap.open() and ldap.init() are removed
• LDAPObject.compare_s() and compare_ext_s return bool instead of 0 or 1

All changes since 3.0.0:

Lib/

• Remove long deprecated functions ldap.open() and ldap.init()
• LDAPObject.compare_s() and LDAPObject.compare_ext_s() now return a bool
  instead of 1 or 0.
• Make iteration over cidict yield same values as keys()
• Fail if pyasn1 is not installed
• Fix parsing of PPolicyControl ASN.1 structure
• Use items() when appropriate in dict iteration
• Add support for tracing LDAP calls. Tracing can now be enabled with
  the env var PYTHON_LDAP_TRACE_LEVEL and redirected to a file with
  PYTHON_LDAP_TRACE_FILE.
  (This is mainly intended for debugging and internal testing; the
  configuration or output may change in future versions.)

Modules/

• Fix ref counting bug in LDAPmessage_to_python

Doc/

• Remove warning about unreleased version
• Doc: Replace Mac OS X -> macOS

Tests/

• Add tests and coverage for tracing
• Disable warnings-as-errors for Python 3.4
• Fix assertTrue to assertEqual
• Mark several test values as bytes

Lib/slapdtest/

• Fix error message for missing commands
• Make SlapdObject a context manager
• Disable SASL external when missing SASL support
• Make SlapdObject.root_dn a property
• In SlapdObject, build include directives dynamically
• Move import statements to top level

Code style:

• Add Makefile rules for automatic formatting of C and Python code
• Reformat and indent all C files
• Trim white space throughout the project

Infrastructure:

• Add py3-trace tox environment to Travis CI config
• Add new Pytest cache directory to gitignore

General:

• Update all pypi.python.org URLs to pypi.org

3.0.0

Notable changes since 2.4.45 (please see detailed logs below):

• Python 3 support and bytes_mode
  see: https://python-ldap.readthedocs.io/en/latest/bytes_mode.html
• The module ldap.async is renamed to ldap.asyncsearch
• New dependencies: pyasn1, pyasn1_modules
• Dropped support for Python 2.6 and 3.3

---

Released 3.0.0 2018-03-12

Changes since 3.0.0b4:

Lib/

• Add bytes_strictness to allow configuring behavior on bytes/text mismatch

Modules/

• Add argument name to bytes mode TypeError
• Use correct integer types for BER encode/decode (fix for big endian machines)

Test/

• Set $LDAPNOINIT in all tests
• Add test for secure TLS default
• Ignore SASL methods in DSE test (fix for restricted environments)
• Remove filterstr workaround from syncrepl test
• Explicitly set TLS_REQUIRE_CERT option to TLS_HARD in test_tls_ext_noca

Doc/

• Link to bytes mode from text-string arguments in the ldap module

Infrastructure:

• Include lber in list of libraries in setup.cfg

---

Released 3.0.0b4 2018-01-10

Changes since 3.0.0b3:

Removed support for Python 3.3, which reached its end-of-life 2017-09-29.

Lib/

• Make default argument values work under bytes_mode
• Update use of map() to use list/set comprehensions instead

Test/

• Refactor syncrepl tests to run with bytes_mode

Doc/

• Document all_records attribute of LDIFRecordList

---

Released 3.0.0b3 2017-12-20

Changes since 3.0.0b2:

The functions ldap.open(), ldap.init(), ldif.CreateLDIF()
and ldif.ParseLDIF(), which were deprecated for over a decade,
are scheduled for removal in python-ldap 3.1.

Infrastructure:

• Require setuptools to build
• Start running automatic tests on PyPy

Lib/

• When raising LDAPBytesWarning, give helpful code locations
• Use modern Python idioms in several places
• Avoid reimplementing UserDict.get() in cidict and models.Entry

Doc/

• Use https links

Test/

• Add reproducer for openldap's NSS shutdown/restart issue
• Make testing on non-Linux platforms easier

---

Released 3.0.0b2 2017-12-11

Changes since 3.0.0b1:

The module ldap.async is renamed to ldap.asyncsearch, due to
async becoming a keyword in Python 3.7.
The old module name is deprecated, but will be available as long
as Python 3.6 is supported.

Lib/

• Use custom ldap.LDAPBytesWarning class
• Rename ldap.async to ldap.asyncsearch

Modules/

• Support None for set_option(OPT_TIMEOUT) and OPT_NETWORK_TIMEOUT
• Fix error reporting of LDAPObject.set_option()
• Change memory handling in attrs_from_List()

Test/

• Remove workaround for OpenLDAP NSS issue

Demo/

• Use uniform shebang in all demos

Doc/

• Provide build deps for Alpine and CentOS
• Move sample workflow out of the main Contributing guide

Infrastructure:

• Add valgrind target to check for memory leaks
• Minimal configuration for pytest

---

Released 3.0.0b1 2017-12-04

Changes since 2.4.45:
(this list includes changes from 2.5.x)

New dependencies (automatically installed when using pip):

• pyasn1 0.3.7+
• pyasn1_modules 0.1.5+

Python 3 support and bytes_mode:

• merged from the pyldap fork (https://github.com/pyldap)
• please see documentation on bytes_mode and text/bytes handling:
  https://python-ldap.readthedocs.io/en/latest/bytes_mode.html

Removed support for Python 2.6.

Infrastructure:

• Move to Git
• Don't define search path for includes and libs in the default setup.cfg
• Include sasl/sasl.h from the standard path
• Re-format README to ReStructured Text
• Setup for automatic testing using Travis CI
• Add coverage reporting for Python and C
• Add install requires into setup.py
• Remove distclean.sh in favor of make clean
• Use package, depends, install_requires in setup.py
• Add make target for scan-build (static analysis using clang)
• Add make target and suppression file for Valgrind (memory checker)

Modules/

• Remove unused LDAPberval helper functions
• Fix type conversion in page control
• Fix multiple ref leaks in error-handling code
• Fix reference leak in result4
• Fix several compiler warnings
• Fix memory leak in whoami
• Fix internal error handling of LDAPControl_to_List()
• Fix two memory leaks and release GIL in encode_assertion_control
• Allow set_option() to set timeouts to infinity
  and, thanks to Michael Ströder:
• removed unused code schema.c
• moved code from version.c to ldapmodule.c
• removed obsolete back-ward compability constants from common.h
• build checks whether LDAP_API_VERSION is OpenLDAP 2.4.x
• _ldap.author and _ldap.license also set from ldap.pkginfo
• assume C extension API for Python 2.7+

Lib/

• Avoid eval() for getting module-level variables to fix running under pytest
• Compability changes for pyasn1 0.3 or newer
  and, thanks to Michael Ströder:
• ldap.version, ldap.author and ldap.license now
  imported from new sub-module ldap.pkginfo also to setup.py
• Added safety assertion when importing _ldap:
  ldap.pkginfo.version must match _ldap.version
• removed stand-alone module dsml
• slapdtest.SlapdObject.restart() just restarts slapd
  without cleaning any data
• The methods SSSResponseControl.decodeControlValue() and
  VLVResponseControl.decodeControlValue() now follow the coding
  convention to use camel-cased ASN.1 name as class attribute name.
  The old class names are still set for back-ward compability
  but should not be used in new code because they might be removed
  in a later release.
• removed SSSRequestControl from ldap.controls.KNOWN_RESPONSE_CONTROLS
• removed all dependencies on modules string and types
• removed use of .has_key()
• removed class ldap.ldapobject.NonblockingLDAPObject
• new global constant ldap.LIBLDAP_API_INFO
• right after importing _ldap there is a call into libldap to initialize it
• method .decodeControlValue() of SSSResponseControl and VLVResponseControl
  does not set class attribute result_code anymore
• always use bytes() for UUID() constructor in ldap.syncrepl
• module ldif now uses functions b64encode() and b64decode()
• fixed pickling and restoring of ReconnectLDAPObject

Lib/slapdtest

• Automatically try some common locations for SCHEMADIR
• Ensure server is stopped when the process exits
• Check for LDAP schema and slapd binaries
• slapdtest is now a package and includes testing certificates

Tests/

• Expand cidict membership test
• Add test suite for binds
• Add test suite for edits
• Add a smoke-check for listall() and attribute_types()
• Add test case for SASL EXTERNAL auth
• Add tests for start_tls
• In CI, treat compiler warnings as fatal errors
• Added tests for ldap.syncrepl
  and, thanks to Michael Ströder:
• added explicit reconnect tests for ReconnectLDAPObject
• scripts do not directly call SlapdTestCase.setUpClass() anymore
• added LDIF test with folded, base64-encoded attribute
• added more tests for sub-module ldap.dn

Doc/

• Build documentation without the compiled C extension
• Merge contents from python-ldap.org
• Move reference documentation in its own section
• Document return value of {modify,add,delete}_ext_s() as a tuple
• Add tests for documentation (build & spelling)
• Link to documentation of old versions
• Add a contributing guide

3.0.0b4

Released 3.0.0b4 2018-01-10

Changes since 3.0.0b3:

Removed support for Python 3.3, which reached its end-of-life 2017-09-29.

Lib/

• Make default argument values work under bytes_mode
• Update use of map() to use list/set comprehensions instead

Test/

• Refactor syncrepl tests to run with bytes_mode

Doc/

• Document all_records attribute of LDIFRecordList