ldap-ui 0.9.9__py3-none-any.whl → 0.9.11__py3-none-any.whl

ldap_ui/__init__.py

@@ -1 +1 @@
-__version__ = "0.9.9"
+__version__ = "0.9.11"

ldap_ui/app.py

@@ -13,9 +13,16 @@ import binascii
 import logging
 import sys
 from http import HTTPStatus
-from typing import AsyncGenerator, Optional
-
-import ldap
+from typing import Optional
+
+from ldap import (
+    INSUFFICIENT_ACCESS,  # pyright: ignore[reportAttributeAccessIssue]
+    INVALID_CREDENTIALS,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_BASE,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_SUBTREE,  # pyright: ignore[reportAttributeAccessIssue]
+    UNWILLING_TO_PERFORM,  # pyright: ignore[reportAttributeAccessIssue]
+    LDAPError,  # pyright: ignore[reportAttributeAccessIssue]
+)
 from ldap.ldapobject import LDAPObject
 from pydantic import ValidationError
 from starlette.applications import Starlette
@@ -28,7 +35,7 @@ from starlette.authentication import (
 from starlette.exceptions import HTTPException
 from starlette.middleware import Middleware
 from starlette.middleware.authentication import AuthenticationMiddleware
-from starlette.middleware.base import BaseHTTPMiddleware
+from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
 from starlette.middleware.gzip import GZipMiddleware
 from starlette.requests import HTTPConnection, Request
 from starlette.responses import Response
@@ -37,15 +44,42 @@ from starlette.staticfiles import StaticFiles
 
 from . import settings
 from .ldap_api import api
-from .ldap_helpers import empty, ldap_connect, unique
+from .ldap_helpers import WITH_OPERATIONAL_ATTRS, empty, ldap_connect, unique
 
 LOG = logging.getLogger("ldap-ui")
 
+
+def ldap_exception_message(exc: LDAPError) -> str:
+    args = exc.args[0]
+    if "info" in args:
+        return args.get("info", "") + ": " + args.get("desc", "")
+    return args.get("desc", "")
+
+
+if not settings.BASE_DN or not settings.SCHEMA_DN:
+    # Try auto-detection from root DSE
+    try:
+        with ldap_connect() as connection:
+            _dn, attrs = connection.search_s(  # pyright: ignore[reportAssignmentType, reportOptionalSubscript]
+                "", SCOPE_BASE, attrlist=WITH_OPERATIONAL_ATTRS
+            )[0]
+            base_dns = attrs.get("namingContexts", [])
+            if len(base_dns) == 1:
+                settings.BASE_DN = settings.BASE_DN or base_dns[0].decode()
+            else:
+                LOG.warning("No unique base DN: %s", base_dns)
+            schema_dns = attrs.get("subschemaSubentry", [])
+            settings.SCHEMA_DN = settings.SCHEMA_DN or schema_dns[0].decode()
+    except LDAPError as err:
+        LOG.error(ldap_exception_message(err), exc_info=err)
+
 if not settings.BASE_DN:
     LOG.critical("An LDAP base DN is required!")
     sys.exit(1)
 
-LOG.debug("Base DN: %s", settings.BASE_DN)
+if not settings.SCHEMA_DN:
+    LOG.critical("An LDAP schema DN is required!")
+    sys.exit(1)
 
 
 async def anonymous_user_search(connection: LDAPObject, username: str) -> Optional[str]:
@@ -55,7 +89,7 @@ async def anonymous_user_search(connection: LDAPObject, username: str) -> Option
             connection,
             connection.search(
                 settings.BASE_DN,
-                ldap.SCOPE_SUBTREE,
+                SCOPE_SUBTREE,
                 settings.GET_BIND_DN_FILTER(username),
             ),
         )
@@ -67,7 +101,7 @@ async def anonymous_user_search(connection: LDAPObject, username: str) -> Option
 
 class LdapConnectionMiddleware(BaseHTTPMiddleware):
     async def dispatch(
-        self, request: Request, call_next: AsyncGenerator[Request, Response]
+        self, request: Request, call_next: RequestResponseEndpoint
     ) -> Response:
         "Add an authenticated LDAP connection to the request"
 
@@ -93,23 +127,23 @@ class LdapConnectionMiddleware(BaseHTTPMiddleware):
                     request.state.ldap = connection
                     return await call_next(request)
 
-        except ldap.INVALID_CREDENTIALS:
+        except INVALID_CREDENTIALS:
             pass
 
-        except ldap.INSUFFICIENT_ACCESS as err:
+        except INSUFFICIENT_ACCESS as err:
             return Response(
                 ldap_exception_message(err),
                 status_code=HTTPStatus.FORBIDDEN.value,
             )
 
-        except ldap.UNWILLING_TO_PERFORM:
+        except UNWILLING_TO_PERFORM:
             LOG.warning("Need BIND_DN or BIND_PATTERN to authenticate")
             return Response(
                 HTTPStatus.FORBIDDEN.phrase,
                 status_code=HTTPStatus.FORBIDDEN.value,
             )
 
-        except ldap.LDAPError as err:
+        except LDAPError as err:
             LOG.error(ldap_exception_message(err), exc_info=err)
             return Response(
                 ldap_exception_message(err),
@@ -126,13 +160,6 @@ class LdapConnectionMiddleware(BaseHTTPMiddleware):
         )
 
 
-def ldap_exception_message(exc: ldap.LDAPError) -> str:
-    args = exc.args[0]
-    if "info" in args:
-        return args.get("info", "") + ": " + args.get("desc", "")
-    return args.get("desc", "")
-
-
 class LdapUser(SimpleUser):
     "LDAP credentials"
 
@@ -166,7 +193,7 @@ class CacheBustingMiddleware(BaseHTTPMiddleware):
     "Forbid caching of API responses"
 
     async def dispatch(
-        self, request: Request, call_next: AsyncGenerator[Request, Response]
+        self, request: Request, call_next: RequestResponseEndpoint
     ) -> Response:
         response = await call_next(request)
         if request.url.path.startswith("/api"):
@@ -195,7 +222,7 @@ async def http_422(_request: Request, e: ValidationError) -> Response:
 # Main ASGI entry
 app = Starlette(
     debug=settings.DEBUG,
-    exception_handlers={
+    exception_handlers={  # pyright: ignore[reportArgumentType]
         HTTPException: http_exception,
         ValidationError: http_422,
     },

ldap_ui/ldap_api.py

@@ -10,10 +10,15 @@ Asynchronous LDAP operations are used as much as possible.
 import base64
 import io
 from http import HTTPStatus
-from typing import Any, Optional, Tuple, Union
+from typing import Any, Optional, Tuple, Union, cast
 
-import ldap
 import ldif
+from ldap import (
+    INVALID_CREDENTIALS,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_BASE,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_ONELEVEL,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_SUBTREE,  # pyright: ignore[reportAttributeAccessIssue]
+)
 from ldap.ldapobject import LDAPObject
 from ldap.modlist import addModlist, modifyModlist
 from ldap.schema import SubSchema
@@ -60,34 +65,59 @@ async def whoami(request: Request) -> JSONResponse:
     return JSONResponse(request.state.ldap.whoami_s().replace("dn:", ""))
 
 
+class TreeItem(BaseModel):
+    dn: str
+    structuralObjectClass: str
+    hasSubordinates: bool
+    level: int
+
+
 @api.route("/tree/{basedn}")
 async def tree(request: Request) -> JSONResponse:
     "List directory entries"
 
     basedn = request.path_params["basedn"]
-    scope = ldap.SCOPE_ONELEVEL
+    base_level = len(basedn.split(","))
+    scope = SCOPE_ONELEVEL
     if basedn == "base":
-        scope = ldap.SCOPE_BASE
+        scope = SCOPE_BASE
         basedn = settings.BASE_DN
 
-    return JSONResponse(await _tree(request, basedn, scope))
-
+    connection = request.state.ldap
+    entries = result(
+        connection, connection.search(basedn, scope, attrlist=WITH_OPERATIONAL_ATTRS)
+    )
+    return JSONResponse(
+        [
+            _tree_item(dn, attrs, base_level, request.app.state.schema).model_dump()
+            async for dn, attrs in entries
+        ]
+    )
 
-async def _tree(request: Request, basedn: str, scope: int) -> list[dict[str, Any]]:
-    "Get all nodes below a DN (including the DN) within the given scope"
 
-    connection = request.state.ldap
-    return [
-        {
-            "dn": dn,
-            "structuralObjectClass": attrs["structuralObjectClass"][0].decode(),
-            "hasSubordinates": b"TRUE" == attrs["hasSubordinates"][0],
-        }
-        async for dn, attrs in result(
-            connection,
-            connection.search(basedn, scope, attrlist=WITH_OPERATIONAL_ATTRS),
+def _tree_item(
+    dn: str, attrs: dict[str, Any], level: int, schema: SubSchema
+) -> TreeItem:
+    structuralObjectClass = next(
+        iter(
+            filter(
+                lambda oc: oc.kind == OC.Kind.structural.value,  # pyright: ignore[reportOptionalMemberAccess]
+                map(
+                    lambda o: schema.get_obj(ObjectClass, o.decode()),
+                    attrs["objectClass"],
+                ),
+            )
         )
-    ]
+    )
+
+    return TreeItem(
+        dn=dn,
+        structuralObjectClass=structuralObjectClass.names[0],
+        hasSubordinates=attrs["hasSubordinates"][0] == b"TRUE"
+        if "hasSubordinates" in attrs
+        else bool(attrs.get("numSubordinates")),
+        level=len(dn.split(",")) - level,
+    )
 
 
 class Meta(BaseModel):
@@ -110,12 +140,12 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> Entry:
     ocs = set([oc.decode() for oc in attrs["objectClass"]])
     must_attrs, _may_attrs = schema.attribute_types(ocs)
     soc = [
-        oc.names[0]
+        oc.names[0]  # pyright: ignore[reportOptionalMemberAccess]
         for oc in map(lambda o: schema.get_obj(ObjectClass, o), ocs)
-        if oc.kind == OC.Kind.structural.value
+        if oc.kind == OC.Kind.structural.value  # pyright: ignore[reportOptionalMemberAccess]
     ]
     aux = set(
-        schema.get_obj(ObjectClass, a).names[0]
+        schema.get_obj(ObjectClass, a).names[0]  # pyright: ignore[reportOptionalMemberAccess]
         for a in schema.get_applicable_aux_classes(soc[0])
     )
 
@@ -130,7 +160,7 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> Entry:
 
         # Octet strings are not used consistently.
         # Try to decode as text and treat as binary on failure
-        if not obj.syntax or obj.syntax == OCTET_STRING:
+        if not obj.syntax or obj.syntax == OCTET_STRING:  # pyright: ignore[reportOptionalMemberAccess]
             try:
                 for val in attrs[attr]:
                     assert val.decode().isprintable()
@@ -138,18 +168,20 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> Entry:
                 binary.add(attr)
 
         else:  # Check human-readable flag in schema
-            syntax = schema.get_obj(LDAPSyntax, obj.syntax)
-            if syntax.not_human_readable:
+            syntax = schema.get_obj(LDAPSyntax, obj.syntax)  # pyright: ignore[reportOptionalMemberAccess]
+            if syntax.not_human_readable:  # pyright: ignore[reportOptionalMemberAccess]
                 binary.add(attr)
 
     return Entry(
         attrs={
-            k: [base64.b64encode(val) if k in binary else val for val in values]
+            k: [
+                base64.b64encode(val).decode() if k in binary else val for val in values
+            ]
             for k, values in attrs.items()
         },
         meta=Meta(
             dn=dn,
-            required=[schema.get_obj(AttributeType, a).names[0] for a in must_attrs],
+            required=[schema.get_obj(AttributeType, a).names[0] for a in must_attrs],  # pyright: ignore[reportOptionalMemberAccess]
             aux=sorted(aux - ocs),
             binary=sorted(binary),
             autoFilled=[],
@@ -160,7 +192,7 @@ def _entry(schema: SubSchema, res: Tuple[str, Any]) -> Entry:
 Attributes = TypeAdapter(dict[str, list[bytes]])
 
 
-@api.route("/entry/{dn}", methods=("GET", "POST", "DELETE", "PUT"))
+@api.route("/entry/{dn}", methods=["GET", "POST", "DELETE", "PUT"])
 async def entry(request: Request) -> Response:
     "Edit directory entries"
 
@@ -175,10 +207,18 @@ async def entry(request: Request) -> Response:
         )
 
     if request.method == "DELETE":
-        for entry in reversed(
-            sorted(await _tree(request, dn, ldap.SCOPE_SUBTREE), key=_dn_order)
+        for entry_dn in sorted(
+            [
+                dn
+                async for dn, _attrs in result(
+                    connection,
+                    connection.search(dn, SCOPE_SUBTREE),
+                )
+            ],
+            key=len,
+            reverse=True,
         ):
-            await empty(connection, connection.delete(entry["dn"]))
+            await empty(connection, connection.delete(entry_dn))
         return NO_CONTENT
 
     # Copy JSON payload into a dictionary of non-empty byte strings
@@ -206,8 +246,10 @@ async def entry(request: Request) -> Response:
             await empty(connection, connection.add(dn, modlist))
         return JSONResponse({"changed": ["dn"]})  # Dummy
 
+    raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED)
 
-@api.route("/blob/{attr}/{index:int}/{dn}", methods=("GET", "DELETE", "PUT"))
+
+@api.route("/blob/{attr}/{index:int}/{dn}", methods=["GET", "DELETE", "PUT"])
 async def blob(request: Request) -> Response:
     "Handle binary attributes"
 
@@ -236,16 +278,16 @@ async def blob(request: Request) -> Response:
         async with request.form() as form_data:
             blob = form_data["blob"]
             if type(blob) is UploadFile:
-                data = await blob.read(blob.size)
+                data = await blob.read(cast(int, blob.size))
                 if attr in attrs:
                     await empty(
                         connection,
                         connection.modify(
-                            dn, [(1, attr, None), (0, attr, data + attrs[attr])]
+                            dn, [(1, attr, None), (0, attr, attrs[attr] + [data])]
                         ),
                     )
                 else:
-                    await empty(connection, connection.modify(dn, [(0, attr, data)]))
+                    await empty(connection, connection.modify(dn, [(0, attr, [data])]))
         return NO_CONTENT
 
     if request.method == "DELETE":
@@ -259,6 +301,8 @@ async def blob(request: Request) -> Response:
             await empty(connection, connection.modify(dn, [(0, attr, data)]))
         return NO_CONTENT
 
+    raise HTTPException(HTTPStatus.METHOD_NOT_ALLOWED)
+
 
 @api.route("/ldif/{dn}")
 async def ldifDump(request: Request) -> PlainTextResponse:
@@ -269,9 +313,7 @@ async def ldifDump(request: Request) -> PlainTextResponse:
     writer = ldif.LDIFWriter(out)
     connection = request.state.ldap
 
-    async for dn, attrs in result(
-        connection, connection.search(dn, ldap.SCOPE_SUBTREE)
-    ):
+    async for dn, attrs in result(connection, connection.search(dn, SCOPE_SUBTREE)):
         writer.unparse(dn, attrs)
 
     file_name = dn.split(",")[0].split("=")[1]
@@ -282,7 +324,7 @@ async def ldifDump(request: Request) -> PlainTextResponse:
 
 
 class LDIFReader(ldif.LDIFParser):
-    def __init__(self, input: str, con: LDAPObject):
+    def __init__(self, input: bytes, con: LDAPObject):
         ldif.LDIFParser.__init__(self, io.BytesIO(input))
         self.count = 0
         self.con = con
@@ -292,7 +334,7 @@ class LDIFReader(ldif.LDIFParser):
         self.count += 1
 
 
-@api.route("/ldif", methods=("POST",))
+@api.route("/ldif", methods=["POST"])
 async def ldifUpload(
     request: Request,
 ) -> Response:
@@ -309,8 +351,8 @@ async def ldifUpload(
 Rdn = TypeAdapter(str)
 
 
-@api.route("/rename/{dn}", methods=("POST",))
-async def rename(request: Request) -> JSONResponse:
+@api.route("/rename/{dn}", methods=["POST"])
+async def rename(request: Request) -> Response:
     "Rename an entry"
 
     dn = request.path_params["dn"]
@@ -332,8 +374,8 @@ class CheckPasswordRequest(BaseModel):
 PasswordRequest = TypeAdapter(Union[ChangePasswordRequest, CheckPasswordRequest])
 
 
-@api.route("/entry/password/{dn}", methods=("POST",))
-async def passwd(request: Request) -> JSONResponse:
+@api.route("/entry/password/{dn}", methods=["POST"])
+async def passwd(request: Request) -> Response:
     "Update passwords"
 
     dn = request.path_params["dn"]
@@ -344,10 +386,10 @@ async def passwd(request: Request) -> JSONResponse:
             try:
                 con.simple_bind_s(dn, args.check)
                 return JSONResponse(True)
-            except ldap.INVALID_CREDENTIALS:
+            except INVALID_CREDENTIALS:
                 return JSONResponse(False)
 
-    else:
+    elif type(args) is ChangePasswordRequest:
         connection = request.state.ldap
         if args.new1:
             await empty(
@@ -359,7 +401,9 @@ async def passwd(request: Request) -> JSONResponse:
 
         else:
             await empty(connection, connection.modify(dn, [(1, "userPassword", None)]))
-            return JSONResponse(None)
+            return NO_CONTENT
+
+    raise HTTPException(HTTPStatus.UNPROCESSABLE_ENTITY)
 
 
 def _cn(entry: dict) -> Optional[str]:
@@ -386,7 +430,7 @@ async def search(request: Request) -> JSONResponse:
     res = []
     connection = request.state.ldap
     async for dn, attrs in result(
-        connection, connection.search(settings.BASE_DN, ldap.SCOPE_SUBTREE, query)
+        connection, connection.search(settings.BASE_DN, SCOPE_SUBTREE, query)
     ):
         res.append({"dn": dn, "name": _cn(attrs) or dn})
         if len(res) >= settings.SEARCH_MAX:
@@ -394,23 +438,26 @@ async def search(request: Request) -> JSONResponse:
     return JSONResponse(res)
 
 
-def _dn_order(node):
-    "Reverse DN parts for tree ordering"
-    return tuple(reversed(node["dn"].lower().split(",")))
-
-
 @api.route("/subtree/{dn}")
 async def subtree(request: Request) -> JSONResponse:
     "List the subtree below a DN"
 
-    dn = request.path_params["dn"]
-    result, start = [], len(dn.split(","))
-    for node in sorted(await _tree(request, dn, ldap.SCOPE_SUBTREE), key=_dn_order):
-        if node["dn"] == dn:
-            continue
-        node["level"] = len(node["dn"].split(",")) - start
-        result.append(node)
-    return JSONResponse(result)
+    root_dn = request.path_params["dn"]
+    start = len(root_dn.split(","))
+    connection = request.state.ldap
+    return JSONResponse(
+        sorted(
+            [
+                _tree_item(dn, attrs, start, request.app.state.schema).model_dump()
+                async for dn, attrs in result(
+                    connection,
+                    connection.search(root_dn, SCOPE_SUBTREE),
+                )
+                if root_dn != dn
+            ],
+            key=lambda item: tuple(reversed(item["dn"].lower().split(","))),
+        )
+    )
 
 
 @api.route("/range/{attribute}")
@@ -428,7 +475,7 @@ async def attribute_range(request: Request) -> JSONResponse:
                 connection,
                 connection.search(
                     settings.BASE_DN,
-                    ldap.SCOPE_SUBTREE,
+                    SCOPE_SUBTREE,
                     f"({attribute}=*)",
                     attrlist=(attribute,),
                 ),
@@ -462,7 +509,7 @@ async def json_schema(request: Request) -> JSONResponse:
             connection,
             connection.search(
                 settings.SCHEMA_DN,
-                ldap.SCOPE_BASE,
+                SCOPE_BASE,
                 attrlist=WITH_OPERATIONAL_ATTRS,
             ),
         )

ldap_ui/ldap_helpers.py

@@ -14,8 +14,16 @@ import contextlib
 from http import HTTPStatus
 from typing import AsyncGenerator, Generator, Tuple
 
-import ldap
 from anyio import sleep
+from ldap import (
+    NO_SUCH_OBJECT,  # pyright: ignore[reportAttributeAccessIssue]
+    OPT_X_TLS_DEMAND,  # pyright: ignore[reportAttributeAccessIssue]
+    OPT_X_TLS_NEVER,  # pyright: ignore[reportAttributeAccessIssue]
+    OPT_X_TLS_NEWCTX,  # pyright: ignore[reportAttributeAccessIssue]
+    OPT_X_TLS_REQUIRE_CERT,  # pyright: ignore[reportAttributeAccessIssue]
+    SCOPE_BASE,  # pyright: ignore[reportAttributeAccessIssue]
+    initialize,
+)
 from ldap.ldapobject import LDAPObject
 from starlette.exceptions import HTTPException
 
@@ -40,17 +48,15 @@ def ldap_connect() -> Generator[LDAPObject, None, None]:
     "Open an LDAP connection"
 
     url = settings.LDAP_URL
-    connection = ldap.initialize(url)
+    connection = initialize(url)
 
     # #43 TLS, see https://stackoverflow.com/a/8795694
     if settings.USE_TLS or settings.INSECURE_TLS:
-        cert_level = (
-            ldap.OPT_X_TLS_NEVER if settings.INSECURE_TLS else ldap.OPT_X_TLS_DEMAND
-        )
+        cert_level = OPT_X_TLS_NEVER if settings.INSECURE_TLS else OPT_X_TLS_DEMAND
 
-        connection.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, cert_level)
+        connection.set_option(OPT_X_TLS_REQUIRE_CERT, cert_level)
         # See https://stackoverflow.com/a/38136255
-        connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+        connection.set_option(OPT_X_TLS_NEWCTX, 0)
         if not url.startswith("ldaps://"):
             connection.start_tls_s()
     yield connection
@@ -59,7 +65,7 @@ def ldap_connect() -> Generator[LDAPObject, None, None]:
 
 async def result(
     connection: LDAPObject, msgid: int
-) -> AsyncGenerator[Tuple[str, dict[str, list[bytes]]], None]:
+) -> AsyncGenerator[tuple[str, dict[str, list[bytes]]], None]:
     "Stream LDAP result entries without blocking other tasks"
 
     while True:
@@ -69,7 +75,7 @@ async def result(
         elif r_data == []:  # Operation completed
             break
         else:
-            yield r_data[0]
+            yield r_data[0]  # pyright: ignore[reportOptionalSubscript, reportReturnType]
 
 
 async def unique(
@@ -111,6 +117,6 @@ async def get_entry_by_dn(
     "Asynchronously retrieve an LDAP entry by its DN"
 
     try:
-        return await unique(connection, connection.search(dn, ldap.SCOPE_BASE))
-    except ldap.NO_SUCH_OBJECT:
+        return await unique(connection, connection.search(dn, SCOPE_BASE))
+    except NO_SUCH_OBJECT:
         raise HTTPException(HTTPStatus.NOT_FOUND.value, f"DN not found: {dn}")

ldap_ui/schema.py

@@ -7,17 +7,17 @@ to the user.
 """
 
 from enum import IntEnum
-from typing import Generator, Optional, Type, TypeVar, Union
+from typing import Generator, Optional, TypeVar, Union, cast
 
 from ldap.schema import SubSchema
-from ldap.schema.models import AttributeType, SchemaElement
+from ldap.schema.models import AttributeType
 from ldap.schema.models import LDAPSyntax as LDAPSyntaxType
 from ldap.schema.models import ObjectClass as ObjectClassType
 from pydantic import BaseModel, Field, field_serializer
 
 __all__ = ("frontend_schema", "Attribute", "ObjectClass")
 
-T = TypeVar("T", bound=SchemaElement)
+T = TypeVar("T")
 
 
 class Element(BaseModel):
@@ -90,14 +90,14 @@ def lowercase_dict(attr: str, items: list[T]) -> dict[str, T]:
 
 
 def extract_type(
-    sub_schema: SubSchema, schema_class: Type[T]
+    sub_schema: SubSchema, schema_class: type[T]
 ) -> Generator[T, None, None]:
     "Get non-obsolete objects from the schema for a type"
 
     for oid in sub_schema.listall(schema_class):
         obj = sub_schema.get_obj(schema_class, oid)
-        if schema_class is LDAPSyntaxType or not obj.obsolete:
-            yield obj
+        if schema_class is LDAPSyntaxType or not obj.obsolete:  # pyright: ignore[reportOptionalMemberAccess]
+            yield cast(T, obj)
 
 
 class Schema(BaseModel):

ldap_ui/settings.py

@@ -14,7 +14,20 @@ SECRET_KEY = os.urandom(16)
 # LDAP settings
 #
 LDAP_URL = config("LDAP_URL", default="ldap:///")
-BASE_DN = config("BASE_DN", default=None)  # Required
+
+# Directory base DN.
+# If unset, auto-detection from the root DSE is attempted.
+# This works under the following conditions:
+# - The root DSE is readable with anonymous binding
+# - `namingContexts` contains exactly one entry
+# Otherwise, manual configuration is required.
+BASE_DN = config("BASE_DN", default=None)
+
+# DN to obtain the directory schema.
+# If unset, auto-detection from the root DSE is attempted.
+# This works if root DSE is readable with anonymous binding.
+# Otherwise, manual configuration is required.
+SCHEMA_DN = config("SCHEMA_DN", default=None)
 
 USE_TLS = config(
     "USE_TLS",
@@ -29,11 +42,6 @@ INSECURE_TLS = config(
     default=False,
 )
 
-# OpenLdap default DN to obtain the schema.
-# Change as needed for other directories.
-SCHEMA_DN = config("SCHEMA_DN", default="cn=subschema")
-
-
 #
 # Binding
 #

{ldap_ui-0.9.9.dist-info → ldap_ui-0.9.11.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: ldap-ui
-Version: 0.9.9
+Version: 0.9.11
 Summary: A fast and versatile LDAP editor
 Author: dnknth
 License: MIT License
@@ -44,14 +44,22 @@ The app always requires authentication, even if the directory permits anonymous
 
 ### Environment variables
 
-LDAP access is controlled by these environment variables, possibly from a `.env` file:
+LDAP access is controlled by the following optional environment variables, possibly from a `.env` file:
 
-* `LDAP_URL` (optional): Connection URL, defaults to `ldap:///`.
-* `BASE_DN` (required): Search base, e.g. `dc=example,dc=org`.
-* `LOGIN_ATTR` (optional): User name attribute, defaults to `uid`.
+* `LDAP_URL`: Connection URL, defaults to `ldap:///`.
+* `BASE_DN`: Search base, e.g. `dc=example,dc=org`.
+* `SCHEMA_DN`: # DN to obtain the directory schema, e.g. `cn=subSchema`.
+* `LOGIN_ATTR`: User name attribute, defaults to `uid`.
 
-* `USE_TLS` (optional): Enable TLS, defaults to true for `ldaps` connections. Set it to a non-empty string to force `STARTTLS` on `ldap` connections.
-* `INSECURE_TLS` (optional): Do not require a valid server TLS certificate, defaults to false, implies `USE_TLS`.
+* `USE_TLS`: Enable TLS, defaults to true for `ldaps` connections. Set it to a non-empty string to force `STARTTLS` on `ldap` connections.
+* `INSECURE_TLS`: Do not require a valid server TLS certificate, defaults to false, implies `USE_TLS`.
+
+if `BASE_DN` or `SCHEMA_DN` are not provided explicitly, auto-detection from the root DSE is attempted.
+For this to work, the root DSE must be readable anonymously, e.g. with the following ACL line for OpenLDAP:
+
+```text
+access to dn.base="" by * read
+```
 
 For finer-grained control, see [settings.py](settings.py).
 
@@ -61,8 +69,7 @@ For the impatient: Run it with
 
 ```shell
 docker run -p 127.0.0.1:5000:5000 \
-    -e LDAP_URL=ldap://your.ldap.server/ \
-    -e BASE_DN=dc=example,dc=org dnknth/ldap-ui
+    -e LDAP_URL=ldap://your.openldap.server/
 ```
 
 For the even more impatient: Start a demo with
@@ -143,7 +150,8 @@ Additionally, arbitrary attributes can be searched with an LDAP filter specifica
 
 ### Caveats
 
-* The software works with [OpenLdap](http://www.openldap.org) using simple bind. Other directories have not been tested, and SASL authentication schemes are presently not supported.
+* The software works with [OpenLdap](http://www.openldap.org) using simple bind. Other directories have not been tested much, although [389 DS](https://www.port389.org) works to some extent.
+* SASL authentication schemes are presently not supported.
 * Passwords are transmitted as plain text. The LDAP server is expected to hash them (OpenLdap 2.4 does). I strongly recommend to expose the app through a TLS-enabled web server.
 * HTTP *Basic Authentication* is triggered unless the `AUTHORIZATION` request variable is already set by some upstream HTTP server.
 

{ldap_ui-0.9.9.dist-info → ldap_ui-0.9.11.dist-info}/RECORD

@@ -1,10 +1,10 @@
-ldap_ui/__init__.py,sha256=nhsA3KKA-CXSYpbzuChuLyxpDepY_-JffnUNClcYEaU,22
+ldap_ui/__init__.py,sha256=hCWvJmnndbpxCyOQ7z-g5qleaxwixXNqkmkxuORqf1I,23
 ldap_ui/__main__.py,sha256=s2jFbC2y2LpvcTY8yXOFVisKXSFG079hc9IVgrJ49vY,1849
-ldap_ui/app.py,sha256=wmsRa2Ufzhb7BEVWoavh6rv5NTyOBegDE4n8NAG02SQ,6859
-ldap_ui/ldap_api.py,sha256=tGFC8wWnnfpwYiP560K5cGElzEm5mgDmrVg_YDPIT08,14206
-ldap_ui/ldap_helpers.py,sha256=KTgvwKH8ZNiO1Ccy8TVt8Rr9Q8D2ft334wQJMfBj6Ek,3236
-ldap_ui/schema.py,sha256=gdfqIpRRgMj4CtrqFrzQcmfduJOyceOWqLD58dGFezE,4495
-ldap_ui/settings.py,sha256=wvAvxhULIDAocpwVqHutSDsEtNxcg_uazuzIpgBY5-A,2476
+ldap_ui/app.py,sha256=eLRed3iVyrE56CeYBmE0nW09LKh_3Ztc1_ZON37dv8Q,8161
+ldap_ui/ldap_api.py,sha256=j8llIyXkd51g-MDHtN-9XyUvVS8Z_wvQb9Z7uTMyoNU,15897
+ldap_ui/ldap_helpers.py,sha256=1Sq2hwndwzETb3cPpCoHBF8r-JmAaWh87-Pl2inZRy8,3675
+ldap_ui/schema.py,sha256=LNIHTlkcJYPdtZ0RZ9a_-KejVGWCGuMwtDDD8tSaprY,4515
+ldap_ui/settings.py,sha256=UjCB24epLLUF0ECLb5MulfHPNGjEG57ZS2HXVFJ_k3Y,2844
 ldap_ui/statics/favicon.ico,sha256=_PMMM_C1ER5cpJTXZcRgISR4igj44kA4u8Trl-Ko3L0,4286
 ldap_ui/statics/index.html,sha256=_QF-25WH6wEK2MfhAmccRRlzpbk8btozMhhct9ro-do,827
 ldap_ui/statics/assets/fontawesome-webfont-B-jkhYfk.woff2,sha256=Kt78vAQefRj88tQXh53FoJmXqmTWdbejxLbOM9oT8_4,77160
@@ -16,9 +16,9 @@ ldap_ui/statics/assets/index-BOlMrt1N.js,sha256=GpM_tl2FLHwau7eFtlh82sN3x_YhjemR
 ldap_ui/statics/assets/index-BOlMrt1N.js.gz,sha256=8LOcgG-YTp4c0kCIw9QzQzM59a_PlRy7eBOhTnHsmvY,43711
 ldap_ui/statics/assets/index-Cw9TEv0d.css,sha256=sa0JhzpsjJhP3Bi2nJpG6Shn3yKI9hl_7I9kVY5E3Zs,48119
 ldap_ui/statics/assets/index-Cw9TEv0d.css.gz,sha256=qE_XQEa7HH54vGvQR78l5eeTcXVWmiqU_d7Go80X_S0,11533
-ldap_ui-0.9.9.dist-info/LICENSE.txt,sha256=UpJ0sDIqHxbOtzy1EG4bCHs9R_99ODxxPDK4NZ0g3I0,1042
-ldap_ui-0.9.9.dist-info/METADATA,sha256=vtXeS4unz0_7g5HFyhuhhefAghVkeZEbhepBekUOD6U,7557
-ldap_ui-0.9.9.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
-ldap_ui-0.9.9.dist-info/entry_points.txt,sha256=TGxMkXYeZP5m5NjZxWmgzITYWhSdj2mR_GGUYmHhGws,50
-ldap_ui-0.9.9.dist-info/top_level.txt,sha256=t9Agyig1nDdJuQvx_UVuk1n28pgswc1BIYw8E6pWado,8
-ldap_ui-0.9.9.dist-info/RECORD,,
+ldap_ui-0.9.11.dist-info/LICENSE.txt,sha256=UpJ0sDIqHxbOtzy1EG4bCHs9R_99ODxxPDK4NZ0g3I0,1042
+ldap_ui-0.9.11.dist-info/METADATA,sha256=iCnt7S7SOTENEPXYzIG5zlU_LjQP503DIHhzV31EFvQ,7872
+ldap_ui-0.9.11.dist-info/WHEEL,sha256=PZUExdf71Ui_so67QXpySuHtCi3-J3wvF4ORK6k_S8U,91
+ldap_ui-0.9.11.dist-info/entry_points.txt,sha256=TGxMkXYeZP5m5NjZxWmgzITYWhSdj2mR_GGUYmHhGws,50
+ldap_ui-0.9.11.dist-info/top_level.txt,sha256=t9Agyig1nDdJuQvx_UVuk1n28pgswc1BIYw8E6pWado,8
+ldap_ui-0.9.11.dist-info/RECORD,,