ldap.dn
LDAP Distinguished Name handling
See also
For LDAPv3 DN syntax see:
RFC 4514 - Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names
See also
For deprecated LDAPv2 DN syntax (obsoleted by LDAPv3) see:
RFC 1779 - A String Representation of Distinguished Names
The ldap.dn module defines the following functions:
ldap.dn.escape_dn_chars(s) → string
This function escapes characters in string s which are special in LDAP distinguished names. You should use this function when building LDAP DN strings from arbitrary input.
ldap.dn.str2dn(s[, flags=0]) → list
This function takes s and breaks it up into its component parts down to AVA level. The optional parameter flags describes the DN format of s (see DN format flags). Note that hex-encoded non-ASCII chars are decoded to the raw bytes.
Internally this function is implemented by calling OpenLDAP C function ldap_str2dn(3).
ldap.dn.dn2str(dn) → string
This function takes a decomposed DN in dn and returns a single string. It's the inverse to str2dn(). Special characters are escaped with the help of function escape_dn_chars().
ldap.dn.explode_dn(dn[, notypes=False[, flags=0]]) → list
This function takes dn and breaks it up into its component parts. Each part is known as an RDN (Relative Distinguished Name). The optional notypes parameter is used to specify that only the RDN values be returned and not their types. The optional parameter flags describes the DN format of dn (see DN format flags). This function is emulated by function str2dn() since the function ldap_explode_dn() in the C library is deprecated.
ldap.dn.explode_rdn(rdn[, notypes=False[, flags=0]]) → list
This function takes a (multi-valued) rdn and breaks it up into a list of characteristic attributes. The optional notypes parameter is used to specify that only the RDN values be returned and not their types. The optional flags parameter describes the DN format of rdn (see DN format flags). This function is emulated by function str2dn() since the function ldap_explode_rdn() in the C library is deprecated.
ldap.dn.is_dn(dn[, flags=0]) → boolean
This function checks whether dn is a valid LDAP distinguished name by passing it to function str2dn().
Examples
Splitting an LDAPv3 DN to AVA level. Note that both examples have the same result, but in the first example the non-ASCII chars are passed as is (byte buffer string), whereas in the second example the hex-encoded DN representation is passed to the function.
>>> ldap.dn.str2dn('cn=Michael Str\xc3\xb6der,dc=example,dc=com',flags=ldap.DN_FORMAT_LDAPV3)
[[('cn', 'Michael Str\xc3\xb6der', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]]
>>> ldap.dn.str2dn('cn=Michael Str\\C3\\B6der,dc=example,dc=com',flags=ldap.DN_FORMAT_LDAPV3)
[[('cn', 'Michael Str\xc3\xb6der', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]]
Splitting an LDAPv2 DN into RDN parts:
>>> ldap.dn.explode_dn('cn=John Doe;dc=example;dc=com',flags=ldap.DN_FORMAT_LDAPV2)
['cn=John Doe', 'dc=example', 'dc=com']
Splitting a multi-valued RDN:
>>> ldap.dn.explode_rdn('cn=John Doe+mail=john.doe@example.com',flags=ldap.DN_FORMAT_LDAPV2)
['cn=John Doe', 'mail=john.doe@example.com']
Splitting an LDAPv3 DN with a multi-valued RDN into its AVA parts:
>>> ldap.dn.str2dn('cn=John Doe+mail=john.doe@example.com,dc=example,dc=com')
[[('cn', 'John Doe', 1), ('mail', 'john.doe@example.com', 1)], [('dc', 'example', 1)], [('dc', 'com', 1)]]
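Why escape_dn_chars() matters when a DN is built from arbitrary input, shown as an added illustration that is not part of the python-ldap documentation or code. rfc4514_escape() and split_rdns() are hypothetical stand-alone helpers that follow the RFC 4514 section 2.4 escaping rules so the snippet runs without the library; the base DN and the input value are constructed.

```python
# Added example: stand-alone sketch of RFC 4514 section 2.4 value escaping.
# rfc4514_escape() and split_rdns() are hypothetical helpers, not python-ldap code.

SPECIALS = '"+,;<>\\'


def rfc4514_escape(value):
    """Escape an attribute value for use inside a DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')              # NUL is written as a hex pair
        elif ch in SPECIALS:
            out.append('\\' + ch)
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')               # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')               # a leading '#' would mark a hex string
        else:
            out.append(ch)
    return ''.join(out)


def split_rdns(dn):
    """Split a DN string on unescaped commas (the LDAPv3 RDN separator)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == ',':
            parts.append(''.join(current))
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current))
    return parts


BASE = 'ou=people,dc=example,dc=com'        # constructed sample base DN
user_input = 'jdoe,ou=admins'               # constructed untrusted value

naive_dn = 'cn=' + user_input + ',' + BASE
safe_dn = 'cn=' + rfc4514_escape(user_input) + ',' + BASE

if __name__ == '__main__':
    print(split_rdns(naive_dn))   # the input contributes two RDNs
    print(split_rdns(safe_dn))    # the input stays inside the cn value
```

With python-ldap installed, ldap.dn.escape_dn_chars() fills the role of rfc4514_escape() and ldap.dn.str2dn() the role of split_rdns().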