Django : looking for a good LDAP manipulation library - django

I am looking for a good LDAP library for Django that would allow me to manage my LDAP server:
adding, modifying, deleting entries
for groups, users, and all kinds of objects
The library django-ldapdb looked promising; it offers a Model base class that can be used to declare LDAP objects in a Django fashion (which is what we ideally want). However, we've had some bugs with it, and furthermore it seems like it is not maintained any more.
Does somebody know a good library that could do the trick? Otherwise I guess I'll just try to improve and debug django-ldapdb...
Thanks!

sebpiq, you say you applied "one or two fixes" to django-ldapdb, would you care to share them? So far django-ldapdb meets my needs, but I'd be happy to integrate any fixes you might have.

When using ldapdb to query LDAP with more results than the server allows, instead of getting the partial list (of, say, the first 500 users) I get a SIZELIMIT_EXCEEDED exception. Trying to change the code to catch that exception resulted in empty result objects.
Anyone else had that problem?
I fixed that problem by changing the search_s function to use search_ext and read the results one by one until the exception happens.

http://www.python-ldap.org/doc/html/index.html
The beauty of Django is that you can use any python module within your application.

There is also django-auth-ldap, which claims:
LDAP configuration can be as simple as a single distinguished name template, but there are many rich options for working with User objects, groups, and permissions.

Actually, I have found out that with one or two fixes, django-ldapdb is a pretty good library. The only bad point is that it is not very actively maintained... I will use it anyways, because it is the best solution I have found.

Use django-contrib-comments (the app) in new Django projects?

From the documentation: "Django’s comment framework has been deprecated and is no longer supported. Most users will be better served with a custom solution, or a hosted product like Disqus. The code formerly known as django.contrib.comments is still available in an external repository."
Is the move to django-contrib-comments only a fallback for existing projects that use django.contrib.comments? Should I use django-contrib-comments in new projects and why (not)?
I have been developing comments for our site using django.contrib.comments and found it to be quite a simple module and nothing else. If you are building "just" a commenting app to engage people, Disqus might be a nice option. For instance, if you are building something like what Stack Overflow is doing, you need to do it yourself.
For that, you can pretty well use django.contrib.comments and build the rest of your code on top of it. I have been doing this, and the following are points I would like to note:
Very good chance that you are going to write all views again for Ajax support or any other custom support.
The app does not authenticate users, so you might need to tweak this too.
Add some special fields in comments, remove some provided ones.
You might want to allow users to delete comments. The built-in delete is just a flag where it's marked "deleted" but not actually deleted.
Regarding administration of comments, there might be a lot you are going to improve.
It goes on; when you start doing it, you continue to tweak almost everything to make it fit your site. If your tweaks seem too huge, I guess start from scratch or take only the parts of django.contrib.comments you need.
The Django developers Google Group has this proposal:
"... if you don't really care much about how comments work but just want something easy, then Disqus (and its competitors) are easier to use and have much better features (spam prevents, moderation, etc.). If you want something complex and specific, on the other hand, you're better off writing something from scratch."
And the django-contrib-comments (the new home) is intended as a boneyard.

How do I remove the history portion of an email body?

I am building an application that will send, read, and respond to emails. The problem is that if an email is part of a thread, it is likely to contain history information. Unfortunately, there is no consistency in how history information is displayed (sometimes it's marked with arrows >>>> sometimes with a rule, etc.) so it's not easily found by regular expression.
I am currently using several regexes that solve many cases, and adding new ones as they arise. Is this the best way to handle the problem?
Does anyone have a better solution?
In all honesty, there is no good way to handle this problem. Most email systems have a default way of doing this. Using regular expressions for the most common ones will get you pretty far, because most email systems run on default settings for this. But you have to understand that this can be customized very easily from one email server to another, meaning that there is no one-size-fits-all solution.
But...if good enough is good enough, just keep doing what you're doing or don't use forwards/replies.
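One way to write the regex approach from the question as a single cut-off function, as an added example rather than the asker's own code: the marker list is a constructed starting set (Outlook-style separators, a wrapped "On ... wrote:" attribution line, a pasted header block, a rule, and the first `>`-quoted line), and the body is truncated at the earliest match so the attribution line goes with the quote it introduces.

```python
import re

# Constructed starting set of markers that commonly introduce quoted history.
# Mail clients differ, so this list is meant to be extended case by case.
HISTORY_MARKERS = [
    # Outlook and many desktop clients
    re.compile(r"^\s*-{2,}\s*(Original|Forwarded) Message\s*-{2,}\s*$", re.M | re.I),
    # Gmail-style attribution line, which clients often wrap onto a second line
    re.compile(r"^On\b[^\n]{0,200}(?:\n[^\n]{0,200})?wrote:[ \t]*$", re.M),
    # Start of a pasted header block
    re.compile(r"^From:[ \t].+$", re.M),
    # A horizontal rule used as a separator
    re.compile(r"^[_-]{10,}[ \t]*$", re.M),
    # The first line prefixed with the classic quote character
    re.compile(r"^[ \t]*>", re.M),
]

def strip_history(body: str) -> str:
    """Return body truncated at the earliest marker, or the full body if none matches.

    The cut is the earliest match across all patterns, so a quoted block preceded
    by an attribution line is removed together with that line. Ordinary text such
    as 'a > b' is untouched because the quote marker must start a line.
    """
    cut = len(body)
    for pattern in HISTORY_MARKERS:
        match = pattern.search(body)
        if match and match.start() < cut:
            cut = match.start()
    return body[:cut].rstrip()

if __name__ == "__main__":
    sample = "Thanks, works now.\n\nOn Tue, 3 Jan 2012, Bob <bob@example.com>\nwrote:\n> did you try X?\n"
    print(repr(strip_history(sample)))
```

A body line that legitimately starts with "On ... wrote:" or "From: " will be cut too, which is the false-positive trade-off the accepted answer is talking about.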

Django N+1 query solution

I visited http://guides.rubyonrails.org/active_record_querying.html after talking with a peer regarding N+1 and the serious performance implications of bad DB queries.
ActiveRecord (Rails):
clients = Client.includes(:address).limit(10)
Where clients have addresses, and I intend to access them while looping through the clients, Rails provides includes to let it know to go ahead and add them to the query, which eliminates 9 queries right off the bat.
Django:
https://github.com/lilspikey/django-batch-select provides batch query support. Do you know of other libraries or tricks to achieve what Rails provides above, but in a less verbose manner (as in the Rails example, where just 19 chars fix N+1 and are very clear)? Also, does batch-select address the concern in the same way, or are these two different things?
BTW, I'm not asking about select_related, though it may seem to be the answer at first glance. I'm speaking of a situation where address has a foreign key to client.
You can do it with prefetch_related since Django 1.4:
https://docs.djangoproject.com/en/dev/ref/models/querysets/#prefetch-related
If you're using < 1.4, have a look at this module:
https://github.com/ionelmc/django-prefetch
It claims to be more flexible than Django's prefetch_related. Verbose but works great.
Unfortunately, Django's ORM as of yet has no way of doing this.
Fortunately, it is possible to do it in only 2 queries, with a bit of work done in Python.
clients = list(Client.objects.all()[:10])
# Second query: every address for those clients at once, keyed by client id.
addresses = dict((x.client_id, x) for x in
                 Address.objects.filter(client__in=clients))
for client in clients:
    print(client, addresses[client.id])
django-batch-select is supposed to provide an answer to this problem, though I haven't tried it out. Ignacio's answer above seems best to me.
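The two-query approach from Ignacio's answer, as an added example (not code from any of the answers) written against plain sqlite3 with raw SQL so that it runs stand-alone without Django: the schema, the sample rows and the statement counter are constructed for the demonstration, and the point is the query count, 11 versus 2 for ten clients, not the ORM syntax.

```python
import sqlite3

# Constructed schema for this example: Address carries the foreign key to Client,
# as in the question (the reverse direction of what select_related handles).
SCHEMA = """
CREATE TABLE client  (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE address (id INTEGER PRIMARY KEY, city TEXT NOT NULL,
                      client_id INTEGER NOT NULL REFERENCES client(id));
"""

def make_db(n_clients=10):
    """In-memory database with n clients; the last one has no address on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for i in range(1, n_clients + 1):
        conn.execute("INSERT INTO client VALUES (?, ?)", (i, f"client{i}"))
        if i != n_clients:
            conn.execute("INSERT INTO address (city, client_id) VALUES (?, ?)", (f"city{i}", i))
    conn.commit()
    return conn

def count_queries(conn, fn):
    """Run fn(conn) and return (its result, number of SQL statements executed)."""
    hits = []
    conn.set_trace_callback(lambda stmt: hits.append(stmt))
    try:
        return fn(conn), len(hits)
    finally:
        conn.set_trace_callback(None)

def n_plus_one(conn, limit=10):
    """The naive loop: one query for the clients, then one per client for its address."""
    clients = conn.execute("SELECT id, name FROM client ORDER BY id LIMIT ?", (limit,)).fetchall()
    result = []
    for cid, name in clients:
        row = conn.execute("SELECT city FROM address WHERE client_id = ?", (cid,)).fetchone()
        result.append((name, row[0] if row else None))
    return result

def two_queries(conn, limit=10):
    """Ignacio's approach: fetch all matching addresses at once and join them in Python."""
    clients = conn.execute("SELECT id, name FROM client ORDER BY id LIMIT ?", (limit,)).fetchall()
    ids = [cid for cid, _ in clients]
    if not ids:
        return []
    marks = ",".join("?" * len(ids))  # one bound placeholder per id; ids are never string-formatted in
    rows = conn.execute(f"SELECT client_id, city FROM address WHERE client_id IN ({marks})", ids)
    by_client = {cid: city for cid, city in rows}  # dict keyed by client_id, as in the answer
    return [(name, by_client.get(cid)) for cid, name in clients]  # .get: no address -> None
```

Calling `count_queries(make_db(), n_plus_one)` and `count_queries(make_db(), two_queries)` returns the same rows with 11 and 2 statements respectively.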

Could not find the ColdFusion Component or Interface Answer.

I sometimes get
Could not find the ColdFusion Component or Interface Answer.
and simply doing a refresh fixes the problem.
This is not a case where the program is being refreshed from FTP while I try to browse it: no development is being done. But every once in a while I'll get it while trying to do a createobject.
Q: Is there a best practice for sleeping and trying again if instantiating a component fails?
Are you using a cluster of servers? If so perhaps you have one server misconfigured - perhaps a missing mapping - and when you get served from that server you see the issue? That might explain the way it seems to only sometimes happen.
By the way, instantiation of CFCs should always work; you should not be trying to code around this issue by sleeping and trying again.
Phillip, any chance this is on cf 9.0.1, and you're using the "import" keyword?
The reason I ask is that I've seen behavior -- and logged a bug report on it -- where if I have two different object creations on the same page (or in another CFC... doesn't matter), both from the same package, and I'm not using the fully qualified CFC name but instead am using import, then the first createObject() will succeed and the second will fail with the "could not find ... " error.
I wonder if something like that could be at work here.

Are there cross-platform tools to write XSS attacks directly to the database?

I've recently found this blog entry on a tool that writes XSS attacks directly to the database. It looks like a terribly good way to scan my applications for weaknesses.
I've tried to run it on Mono, since my development platform is Linux. Unfortunately it crashes with a System.ArgumentNullException deep inside Microsoft.Practices.EnterpriseLibrary and I seem to be unable to find sufficient information about the software (it seems to be a single-shot project, with no homepage and no further development).
Is anyone aware of a similar tool? Preferably it should be:
cross-platform (Java, Python, .NET/Mono, even cross-platform C is ok)
open source (I really like being able to audit my security tools)
able to talk to a wide range of DB products (the big ones are most important: MySQL, Oracle, SQL Server, ...)
Edit: I'd like to clarify my goal: I'd like a tool that directly writes the result of a successful XSS/SQL injection attack into the database. The idea is that I want to check that every place in my app does correct output encoding. Detecting and avoiding the data getting there in the first place is an entirely different thing (and might not be possible when I display data that's written to the DB by a third-party application).
Edit 2: Corneliu Tusnea, the author of the tool I linked to above, has since released the tool as free software on codeplex: http://xssattack.codeplex.com/
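A minimal version of the seed-and-check idea described in the edit, as an added example rather than the linked tool's code: it stores a benign canary element (not a live payload) in a constructed in-memory SQLite table, renders the rows through two constructed views, and reports which rows reached the page unencoded. The table, column and view names are invented for the demonstration.

```python
import html
import sqlite3
from html.parser import HTMLParser

# A harmless, unique element name: it does nothing in a browser, but it only
# appears as a real tag if some view forgot to encode the stored value.
CANARY_TAG = "xss-canary"

def canary_value(row_id):
    """Seed value written to the database for the row identified by row_id."""
    return f'<{CANARY_TAG} data-row="{row_id}">'

class _CanaryFinder(HTMLParser):
    """Collects the data-row ids of canaries that survived as markup."""
    def __init__(self):
        super().__init__()
        self.leaked = []

    def handle_starttag(self, tag, attrs):
        if tag == CANARY_TAG:
            self.leaked.append(dict(attrs).get("data-row"))

def find_unencoded(rendered_html):
    """Return row ids whose canary was rendered as a tag, i.e. without output encoding.
    Only the HTML element context is covered; attribute and script contexts
    need their own canaries and their own checks."""
    parser = _CanaryFinder()
    parser.feed(rendered_html)
    parser.close()
    return parser.leaked

# Two constructed views over the same rows: one encodes on output, one does not.
def render_encoded(names):
    return "<ul>" + "".join(f"<li>{html.escape(name)}</li>" for name in names) + "</ul>"

def render_raw(names):
    return "<ul>" + "".join(f"<li>{name}</li>" for name in names) + "</ul>"

def seed_and_check(render):
    """Seed a throwaway in-memory table with canaries, render it, report leaks."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, display_name TEXT)")
    for row_id in (1, 2, 3):
        conn.execute("INSERT INTO profile VALUES (?, ?)", (row_id, canary_value(row_id)))
    names = [row[0] for row in conn.execute("SELECT display_name FROM profile ORDER BY id")]
    return find_unencoded(render(names))
```

`seed_and_check(render_encoded)` returns an empty list, while `seed_and_check(render_raw)` returns the ids of all three rows, which is the signal the question is after.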
I think metasploit has most of the attributes you are looking for. It may even be the only one that has all of what you specify, since all the others I can think of are closed source. There are a few existing modules that deal with XSS and one in particular that you should take a peek at: HTTP Microsoft SQL Injection Table XSS Infection. From the sounds of that module it is capable of doing exactly what you are wanting to do.
The framework is written in Ruby I believe, and is supposed to be easy to extend with your own modules which you may need/want to do.
I hope that helps.
http://www.metasploit.com/
Not sure if this is what you're after; it's a parameter fuzzer for HTTP/HTTPS.
I haven't used it in a while, but IIRC it acts as a proxy between you and the web application in question, and will insert XSS/SQL injection attack strings into any input fields before deeming whether the response was "interesting" or not, thus whether the application is vulnerable or not.
http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
From your question I'm guessing it is a type of fuzzer you're looking for, and one specifically for XSS and web applications; if I'm right - then that might help you!
It's part of the Open Web Application Security Project (OWASP) that "jah" has linked you to above.
There are some Firefox plugins to do some XSS testing here:
http://labs.securitycompass.com/index.php/exploit-me/
A friend of mine keeps saying that php-ids is pretty good. I haven't tried it myself, but it sounds as if it could approximately match your description:
Open Source (LGPL),
Cross Platform - PHP is not in your list, but maybe it's ok?
Detects "all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks" (this is from the FAQ)
Logs to databases.
I don't think there is such a tool, other than the one you pointed us to. I think there's a good reason for that: It's probably not the best way to test that each and every output is properly encoded for the applicable context.
From reading about that tool, it seems the premise is to insert random XSS vectors into the database and then browse your application to see if any of those vectors succeed. This is rather a hit-and-miss methodology, to say the least.
A much better idea, I think, would be to perform code reviews.
You may find it helpful to have a look at some of the resources available at http://owasp.org - namely the Application Security Verification Standard (ASVS), the Testing Guide and the Code Review Guide.