python-ldap · droideck · Oct 10, 2025 · Nov 27, 2023 · Feb 22, 2024 · Feb 27, 2024
diff --git a/.coveragerc b/.coveragerc
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -20,18 +20,16 @@ jobs:
       fail-fast: false
       matrix:
         python-version:
-          - "3.7"
           - "3.8"
           - "3.9"
           - "3.10"
           - "3.11"
           - "3.12"
+          - "3.13"
           - "pypy3.9"
+          - "pypy3.10"
         image: 
           - "ubuntu-22.04"
-        include:
-          - python-version: "3.6"
-            image: "ubuntu-20.04"
     steps:
       - name: Checkout
         uses: "actions/checkout@v4"
@@ -43,7 +41,7 @@ jobs:
       - name: Disable AppArmor
         run: sudo aa-disable /usr/sbin/slapd
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           allow-prereleases: true

diff --git a/.github/workflows/tox-fedora.yml b/.github/workflows/tox-fedora.yml
@@ -9,31 +9,28 @@ jobs:
   tox_test:
     name: Tox env "${{matrix.tox_env}}" on Fedora
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Run Tox tests
       uses: fedora-python/tox-github-action@main
       with:
         tox_env: ${{ matrix.tox_env }}
         dnf_install: >
             @c-development openldap-devel python3-devel
             openldap-servers openldap-clients lcov clang-analyzer valgrind
-            enchant
+            enchant python3-setuptools
     strategy:
       matrix:
         tox_env:
-        - py36
-        - py37
         - py38
         - py39
         - py310
         - py311
         - py312
-        - c90-py36
-        - c90-py37
+        - py313
         - py3-nosasltls
         - py3-trace
         - pypy3
         - doc
 
     # Use GitHub's Linux Docker host
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
diff --git a/.gitignore b/.gitignore
@@ -3,8 +3,6 @@
 *.pyc
 __pycache__/
 .tox
-.coverage*
-!.coveragerc
 /.cache
 /.pytest_cache
 

diff --git a/.readthedocs.yaml b/.readthedocs.yaml
@@ -0,0 +1,22 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+ os: ubuntu-22.04
+ tools:
+ python: "3.11"
+
+# Build documentation in the docs/ directory with Sphinx
+sphinx:
+ configuration: Doc/conf.py
+
+# We recommend specifying your dependencies to enable reproducible builds:
+# https://docs.readthedocs.io/en/stable/guides/reproducible-builds.html
+python:
+ install:
+  - requirements: Doc/requirements.txt
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,32 @@
+Released 3.4.5 2025-10-10
+
+Security fixes:
+* CVE-2025-61911 (GHSA-r7r6-cc7p-4v5m): Enforce ``str`` input in
+  ``ldap.filter.escape_filter_chars`` with ``escape_mode=1``; ensure proper
+  escaping. (thanks to lukas-eu)
+* CVE-2025-61912 (GHSA-p34h-wq7j-h5v6): Correct NUL escaping in
+  ``ldap.dn.escape_dn_chars`` to ``\00`` per RFC 4514. (thanks to aradona91)
+
+Fixes:
+* ReconnectLDAPObject now properly reconnects on UNAVAILABLE, CONNECT_ERROR
+  and TIMEOUT exceptions (previously only SERVER_DOWN), fixing reconnection
+  issues especially during server restarts
+* Fixed syncrepl.py to use named constants instead of raw decimal values
+  for result types
+* Fixed error handling in SearchNoOpMixIn to prevent a undefined variable error
+
+Tests:
+* Added comprehensive reconnection test cases including concurrent operation
+  handling and server restart scenarios
+
+Doc/
+* Updated installation docs and fixed various documentation typos
+* Added ReadTheDocs configuration file
+
+Infrastructure:
+* Add testing and document support for Python 3.13
+
+----------------------------------------------------------------
 Released 3.4.4 2022-11-17
 
 Fixes:

diff --git a/Demo/pyasn1/syncrepl.py b/Demo/pyasn1/syncrepl.py
@@ -76,7 +76,7 @@ def syncrepl_entry(self, dn, attributes, uuid):
         logger.debug('Detected %s of entry %r', change_type, dn)
         # If we have a cookie then this is not our first time being run,
         # so it must be a change
-        if 'ldap_cookie' in self.__data:
+        if 'cookie' in self.__data:
             self.perform_application_sync(dn, attributes, previous_attributes)
 
     def syncrepl_delete(self,uuids):
@@ -98,7 +98,7 @@ def syncrepl_present(self,uuids,refreshDeletes=False):
                 deletedEntries = [
                     uuid
                     for uuid in self.__data.keys()
-                    if uuid not in self.__presentUUIDs and uuid != 'ldap_cookie'
+                    if uuid not in self.__presentUUIDs and uuid != 'cookie'
                 ]
                 self.syncrepl_delete( deletedEntries )
             # Phase is now completed, reset the list

diff --git a/Doc/contributing.rst b/Doc/contributing.rst
@@ -19,7 +19,7 @@ Communication
 
 Always keep in mind that python-ldap is developed and maintained by volunteers.
 We're happy to share our work, and to work with you to make the library better,
-but (until you pay someone), there's obligation to provide assistance.
+but (until you pay someone), there's no obligation to provide assistance.
 
 So, keep it friendly, respectful, and supportive!
 

diff --git a/Doc/installing.rst b/Doc/installing.rst
@@ -63,8 +63,8 @@ to get up to date information which versions are available.
 Windows
 -------
 
-Unofficial packages for Windows are available on
-`Christoph Gohlke's page <https://www.lfd.uci.edu/~gohlke/pythonlibs/>`_.
+Unofficial binary builds for Windows are provided by Christoph Gohlke, available at
+`python-ldap-build <https://github.com/cgohlke/python-ldap-build/releases>`_.
 
 
 `FreeBSD <https://www.freebsd.org/>`_
@@ -76,12 +76,23 @@ The CVS repository of FreeBSD contains the package
 macOS
 -----
 
-You can install directly with pip::
+You can install directly with pip. First install Xcode command line tools::
 
     $ xcode-select --install
-    $ pip install python-ldap \
-        --global-option=build_ext \
-        --global-option="-I$(xcrun --show-sdk-path)/usr/include/sasl"
+
+Then install python-ldap::
+
+    $ pip install python-ldap
+
+For custom installations, you may need to set environment variables::
+
+    $ export CPPFLAGS="-I$(xcrun --show-sdk-path)/usr/include/sasl"
+    $ pip install python-ldap
+
+If using Homebrew::
+
+    $ brew install openldap
+    $ pip install python-ldap
 
 
 .. _install-source:
@@ -90,11 +101,14 @@ Installing from Source
 ======================
 
 
-python-ldap is built and installed using the Python setuptools.
-From a source repository::
+python-ldap is built and installed using modern Python packaging standards
+with pyproject.toml configuration. From a source repository::
 
-    $ python -m pip install setuptools
-    $ python setup.py install
+    $ pip install .
+
+For development installation with editable mode::
+
+    $ pip install -e .
 
 If you have more than one Python interpreter installed locally, you should
 use the same one you plan to use python-ldap with.
@@ -143,10 +157,15 @@ Packages for building::
 Debian
 ------
 
+Packages for building::
+
+   # apt-get install build-essential ldap-utils \
+       libldap2-dev libsasl2-dev
+
 Packages for building and testing::
 
-   # apt-get install build-essential python3-dev \
-       libldap2-dev libsasl2-dev slapd ldap-utils tox \
+   # apt-get install build-essential ldap-utils \
+       libldap2-dev libsasl2-dev slapd python3-dev tox \
        lcov valgrind
 
 .. note::

diff --git a/Doc/reference/ldap.rst b/Doc/reference/ldap.rst
@@ -604,13 +604,13 @@ The module defines the following exceptions:
 .. py:exception:: COMPARE_FALSE
 
    A compare operation returned false.
-   (This exception should only be seen asynchronous operations, because
+   (This exception should only be seen in asynchronous operations, because
    :py:meth:`~LDAPObject.compare_s()` returns a boolean result.)
 
 .. py:exception:: COMPARE_TRUE
 
    A compare operation returned true.
-   (This exception should only be seen asynchronous operations, because
+   (This exception should only be seen in asynchronous operations, because
    :py:meth:`~LDAPObject.compare_s()` returns a boolean result.)
 
 .. py:exception:: CONFIDENTIALITY_REQUIRED
@@ -1364,7 +1364,7 @@ and wait for and return with the server's result, or with
    This synchronous method implements the LDAP "Who Am I?"
    extended operation.
 
-   It is useful for finding out to find out which identity
+   It is useful for finding out which identity
    is assumed by the LDAP server after a SASL bind.
 
    .. seealso::

diff --git a/Doc/spelling_wordlist.txt b/Doc/spelling_wordlist.txt
@@ -25,6 +25,7 @@ changeNumber
 changesOnly
 changeType
 changeTypes
+Christoph
 cidict
 clientctrls
 conf
@@ -56,8 +57,10 @@ filterstr
 filterStr
 formatOID
 func
+Gohlke
 GPG
 Heimdal
+Homebrew
 hostport
 hrefTarget
 hrefText
@@ -105,6 +108,7 @@ previousDN
 processResultsCount
 Proxied
 py
+pyproject
 pytest
 rdn
 readthedocs
@@ -145,6 +149,7 @@ syncrepl
 syntaxes
 timelimit
 TLS
+toml
 tracebacks
 tuple
 tuples
@@ -161,5 +166,6 @@ userPassword
 usr
 uuids
 Valgrind
+Xcode
 whitespace
 workflow
diff --git a/INSTALL b/INSTALL
@@ -1,8 +1,7 @@
 Quick build instructions:
 
     edit setup.cfg (see Build/ for platform-specific examples)
-    python setup.py build
-    python setup.py install
+    pip install .
 
 Detailed instructions are in Doc/installing.rst, or online at:
 

diff --git a/Lib/ldap/cidict.py b/Lib/ldap/cidict.py
@@ -85,7 +85,7 @@ def strlist_minus(a,b):
   a,b are supposed to be lists of case-insensitive strings.
   """
   warnings.warn(
-    "strlist functions are deprecated and will be removed in 3.5",
+    "strlist functions are deprecated and will be removed in 4.0",
     category=DeprecationWarning,
     stacklevel=2,
   )
@@ -105,7 +105,7 @@ def strlist_intersection(a,b):
   Return intersection of two lists of case-insensitive strings a,b.
   """
   warnings.warn(
-    "strlist functions are deprecated and will be removed in 3.5",
+    "strlist functions are deprecated and will be removed in 4.0",
     category=DeprecationWarning,
     stacklevel=2,
   )
@@ -125,7 +125,7 @@ def strlist_union(a,b):
   Return union of two lists of case-insensitive strings a,b.
   """
   warnings.warn(
-    "strlist functions are deprecated and will be removed in 3.5",
+    "strlist functions are deprecated and will be removed in 4.0",
     category=DeprecationWarning,
     stacklevel=2,
   )

diff --git a/Lib/ldap/controls/openldap.py b/Lib/ldap/controls/openldap.py
@@ -51,6 +51,7 @@ class SearchNoOpMixIn:
   """
 
  def noop_search_st(self,base,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)',timeout=-1):
+ msg_id = None
  try:
  msg_id = self.search_ext(
  base,
@@ -66,9 +67,10 @@ def noop_search_st(self,base,scope=ldap.SCOPE_SUBTREE,filterstr='(objectClass=*)
  ldap.TIMELIMIT_EXCEEDED,
  ldap.SIZELIMIT_EXCEEDED,
  ldap.ADMINLIMIT_EXCEEDED
-    ) as e:
- self.abandon(msg_id)
- raise e
+    ):
+ if msg_id is not None:
+ self.abandon(msg_id)
+ raise
  else:
  noop_srch_ctrl = [
  c

diff --git a/Lib/ldap/dn.py b/Lib/ldap/dn.py
@@ -26,7 +26,8 @@ def escape_dn_chars(s):
     s = s.replace('>' ,'\\>')
     s = s.replace(';' ,'\\;')
     s = s.replace('=' ,'\\=')
-    s = s.replace('\000' ,'\\\000')
+    # RFC 4514 requires NULL (U+0000) to be escaped as hex pair "\00"
+    s = s.replace('\x00' ,'\\00')
     if s[-1]==' ':
       s = ''.join((s[:-1],'\\ '))
     if s[0]=='#' or s[0]==' ':