Connect to IBM's LDAP, Bluepages, with Python
Steve Martinelli

Tags

  • software
  • ibm
  • python
  • ldap

If you’ve ever worked at IBM then you know what Bluepages is; for those who don’t, it’s the company’s LDAP server. It’s most commonly used via a web interface where employees can look up other employees. Check it out below.

[Image: bluepages]

As part of my day job I help run the IBM Developer site, which lists a bunch of our Developer Advocates. Recently someone left the company and their page remained until someone made a PR to remove it. I saw this as an opportunity to ideate how I would improve things. A bit of Python and a Travis job that runs daily to remove users that are not found should do the trick!

So I quickly wrote some Python code using the python-ldap project, which wraps the OpenLDAP client, so ensure you have those two installed before looking at the Python code below.

# I use a Mac, so brew it is
brew install openldap
pip install python-ldap

Then fire up your favorite editor and write a few lines of code to anonymously bind and look up a user. You can look up a user by email using the email=* query or by name using cn=*.

import ldap

ldap_uri = 'ldap://bluepages.ibm.com'
ldap_base = 'ou=bluepages,o=ibm.com'
# Search by name (cn) or by email; swap the commented line to try the other
#query = "(cn=Steve Martinelli)"
query = "(email=stevemar@ca.ibm.com)"

conn = ldap.initialize(ldap_uri)
result = conn.search_s(ldap_base, ldap.SCOPE_SUBTREE, query)
print(result)

You’ll get back something like this:

{
  "ou": ["bluepages"],
  "o": ["ibm.com"],
  "co": ["Canada"],
  "emailAddress": ["stevemar@ca.ibm.com"],
  "cn": ["Steve Martinelli"]
}

What I like about the python-ldap library is that it makes things simple. Even after working for years on OpenStack’s Identity service I still scratch my head if given too many prompts.

Hope this helps other IBMers looking to whip up a quick prototype or two!

UPDATE: How to authenticate

I’ve had a few requests internally about why folks can’t authenticate to our LDAP with pyldap. It was the same problem every time. Folks were trying to authenticate with their email address instead of the full DN. Here’s some sample code with comments to show how to authenticate.

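import ldap
import ldap.filter

# Note: ldap:// is unencrypted, so the simple bind below sends the password in cleartext
ldap_uri  = 'ldap://bluepages.ibm.com'
ldap_base = 'ou=bluepages,o=ibm.com'
conn = ldap.initialize(ldap_uri)

# Assume you get an email address and password as input...
user_email = 'stevemar@ca.ibm.com'
pw = "mypassword"

# Look up the email in LDAP, escaping filter metacharacters in the input
query_email = "(email=" + ldap.filter.escape_filter_chars(user_email) + ")"

# result[0][0] returns a full DN
# i.e. "uid=0123456789,c=ca,ou=bluepages,o=ibm.com"
result = conn.search_s(ldap_base, ldap.SCOPE_SUBTREE, query_email)
if not result:
    # No entry matched, so there is no DN to bind with
    raise SystemExit("No entry found for " + user_email)
user_dn = result[0][0]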
print(user_dn)

# To authenticate the user you have to authenticate with the full DN
conn.simple_bind_s(user_dn, pw)
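
The lookup-then-bind flow above, as an added example that is not part of the original post: it escapes the email before it goes into the filter, requires exactly one match, and refuses an empty password, which a server may treat as an unauthenticated bind. `escape_filter_value`, `authenticate`, `BindFailed` and `FakeDirectory` are hypothetical names and the directory entries are constructed so it runs offline; with python-ldap, `ldap.filter.escape_filter_chars` does the escaping.

```python
import re

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def authenticate(conn, base, scope, email, password):
    """Return the bound user's DN, or None if the input or lookup is unusable."""
    # An empty password makes this an unauthenticated bind, which a server may accept.
    if not email or not password:
        return None
    result = conn.search_s(base, scope, "(email=%s)" % escape_filter_value(email))
    # Exactly one entry must match; zero or several means no usable DN.
    if len(result) != 1:
        return None
    user_dn = result[0][0]
    conn.simple_bind_s(user_dn, password)  # raises on a wrong password
    return user_dn

class BindFailed(Exception):
    """Constructed stand-in for ldap.INVALID_CREDENTIALS."""

class FakeDirectory:
    """Constructed stand-in for a python-ldap connection; entries are made up."""
    entries = {
        "uid=0000000001,c=ca,ou=bluepages,o=ibm.com": ("alice@example.com", "alice-pw"),
        "uid=0000000002,c=us,ou=bluepages,o=ibm.com": ("bob@example.com", "bob-pw"),
    }

    def search_s(self, base, scope, query):
        value = re.fullmatch(r"\(email=(.*)\)", query).group(1)
        # An unescaped '*' is a wildcard; \xx is a literal character.
        tokens = re.findall(r"\\[0-9a-fA-F]{2}|.", value)
        regex = "".join(".*" if t == "*" else
                        re.escape(chr(int(t[1:], 16)) if len(t) == 3 else t)
                        for t in tokens)
        return [(dn, {"emailAddress": [mail]})
                for dn, (mail, _) in self.entries.items() if re.fullmatch(regex, mail)]

    def simple_bind_s(self, dn, password):
        # Mimics a server that accepts a DN together with an empty password.
        if password and self.entries[dn][1] != password:
            raise BindFailed(dn)

BASE, SCOPE = "ou=bluepages,o=ibm.com", 2  # 2 == ldap.SCOPE_SUBTREE
```

Against a real server, pass the object returned by `ldap.initialize()` as `conn` and catch `ldap.INVALID_CREDENTIALS` around the call.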