# 2.9.1 - 2021.07.18
  • new feature: added support for using Kerberos authentication on windows clients using the native winkerberos library
  • new feature: added support for using Channel Bind tokens with Kerberos authentication on windows clients
  • fixed a bug related to using start_tls with a RESTARTABLE strategy that caused errors to be raised erroneously.
  • fixed a bug around the type checking of Reverse DNS Settings with Kerberos authentication
  • fixed an issue related to decoding unicode strings in LDAP referrals and attributes in python 2
  • minor documentation updates and corrections
# 2.9 - 2021.01.24
  • new feature: SafeRestartable strategy (SAFE_RESTARTABLE) for using a restartable Connection object in a multi-threading program
  • tested against Python 3.9
  • added requirements-dev.txt
  • fixed logging unicode exceptions in python2.7
  • added more granular control over use of reverse dns with Kerberos (thanks Azaria)
  • support MS Active Directory persistent search (thanks eLeX)
  • added support for LDAP signing when using DIGEST-MD5 authentication (thanks Augustin-FL)
  • check only for searchResEntries in LDIF conversion (thanks Jay)
  • modify-increment now works properly in mock strategies (thanks Saint-Marcel)
  • objectGUID are now converted properly (thanks Janne)
  • default timeout in asynchronous strategies raised to 20 seconds
# 2.8.1 - 2020.09.07
  • fixed regression in 2.8 for members returned in AD auto-range search (thanks Felix)
  • fixed regression in 2.8 for attribute error in restartable class (thanks Christian)
  • try to use Crypto library if present for hashing NTLM password on python interpreter missing the MD4 OpenSSL algorithm (thanks Doron)
# 2.8 - 2020.08.08
  • new feature: SafeSync strategy (SAFE_SYNC) for using a synchronous Connection object in a multi-threading program
  • new feature: LDIF_LINE_LENGTH for specifying line length wrapping in ldif-content output (default to 78 as per RFC 2849)
  • fixed requirements for pyasn1
  • fixed regression for ldapi connections
  • fixed issue with lazy connection requesting server info on every operation
  • fixed searching by objectGUID in hex format (thanks Matt)
  • added iso_format parameter to utils.format_json to return dates in ISO format (thanks Hugh)
  • fixed issue with Referral attributes not returned by the referral server (thanks Nazarii)
  • fixed lost error message in auto_bind (thanks cfelder)
  • fixed delete_old_dn in mock connections (thanks kpinc)
  • fixed a ResourceWarning with lazy connections
  • fixed entry_to_json() that in python2 modified the original entry value (thanks Dirk-Jan)
  • tests don’t raise Exception if real server is not present (thanks Matej)
# 2.7 - 2020.03.01
  • tested against Python 3.8.1 and pyasn1 0.4.8
  • re-enabled ssl exception raising on bad certificate when only 1 server is present in the server pool
  • removed Python 2.6 from Travis configuration (thanks gliptak)
  • added support for source specifications in LDAP connections (thanks Azaria)
  • added support for allowing special AD security identifier (SID) in DN (thanks John)
  • fixed pickling of entry and attribute (thanks cfelder)
  • close connection when auto_bind fails (thanks Hrishikesh)
  • operational attributes can be used in Abstraction Layer (thanks Sohalt)
  • additional SSL options can be used in Tls object (thanks Nazarii)
  • threading.Event replaces loop checking in async strategy. ASYNC strategy should be much faster now (thanks Yang)
  • adding a key that is already an alias that contains other aliases in CaseInsensitiveWithAliasDict() now works properly (thanks Mark)
  • when searching for GUID, UUID and SID the backslash character (0x5C) is properly managed (thanks Nocturem)
  • LDIF output properly formatted when controls are missing (thanks Tom)
  • operational attributes are not returned in MOCK strategies when not requested (thanks kpinc)
  • undecodable values are returned as raw bytes when using the pyasn1 decoder
# 2.6.1 - 2019.09.06
  • tested against pyasn1 0.4.7
  • added eDirectory 9.1.4 (EDIR_9_1_4) to offline schemas
  • added json converter for timedelta (thanks dirkjanm)
  • strip parameter defaults to False in utils.dn.parse_dn()
  • escaped space is allowed as trailing character in attribute_value in utils.dn.parse_dn() (thanks phi1010)
  • connection.extend.standard.paged_search doesn’t raise exceptions when raise_exceptions is False
  • the Search operation returns the entries fetched by the server when size or time limits are reached even if raise_exceptions is set to True
  • Handle the minimum value that can be stored in an Int64 in format_ad_timedelta (thanks mprahl)
  • EntryState: entry_raw_attributes is populated instead of raw_attributes (thanks Christian)
  • Removed restriction to perform rename and move simultaneously in modify_dn (thanks Fabian)
  • fixed checking for hexdigits in parse_dn (thanks Michael)
  • fixed escaping when multiple backslashes are present in parse_dn (thanks Phillip)
  • fixed multiple NoneType exceptions in entry_to_json() (thanks David and cfelder)
  • allowing Microsoft specific syntax (<WKGUID=xxx>) for WellKnownObjects in DN (thanks David)
  • connection.extend.standard.paged_search() now follows referrals when auto_referrals=True (thanks kprativa)
  • fixed a bug in decoding replica list in connection.extend.novell.list_replicas()
  • fixed a bug when adding duplicate alias in CaseInsensitiveWithAliasDict()
  • added ignore_duplicates=False in set_aliases in CaseInsensitiveWithAliasDict() to ignore a duplicate alias (either in aliases or in keys)
  • Schema info now uses CaseInsensitiveWithAlias dict as default so object and attributes can also be referenced with OID (thanks ahoffm11)
  • added block mode and timeout parameters to next() method of persistent_search
  • when using the pyasn1 decoder raw_dn is not returned as a pyasn1 object anymore but as bytes
  • Return offset timezone aware datetime for max AD timestamp (thanks Jussi)
# 2.6 - 2019.03.24
  • fixed empty file in 2.5.2 package
  • explicitly declare digest module md5 in util.ntlm (thanks adawalli)
  • change object passed to modify() was unexpectedly mutated (thanks John)
  • added LDAPInfoError exception
  • added Server.has_control(control) method to check if a server has a specific control
  • added Server.has_extension(extension) method to check if a server has a specific extension
  • added Server.has_feature(feature) method to check if a server has a specific feature
  • fixed checking of \ in safe_dn (thanks Maxim)
  • fixed uuid checking with 5c byte value
  • added single=True parameter to the ServerPool object definition. Servers state is shared between connections using the same pool
  • updated copyright notice
# 2.5.2 - 2018.12.28
  • when starting tls before binding the connection is automatically opened
  • fixed changelog date (thanks Adam)
  • support for AD timedeltas (thanks mprahl)
  • fixed WhoAmI in mock strategies (thanks mprahl)
  • prevent unnecessary exception in extend/standard/ModifyPassword (thanks Johnny)
  • added support for external gssapi credentials to be passed to the sasl connection (thanks Firstyear)
  • added support for gssapi store in sasl connection (thanks clhendrick)
  • fixed LdifProducer (thanks antoinell)
  • fixed NTLM bind (thanks ribx)
  • server state in ServerPool is now a namedtuple “ServerState” (thanks Krisztian)
  • fixed error when adding member to AD group with unsafe DN (thanks Maxim)
  • properly restore lazy status in reusable strategy (thanks Krisztian)
  • ServerState namedtuple converted to class in core/pooling (thanks Krisztian)
  • empty schema doesn’t raise exception in Abstraction Layer (thanks ghost)
# 2.5.1 - 2018.08.01
  • connection.result is populated when exception raised with raise_exceptions=True
  • fixed objectSid in mocking strategies
  • fixed circular reference in exception history
  • added objectSid validator
  • byte values are properly searched in MOCK strategies (thanks dyj216)
  • exception history refactored (thanks Tamas)
  • connections in context manager don’t bind anymore when auto_bind is set to AUTO_BIND_NONE (Thanks Tim)
  • Cython compatible build (thanks Pedro)
  • more detailed exception message in Mock strategy (thanks Janne)
  • exceptions flow refactored in reusable strategy (thanks kxt)
  • pwdlastset accepts any positive integer (thanks abenbecker)
  • fixed an exception while logging packet with pyasn1 decoder
  • fixed importing abc from collections for Python 3.8
# 2.5 - 2018.04.15
  • abstract layer now handles auxiliary classes
  • pwdLastSet in AD is valid for 0 and -1 (thanks Taylor)
  • fixed extend.novell.get_universal_password (thanks Fernando)
  • entryUUID is properly validated in search filters (thanks FriedrichI)
  • custom attribute formatters are properly applied when parsing the search filter
  • REUSABLE strategy now honours credentials when changed in the original connection (thanks Prof Hase)
  • add operation doesn’t change passed attribute dict anymore (thanks Daniele)
  • missing entry’s attribute returns False when searching instead of raising an exception (thanks Maxsond)
  • fixed ad_timestamp evaluation for integers (thanks Flynn)
  • wrong exception raised when user name is empty in simple binding (thanks Ivan)
  • exception is raised if size limit is exceeded when searching in mocking strategies with raise_exceptions=True (thanks David)
  • fixed validator for novell guid
  • fixed validator for openldap EntryUUID
  • fixed validator for AD objectGUID, now follows MS-DTYP
  • fixed formatter for AD objectGUID
  • fixed exception when adding binary values (thanks guidow)
  • added escape_rdn_chars() to ldap3.utils.dn for safe checking untrusted input while building DNs (thanks Alex)
  • fixed search for binary values in mock strategies
  • fixed exception with unicode chars in subfilters for python 2 (thanks Friedrich)
  • connection.extend.paged_search() doesn’t miss the last entries anymore when size limit is exceeded on the server (thanks Friedrich)
  • validators are not applied when loading data from json dump in Mock strategies (thanks Derek)
  • additional validator to check for erroneous bytes to string conversion in Python 3 (thanks Brian)
  • additional formatter and validator to check for generalizedTime with 0 year (thanks Brian)
  • fixed AD dir_sync extended operation (thanks Lucas)
  • ad_unlock_account works properly (thanks Francowxu)
  • added Microsoft security descriptor control (thanks Dirk-jan)
  • fixed search in mock strategies when raise_exceptions=True (thanks Derek)
  • formatters never raise exceptions but return the raw_value when unable to format
  • fixed controls duplication in paged search (thanks Dirk-jan)
# 2.4.1 - 2018.01.21
  • tested against pyasn1 from version 0.1.8 up to version 0.4.2, Python 2.6.6, Python 2.7.14, Python 3.6.4
  • auto_encode parameter is honored when binding (thanks jkolo)
  • fixed organizationalName definition in oid (thanks mingulov)
  • automatic byte to int conversion working again (thanks Brian)
  • mock connection searches correctly escape filters (thanks kiddick)
  • fixed bind with not unicode characters in Python 2 (thanks jkolo)
  • extended filter attributes should work again with pyasn1 0.4.1 (thanks Dirk-jan)
  • fixed error when reading incomplete server info
  • NOT keyword properly handled in dit_content_rules (thanks Michael)
  • operational attributes are properly returned in Cursor with get_operational_attributes = True (thanks a23s4a)
  • start_tls() is properly executed with AD when raise_exceptions=True (thanks Andrew)
  • reopening a Connection honours auto_bind setting (thanks calken)
  • an attribute returned with no value from a flaky server doesn’t raise exception anymore (thanks Terrence)
  • pwdLastSet in AD is valid only for -1 (thanks Thane)
  • fixed docs for ldifProducer (thanks lhoekenga)
  • fixed monkeypatching of pyasn1 for Boolean Value in BER encoding (thanks tmarlok88)
  • check_names was not honoured while validating attribute values (thanks ymcymc)
  • locks refactored in Connection and in Async strategy
  • socket properly closed when checking availability of an invalid server
# 2.4 - 2017.11.14
  • security fix in the rebind() method of the Connection object (thanks Daniel)
  • fix for Sasl credentials in Python 3 (thanks Busuwe)
  • fixed bug when checking for equality in MockBase
  • added validator parameter to Server object for custom validators
  • attribute values are now validated in add/compare/modify operations in the Connection object
  • Python types can now be used in add/compare/modify operations
  • compatible with the pyasn1 library from version 0.1.8 up to latest (0.3.3 for now) version
  • fixed compatibility with Twisted on Windows on Python 2.7 (thanks Pmisik)
  • fixed paged_search behaviour in Reader object
  • fixed regression in MockBase (thanks Markus)
  • fixed invalid filter sequence in MockBase (thanks SignedBit)
  • added compatibility with Cython (thanks Pedro)
  • fixed auto_encode check in validate_attribute_value for unknown attrs (thanks CFelder)
  • don’t encode response_value as extended_response_to_dict expects a decoded value (thanks Matthias)
  • compatible with the pyasn1 library from version 0.1.8 up to latest (0.3.7 for now) version
  • added LDAPObjectDereferenceError exception
  • LDAPObjectDereferenceError is raised when an object tries to dereference itself in the Abstraction Layer (thanks Daniele)
  • async module renamed to asynchronous for compatibility with Python 3.7 (thanks Barry)
  • long integers are properly checked in mocking strategies (thanks gregn610)
  • NUMERIC_TYPES includes long for Python 2
# 2.3 - 2017.08.02
  • compatible with the pyasn1 library from version 0.1.8 up to latest (0.3.1 for now) version
  • MockAsync strategy is available
  • added __ne__ method to Attribute in abstraction layer (thanks Rodrigo)
  • added LDAPUserNameIsMandatoryError exception in simple bind when user name is empty
  • search referrals are properly decoded with fast decoder
  • paged search works in mock strategies
  • paged_search in extend.standard namespace raises an exception of class LDAPOperationResult if the search returns an error
  • search_paged() method of Cursor object now returns the whole list of entries if generator=False
  • updated docs for default parameters (thanks Guarnacciaa)
  • fixed mockBase for integer matching (thanks Jijo)
  • boolean values are now uppercase in LDIF (thanks Linus)
  • fixed timeout in ssl connection on Linux and Mac (thanks Allan)
  • changed some internal functions to private in ldap3.utils.dn
  • operational attribute entryDN is properly managed in Mock strategies (thanks Mark)
  • new rdn in renamed entry is properly set in Mock strategies (thanks Mark)
  • metrics are now updated for Mock strategies, except that for received bytes (thanks joehy)
  • better managing of missing schema from the server (thanks Deborah)
  • fixed error while schema is not in string format (thanks Alexandre)
  • SNI support added when the underlying python library allows it (thanks Edmund)
  • added pool_keepalive parameter to Connection object for REUSABLE strategy
  • returns False when change is not successful (thanks Ashley)
  • added validators for uuid and uuid_le
  • fixed error while searching for bytes
  • fixed pickling and unpickling of datetime values (thanks David)
  • fixed error that resulted in valid generalizedTime strings not being parsed (thanks Busuwe)
  • fixed error with modify operation on referrals (thanks Busuwe)
  • fixed error in mockBase add_entry() with raw rdn (thanks Chad)
  • fixed error when stdin has no encoding in (thanks cronicryo)
  • fixed error when optional fields are not present in pyasn1 requests (thanks Ilya)
  • added DEFAULT_SERVER_ENCODING config parameter, should always be utf-8
  • DEFAULT_ENCODING config parameter renamed to DEFAULT_CLIENT_ENCODING
  • additional encodings are applied to all data received from the server
  • additional encodings are not applied to client data
  • added from_server=False parameter to to_unicode() to not try client encoding while decoding data from server
# 2.2.4 - 2017.05.07
  • leading and trailing spaces in server name don’t raise exception anymore
  • DitContentRule is properly read from the schema
  • added validator for Active Directory timestamp
  • Mock strategies raise an exception if a non-bytes value is added to the schema when no offline schema is provided (str and int are automatically converted)
  • added custom_validators property to Mock strategies
  • modifying objectClass with bytes values doesn’t raise an exception anymore (but it may fail anyway because of server constraints)
  • ensure that config sequence parameters are properly set
  • allow case insensitive attribute and class names in config parameters
  • added server.schema.is_valid() to check if the schema is available
  • empty schema properties are set to empty dict() instead of None
  • schema definitions with trailing and leading spaces are now properly parsed and don’t raise an LDAPSchemaError exception anymore
  • fixed error when flaky servers (OpenLDAP) don’t return the correct response with StartTls
# 2.2.3 - 2017.04.30
  • abstraction layer query converts int values to string (thanks dgadmin)
  • CaseInsensitiveDictWithAlias doesn’t raise an exception anymore if alias is set multiple times to the same key
  • friendly names in AttrDef are properly managed when performing commits in Writer cursors
  • no more errors when server returns an empty schema (thanks Glen)
  • range attributes in entries are properly recognized when auto_range is False
  • fixed random errors in auto_range searches (thanks James)
  • fixed checking of malformed schema
  • added configuration parameter IGNORE_MALFORMED_SCHEMA to not raise exception for servers that don’t follow the LDAP RFCs (defaults to False)
  • test config moved to test/
  • testcase_id generated randomly for each test
  • added ATTRIBUTES_EXCLUDED_FROM_OBJECT_DEF parameter to exclude some attributes from automatic population of ObjectDef in Abstract Layer (helpful for AD)
  • added IGNORED_MANDATORY_ATTRIBUTES_IN_OBJECT_DEF parameter to exclude some attributes from mandatory attribute list in ObjectDef in Abstract Layer (helpful for AD)
  • fixed error when using implicit assigning in WritableEntry
  • added LDAPInvalidValueError Exception
  • in Python 3 byte filter are converted to unicode before parsing
  • to_unicode(value, encoding=None, additional_encodings=False) now checks for additional encodings in ADDITIONAL_ENCODINGS list if additional_encodings is set to True
  • Reusable strategy uses not lazy Restartable connections
  • Reusable strategy doesn’t keep requesting the schema
  • connection pool size in Reusable strategy defaults to 5
  • optimized usage of configuration parameters
# 2.2.2 - 2017.03.17
  • PLAIN mechanism added to SASL authentication (thanks Janusz)
  • added RESULT_RESERVED return code (thanks Rak)
  • added RESPONSE_DN_ENCODING in config for flaky servers that return non utf-8 encoded DN. Set it to a list of encodings to sequentially try for decoding DNs.
  • removed StopIteration in generators (deprecated by PEP 479)
  • fixed a bug when converting AD datetimes on Windows systems
  • added compatibility with pyasn1 0.2.3
  • fixed NTLM authentication with pyasn1 0.2.3
  • fixed an error when installing via executable on Windows (thanks TrumSteven)
  • added ‘raw_dn’ key in search response dictionary. It contains the DN byte value returned for DN by the server
  • attributes with “;binary” tag can now be retrieved in abstraction layer with the usual entry.attribute syntax
  • updated tests for OpenLDAP
  • fixed error in add/remove extend operation for case mismatch in user or group dn
  • integer validator now automatically converts valid string numbers to int
  • invalid timezones are checked when validating Generalized Time Format
  • added test cases for validators
# 2.2.1 - 2017.02.12
  • tested against pyasn1 0.2.2 (thanks Ilya)
  • get_response() has an optional new parameter “get_request” to return the request too, helpful in asynchronous strategies
  • connection.request, connection.response and connection result are now properly blanked in async strategies
  • ldap3.utils.dn.safe_dn() now checks for AD names only if no equal sign is present in the dn
  • abstraction layer properly works with asynchronous strategies
  • added a named tuple “Operation” used to store the request, result and response of an LDAP operation in Cursor history
  • cursors in the Abstraction Layer keep history of executed LDAP operations for the last Cursor operation in the cursor.operation property
  • Cursors in the Abstraction Layer keep history of errors for the last Cursor operation in the cursor.errors property
  • if any error has occurred in the last operation of a Cursor the cursor.failed property is set to True
  • added a named tuple “Operation” for storing request, result and response of an LDAP operation in Cursor history
  • Cursor honours raise_exception parameter of the Connection.
  • Cursor commit() returns True if operations are successful and False if not. All pending commits are executed even if some fail
  • new entries that have no additional mandatory attributes other than those defined in dn are properly managed in Writers (thanks Matt)
  • CaseInsensitiveDict now properly strips blanks from keys
  • updated hashing algorithm SHA to SHA1 (thanks Satoh)
  • added match_dn(dn) to Cursor for matching entries with specified text in DN
  • added match(attributes, value) for matching entries with specified value in one or more attribute values. It checks values and raw_values
  • Cursors have simple match capability. When key is a string Cursor tries to match it against the DN of entries found.
# 2.2.0 - 2017.01.16
  • tested against Python 3.6.0, Python 2.7.13 and Python 2.6.6
  • updated docs regarding search response attributes (thanks James)
  • fixed LDIF representation for operation_to_ldif (thanks m7four)
  • fixed rebind for pooled connections
  • fixed custom sort order in LDIF representation of entry
  • added Active Directory GUID syntax for safe_dn() (thanks dinhngtu)
  • added pre-post read control (thanks Elizabeth)
  • added add_members_to_groups in microsoft.extend namespace for Active Directory
  • added remove_members_to_groups in microsoft.extend namespace for Active Directory
  • refactored internal and extend.novell structures
  • fixed auto_escape for extended characters (thanks asand3r)
  • validators now transform the Python value to a valid LDAP value when appropriate (thanks Sjd-Risca)
  • added validator for boolean types
  • added validator for date types
  • fixed representation of binary data in Abstraction Layer for Python 2
  • added auto_encode parameter to Connection object (defaults to True)
  • limited auto_escape feature only to filter values
  • escape_filter_chars doesn’t try anymore to guess if the value is already escaped.
  • added ldap3.conv.is_filter_safe() (thanks Robert)
  • added auto_escape parameter to override connection auto_escape behaviour (defaults to None)
  • auto_escape is not applied to filter value if already escaped
  • automatically encode output to stdout encoding for repr() and str() (for printing and logging attributes values).
  • binary data are converted to a hex values string in repr() and str() (for printing and logging attributes values).
  • auto_encoding is performed only for well known attribute types that use Unicode format in LDAP
  • CLASSES_EXCLUDED_FROM_CHECK and ATTRIBUTES_EXCLUDED_FROM_CHECK moved to ldap3.utils.config and made available via get_config_parameter()
  • added UTF8_ENCODED_SYNTAXES in ldap3.config.utils and made available via get_config_parameter()
  • added UTF8_ENCODED_TYPES in ldap3.config.utils and made available via get_config_parameter()
  • config parameters made available only via get_config_parameters()
  • removed to_bytes() and check_escape() from ldap3.utils.conv (ambiguous functions)
  • added connection.request to MockSync (thanks Fabian)
  • tags are properly managed in add, compare and modify requests (thanks guidow)
  • in Mock strategies single-valued attributes are properly managed
  • in Mock strategies attributes type names are properly managed
  • implemented extended operation machinery in MockBase
  • implemented WhoAmI [RFC4532] in Mock strategies
  • implemented GetBindDn [NOVELL] in Mock strategies
  • implemented operational attributes machinery in MockBase
  • implemented entryDN [RFC5020] operational attribute in MockBase
  • Sphinx updated to 1.5.1
# 2.1.1 - 2016.11.18
  • Mock strategy uses case insensitive matching when appropriate
  • fixed error when adding a virtual attribute in the abstract Entry object
  • fixed error messages in Entry moving and renaming
  • Reverted default connection strategy to SYNC (thanks Mauro)
  • Fixed tutorials (thanks Mauro)
  • Fixed checking of schema in ObjectDef (thanks Pierre)
  • Fixed checking of stdin in config (thanks Oleg)
  • fixed commit of entry with async strategies
  • fixed reading of entries in async strategies
  • added cipher argument to Tls (thanks Nicolas)
  • fixed bug when using the abstraction layer with lazy connections
  • fixed case matching while adding new entry in Writer cursor (thanks t0neg)
  • disabled auto_escape for byte values
  • fixed auto_escape for python 2
  • fixed tutorials (thanks Ivano)
# 2.1.0 - 2016.11.03
  • changed default Connection strategy from SYNC to RESTARTABLE
  • enable automatic escaping of assertion values
  • fixed decoding error with check_name=False
  • added auto_escape parameter in connection, for trying automatic filter and attribute values escape
  • fixed checking of schema in MockBase
  • SASLBindInProgress doesn’t raise an exception anymore with raise_exceptions=True
  • standard formatters are applied in mocking strategies when searching for exact match
# 2.0.9 - 2016.10.28
  • removed sanitization of DN in bind operation because some servers accept non standard DN for Simple Bind
# 2.0.8 - 2016.10.28
  • included referral caching (thanks TWAC)
# 2.0.7 - 2016.10.27
  • changed signature of ldap3.abstract.Reader object
  • removed search_size_limit(), search_time_limit() and search_types_only in the Reader cursor
  • fixed SASL in progress error (thanks Styleex)
  • fixed ALL_ATTRIBUTES in MOCK_SYNC strategy (thanks Belgarion)
  • Incorrect attribute type error message now includes the name of the attribute (Thanks Andrej)
  • relaxed dn checking for Active Directory UserPrincipalName
  • relaxed dn checking for Active Directory SamAccountName
  • added checking of attribute name in add, compare and search operations
  • added checking of class name in add operation
  • renamed exception LDAPTypeError to LDAPAttributeError
  • in sync strategies LDAP operations populate the last_error attribute of the connection in case of not RESULT_SUCCESS
  • connection.return_empty_attributes defaults to True
  • escaped filter by default
  • fixed escaping of filter
  • add move and rename to abstraction layer entry
  • ldap3 namespace decluttered
  • RESULT_CODES moved to ldap3.core.results
  • compatibility constants removed
  • exceptions removed from ldap3 namespace, defined in ldap3.core.exceptions only
  • ADDRESS_INFO_REFRESH_TIME is now configurable via set_config_parameter
  • Operational attribute prefix set to ‘OA_’
  • Allows cert and key file in the same file (thanks Jan-Philip)
  • Removed logging info when logging is disabled (thanks Dan)
  • Updated copyright notice
  • Refactored abstraction layer with full support for CRUD (Create, Read, Update, Delete) abstract operations
  • Added WritableEntry and WritableAttribute to abstraction layer
  • Added standard validators for attribute types and syntaxes defined in the standard LDAP schema
  • Added custom validators for attribute values
  • Added update capability to abstraction layer
  • Fixed typo in docs (thanks Gerardwx)
  • Fixed Object and Attribute representation in schema (superior class not shown)
  • ObjectDef automatically populates attributes from schema, following object_class hierarchy
  • Added attributes parameter to search* methods of Cursor, so that only needed attributes are read even if attr_defs defines more
  • Fixed connect_timeout not honored while wrapping socket in tls (thanks Kyle)
  • Added ‘set’ to SEQUENCE_TYPES (thanks Christian)
  • Entries returned by search are now writable via the abstraction layer
  • LDAPReaderError exception renamed to LDAPCursorError
  • auto_range parameter in Connection defaults to True (thanks Ashley)
  • get_info defaults to SCHEMA while defining Server object
  • Included ordereddict 1.1 (# Copyright (c) 2009 Raymond Hettinger) in ldap3.utils.ordDict for backporting OrderedDict in Python 2.6
  • Added config parameter RESET_AVAILABILITY_TIMEOUT to reinsert invalid address in candidate_addresses while checking connection, defaults to 5 seconds
  • Fixed inability to connect to a server if the connection starts when the server is unavailable and then it becomes available again
  • All DNs are sanitized if connection.check_names is True
  • LDAPControlsError exception renamed to LDAPControlError
  • LDAPChangesError exception renamed to LDAPChangeError
  • The following older constants in ldap3 have been removed, please use the suggested ones:
# 1.4.0 - 2016.07.18
  • Multiple Mock strategies now share entries when using the same Server object
  • Added AsyncStreamStrategy
  • Added Connection.extend.standard.persistent_search() (Thanks martinrm77)
  • Added escaping of character > 0x7F in filter validation (thanks cfelder)
  • Added better descriptions of Exception in abstraction layer (thanks cfelder)
  • Added queue in Persistent Search
  • Added callback in Persistent Search
  • MockStrategy now honors raise_exception parameter (thanks Simon)
# 1.3.3 - 2016.07.03
  • Changed parameter name from ‘check’ to ‘fix’ in connection.extend.novell.add_members_to_groups() and connection.extend.novell.remove_members_from_groups
  • Added connection.extend.novell.check_groups_memberships() that checks if members are in groups and fixes the user-group relation if incorrect
  • Updated docs link to
  • Fixed error in utils.conv.check_escape (thanks Anjuta)
  • Fixed typo in when IP_V4_PREFERRED is used (thanks eva8668)
  • Host name certificate matching exception and logging is much more informative (thanks eddie-dunn)
  • Fixed typo in docs for use_ssl (thanks Brooks Kindle)
  • Tested against Python 2.6., Python 2.7.12, Python 3.5.2 and PyPy 5.3.1
# 1.3.2 - 2016.07.01
  • unreleased on pypi
# 1.3.1 - 2016.05.11
  • Added support for mocking the ldap3 library
  • Added support for MockSync strategy (thanks Roxana)
  • Added checked_attributes=True parameter to connection.response_to_json()
  • Added checked_attributes=True parameter to entry.entry_to_json()
  • MockSyncBase strategy supports bind(), unbind(), delete(), compare(), modify(), modify_dn(), abandon(), add()
  • MockSyncBase strategy accepts directory entries in json file
  • Fixed schema representation (thanks Conrado)
  • Allow connection.abandon(0), useful to “ping” the server
  • Added connection.abandon() test suite
  • Reusable strategy checks bind credential at bind() time, only on one worker connection
  • Reusable strategy ignores abandon() operation because of multiple connection workers
  • Reusable strategy honours return_empty_attributes connection parameter
  • Added lazy information to connection representation
  • Added support for hash (LM:NTLM) Windows NTLM authentication (thanks Dirk)
  • Fixed representation of empty attributes in connection.entries
  • Comparison of entry attributes value is easier
  • Added new extended operation connection.extend.novell.start_transaction()
  • Added new extended operation connection.extend.novell.end_transaction()
  • Added new extended operation connection.extend.novell.add_members_to_groups(members, groups, check, transaction)
  • Added new extended operation connection.extend.novell.remove_members_from_groups(members, groups, check, transaction)
  • Added new exception LDAPTransactionError
  • Added logic to handle Novell Transaction Error Unsolicited Notice
  • Ignore checking of ssl context when cadata, cafile and capath are not provided (thanks DelboyJan)
# 1.2.2 - 2016.03.23
  • repr encoding set to ‘ascii’ when sys.stdout.encoding is None (thanks Jeff)
# 1.2.1 - 2016.03.19
  • try to use the requested ssl protocol in SSLContext for Python>=3.4 (thanks Patrick)
  • added return_empty_attributes to Connection object to return an empty list when the attribute requested is missing in the retrieved object
# 1.1.2 - 2016.03.10
  • Added rebind() method to Connection object to rebind with a different user (thanks Lorenzo)
  • Added Tests for rebind operation
  • Start_tls honored in referrals
  • Default ldaps port honored in referrals
  • Additional connection parameters honored in referrals and in the restartable strategy
  • Server connection timeout is honored while connecting, connection receive timeout while receiving
  • Extended operations followed on referrals (thanks Pavel)
  • Added receive_timeout parameter in Connection object to set socket in non-blocking mode with a specified timeout (thanks Antho)
  • Fixed abstract entry __getattr__() throwing KeyError instead of AttributeError (thanks Kilroy)
  • Fixed start_tls() Reusable strategy
# 1.0.4 - 2016.01.25
  • Controls can be added to extended operation in the extend package (thanks Hinel)
# 1.0.3 - 2015.12.1
  • Fixed set_config_parameter (thanks Sigmunau)
  • Disabled unauthenticated authentication, see RFC 4513 section 5.1.2 (thanks Petros)
  • Fixed falsey value in abstract Entry object __contains__() (thanks Vampouille)
# 1.0.2 - 2015.12.07
  • Allowed_referral_hosts in Server objects defaults to [(‘*’, True)] to accept any referral server with authentication
  • Referral uri is now properly percent-undecoded (thanks TWAC)
  • Referral Server object now uses the same configuration of the original Server object
  • Fixed __contains__() in Entry object (thanks Vampouille)
# 1.0.1 - 2015.12.06
  • Removed the compat package
  • Refactored docs for extend operations
# 1.0.0 - 2015.12.06
  • Private RC for production
  • Status moved to 5 - Production/Stable
# - 2015.12.02
  • Added items() to CaseInsensitiveDict class (thanks Jan-Hendrik)
  • Added set_config_parameter() in ldap3 namespace to modify the values of the configurable parameters of ldap3
  • Added microsoft.extend.modify_password() extended operation to change AD password
  • Fixed find_active_random_server() in pooling (thanks Sargul)
  • Fixed referral decoding in fast ber decoder (thanks TWAC)
# - 2015.11.15
  • Added LDAPI (LDAP over IPC) support for unix socket communication
  • Added mandatory_in and optional_in in server schema for attribute types. Now you can see in which classes attributes are used
  • Added last_transmitted_time and last_received_time to Usage object to track time of the last sent and received operation
  • Exception SessionTerminatedByServer renamed to SessionTerminatedByServerError and added to ldap3 namespace
  • Added get_config_parameter() in ldap3 namespace to read the current value of ldap3 configurable parameters
  • Added SASL mechanism name as constants in the ldap3 namespace
  • Added escape_filter_chars in utils.conv (thanks Peter)
  • Reverted ALL_ATTRIBUTES behaviour in search to (thanks Petros)
# - 2015.10.19
  • Fixed hasattr() behaviour for Entry object in Python 3
  • Allows empty sasl_credentials in SASL bind
  • Added POOLING_LOOP_TIMEOUT constant to specify how many seconds the server pooling strategy has to wait before retrying if it did not find an active server (defaults to 10)
  • Pooling strategy now allows to specify the number of cycles to try when finding a server (with active=N)
  • Pooling strategy now allows to specify how many seconds a server must be considered offline before retrying to check for availability (with exhaust=N)
  • Connection.entries defaults to empty list
  • ALL_ATTRIBUTES don’t send any attribute in the attribute list (was sending ‘*’) while searching
  • Added DirSync extended function for Microsoft Active Directory
  • Added LDAP_SERVER_DIRSYNC_OID control for Microsoft Active Directory
  • Added LDAP_SERVER_EXTENDED_DN_OID control for Microsoft Active Directory
  • Added LDAP_SERVER_SHOW_DELETED_OID control for Microsoft Active Directory
  • Fixed AD tests for single valued attributes
  • Added ACL attribute in the ATTRIBUTES_EXCLUDED_FROM_CHECK list
# - 2015.09.21
  • Allows empty member values in groups while adding - this should not be as per rfc4511 4.1.7, but some servers expect it (thanks John)
  • Faster case insensitive dict while getting and setting key (thanks Pierre)
  • Updated setuptools to 18.3.2
  • Updated wheel to 0.26
  • Tested against Python 2.6 - Python 2.7 - Python 3.3 - Python 3.4 - Python 3.5 - pypy - pypy3
# 0.9.9 - 2015.09.09
  • Fixed boolean value for True value in ASN.1 encoding for certain ldap servers. (thanks Will)
  • Fixed follow auto referrals. (thanks Will)
  • Now protocol defined integer values can be used for scope and derefAliases arguments when searching. (thanks Will)
  • Added description field in the AttrDef object. (thanks Hogne)
  • Added a custom ber decoder. Decoding of received packets is now 10x faster.
  • Added new boolean argument fast_decoder in connection object. Defaults to True.
  • Highest date correctly managed by the format_ad_timestamp() formatter. (thanks Will)
  • Fix for latest gssapi kerberos authentication module (thanks Alex)
  • Added freeIPA OID descriptors
  • Removed unneeded OidInfo class
# - 2015.08.14
  • Coerce objectClass to a list in Add operation. (thanks Yutaka)
  • ObjectClass attribute values maintain their order in the Add operation. (thanks Yutaka)
  • Fixed search filter composition when the value part of the assertion contains = character. (thanks Eero)
  • Fixed modify_password extended operation when no hash method is specified. (thanks midnightlynx)
  • Added credentials to kerberos authentication. (thanks Alex)
  • Target name can be specified in sasl_credentials for Kerberos authentication. (thanks Alex)
  • Target name can be read from DNS in sasl_credential for Kerberos authentication. (thanks Alex)
  • Fixed connection.entries error when referrals are in the search response. (thanks Will)
# - 2015.07.19
  • Backported ssl.match_hostname from Python 3.4.3 standard library to be used in Python < 2.7.10
  • Use backports.ssl_match_hostname if present instead of static backported functions for matching server names in ssl certificate (thanks Michal)
  • Attributes values are properly printed when not strings in abstract.attribute (thanks hogneh)
  • Checking unicode __repr__() in python2
  • Added hashing capability to Modify Password extended operation (thanks Gawain)
# - 2015.06.30
  • Modify operation now accepts multiple changes for same attribute (Thanks Lorenzo)
  • Fixed entries property in connection when objects from multiple object classes are returned
  • Hide sensitive data in logging. Use the utils.log.set_library_hide_sensitive_data(False) to show sensitive data and utils.log.get_library_hide_sensitive_data() to get the current value
  • Limited number of characters in a single log line. Use the utils.log.set_library_log_max_line_length(length) to set and utils.log.get_library_log_max_line_length(length) to get the current value
  • Added CHANGES.txt with full changelog, latest changes only in README.txt
# - 2015.06.24
  • Updated pyasn1 to 0.1.8
  • Fixed error in not filter with pyasn1 0.1.8
# - 2015.06.23
  • Updated docs with ldap operations pages
  • Fixed a bug where an Exception was raised on OpenBSD for missing IPV4_MAPPED flag
  • Fixed missing add operation usage metrics
  • Abstract Attribute doesn’t permit “falsy” values or None as default (thanks Lucas)
# - 2015.05.19
  • Added EXTENDED log detail level with prettyPrint description of ldap messages
  • Fixed logging of IPv6 address description
  • Fixed checking of open address when dns returns more than one ip for the same host
  • Fixed selection of proper address when failing back from IPv6 to IPv4 and vice-versa
  • When sending controls controlValue is now optional (as stated in RFC 4511), specify None to not send it
  • Moved badges to
# - 2015.05.11
  • Added support for logging
  • Added LDAPInvalidTlsSpecificationError exception
  • Added support for kerberos sasl - needs the gssapi package (thanks sigmaris and pefoley2)
  • Added support for using generator objects in ldap operations (thanks Matt)
  • Fixed bug in collect_usage (thanks Philippe)
  • Changed default server mode from IP_SYSTEM_DEFAULT to IP_V6_PREFERRED
# - 2015.04.08
  • SaslCred returned as raw bytes (thanks Peter)
  • Search_paged now properly works in abstract.reader (thanks wazboy)
# - 2015.04.04
  • Added NTLMv2 authentication method
  • extend.standard.who_am_i() now tries to decode the authzid as unicode
  • Tests for AD (Active Directory) now use tls_before_bind when opening a connection
  • 0.9.8 not working for pypi problems
# - 2015.03.18
  • Fixed missing optional authzid in digestMD5 sasl mechanism (thanks Damiano)
  • Changed unneeded classmethods to staticmethods
# - 2015.03.12
  • Fixed address_info resolution on systems without the IPV4MAPPED flag (thanks Andryi)
# - 2015.02.28
  • Fixed bug in PagedSearch when server has a hard limit on the number of entries returned (thanks Reimar)
  • not working for pypi problems
  • not working for pypi problems
  • not working for pypi problems
  • not working for pypi problems
# - 2015.02.20
  • Fixed exception raised when opening a connection to a server. If there is only one candidate address and there is an error it returns the specific Exception, not a generic LDAPException error
  • Address_info filters out any impossible address to reach
  • Address_info includes an IPV4MAPPED address for IPV6 hosts that try to reach an IPV4 only server
  • Added SyncMock strategy (needs the sldap3 package)
  • Fixed bug when using the approximation operation in ldap search operations (thanks Laurent)
  • Removed response from exception raised with raise_exceptions=True to avoid very long exceptions message
# - 2015.02.02
  • Added connection.entries property for storing response from search operations as an abstract.Entry collection.
# - 2015.01.25
  • Modify operation type can also be passed as integer
# - 2015.01.16
  • Fixed a bug when resolving IP address with getaddrinfo(). On OSX it returned a UDP connection (thanks Hiroshi).
# - 2015.01.05
  • Moved to Github
  • Moved to Travis-CI for continuous integration
  • Moved to ReadTheDocs for documentation
  • Moved testing servers in the cloud, to allow testing from Travis-CI
  • Project renamed from python3-ldap to ldap3 to avoid name clashing with the existing python-ldap library
  • Constant values in ldap3 are now strings. This is helpful in testing and debugging
  • Test suite fully refactored to be used in cloud lab and local development lab
  • Test suite includes options for testing against eDirectory, Active Directory and OpenLDAP
# 0.9.7 - 2014.12.17
  • Fixed bug for auto_range used in paged search
  • Added dual IP stack mode parameter in Server object, values are: IP_SYSTEM_DEFAULT, IP_V4_ONLY, IP_V4_PREFERRED, IP_V6_ONLY, IP_V6_PREFERRED
  • Added read_server_info parameter to bind() and start_tls() to avoid multiple schema and info read operations with auto_bind
  • Redesigned Reusable (pooled) strategy
  • Added LDAPResponseTimeoutError exception raised when get_response() doesn’t receive any response in the allowed timeout period
  • Added shortened authentication parameters in ldap3 namespace: ANONYMOUS, SIMPLE, SASL
  • Added shortened scope parameters in ldap3 namespace: BASE, LEVEL, SUBTREE
  • Added shortened get_info parameters in ldap3 namespace: NONE, DSA, SCHEMA, ALL
  • Added shortened alias dereferencing parameters in ldap3 namespace: DEREF_NONE, DEREF_SEARCH, DEREF_BASE, DEREF_ALWAYS
  • Added shortened connection strategy parameters in ldap3 namespace: SYNC, ASYNC, LDIF, RESTARTABLE, REUSABLE
  • Added shortened pooling strategy parameters in ldap3 namespace: FIRST, ROUND_ROBIN, RANDOM
  • Added reentrant lock to avoid race conditions in the Connection object
  • Uses SSLContext when running in Python 2.7.9
  • Tested against Python 2.7.9, PyPy 2.4.0 and PyPy3 2.4.0
  • setuptools updated to 8.2.1
# - 2014.11.17
  • Changed SESSION_TERMINATED_BY_SERVER from 0 to -2
  • Removed unneeded FORMAT_xxx variables in ldap3 namespace
  • Fixed bug in auto_range when search operation returns search continuations
  • Added infrastructure for Mock DSA (not functional yet)
# - 2014.11.11
  • Added boolean parameter “auto_range” to catch the “range” ldap tag in searches. When true all needed search operations are made to fully obtain the whole range of result values
  • Fixed bug in sdist
  • Added offline schema for Fedora 389 Directory Server 1.3.3
  • Fixed bug while reading DSA info
# 0.9.6 - 2014.11.01
  • New feature ‘offline schema’ to let the client have knowledge of schema and DSA info even if not returned by the server
  • Offline schema for Novell eDirectory 8.8.8
  • Offline schema for Microsoft Active Directory 2012 R2
  • Offline schema for slapd 2.4 (Openldap)
  • Added and to JSON serialize schema and info from Server object
  • Added Server.from_json() and Server.from_file() to create a Server object from a JSON definition
  • Added response_to_json() and response_to_file() to Connection object to serialize search response entries in JSON as a string or as a file
  • New exception hierarchy LDAPConfigurationError includes library configuration exceptions
  • New exception LDAPInvalidConfigurationDefinitionError
  • Dsa info and schema are not read twice when binding (thanks phobie)
  • LDAPStartTLSError exception is merged with exception raised from ssl package
  • Digest-MD5 SASL authentication accepts directives with list attributes (thanks John)
  • Fixed caseInsensitiveDictionary for keys() and values() methods
  • Fixed matching of certificate name in ssl with Python2
  • Attributes names and formatters are checked even if schema is not read by the server
  • Fixed fractional time when parsing generalized time
  • Specific decoder for Active Directory ObjectGuid and ObjectSid
  • Added additional checking for unicode in Python 2
  • Tested against Python 3.4.2, 2.7.8, 2.6.6
  • Updated setuptools to 7.0
# - 2014.09.22
  • Fixed security issue in lazy connections (thanks Moritz)
  • Added ldap3.utils.dn with parse_dn(dn) to verify dn compliance with RFC4514
  • Added safe_dn(dn) to properly escape dn (if possible)
  • Added ldap3.utils.uri with parse_uri(uri) to verify uri compliance with RFC4516
  • Check for trailing slashes in hostname (thanks Dylan)
  • Timeout for socket connect operation. Server.connect_timeout = seconds_to_wait_for_establishing_connection (thanks Florian)
  • Closing socket error doesn’t raise exception anymore
  • ServerPool can be implicitly defined with a list of server names (even when defining a connection)
# - 2014.08.24
  • elements returned in schema and dsa info are in a case insensitive dictionary (can be changed in ldap3.CASE_INSENSITIVE_SCHEMA_NAMES = True|False)
  • attributes name returned in searches are now case insensitive (can be changed in ldap3.CASE_INSENSITIVE_ATTRIBUTE_NAMES = True|False)
  • change parameter name from separe_rdn to separate_rdn in ldap3.utils.conv.to_dn()
  • sync dev from Bitbucket to GitHub
  • schema attributes are explicitly read (useful for Active directory and 389 Directory Server)
  • new extended operation: list_replicas (Novell)
  • new extended operation: get_replica_info (Novell)
  • new extended operation: partition_entry_count (Novell)
  • renamed convert_to_ldif() to _convert_to_ldif()
# - 2014.08.05
  • fixed LDAPOperationResult.__str__ (thanks David)
  • added to_dn() in utils.conv to convert a dn string to a list of components (strings or tuples)
  • added __version__ in ldap3
  • don’t raise exception if the schema cannot be read in unauthenticated state
  • server.address_info is now a property
# - 2014.08.02
  • getaddrinfo called only once
  • real_server machinery removed - messageId is now global and monotonic for the whole library
  • attributes are returned formatted if schema is read and check_names = True, removed checked_attributes
  • bind result is populated again when successful (was removed in
  • exception is now raised if you receive multiple extended response to a single extended request. This is not allowed by RFC 4511
# 0.9.5 - 2014.07.22
  • added support for IPv6 (thanks Robert)
  • auto_bind can be used even for establishing tls, possible values (defined in ldap3) are: AUTO_BIND_NONE, AUTO_BIND_NO_TLS, AUTO_BIND_TLS_AFTER_BIND, AUTO_BIND_TLS_BEFORE_BIND
  • refactored extend package to use classes
  • new extended operation: get_universal_password (Novell)
  • new extended operation: set_universal_password (Novell)
  • added parsing of hostname in scheme://hostname:hostport format. This has the precedence on the parameters (thanks Sorin)
  • added extra checks when the schema is read (with the get_info parameter) but nothing is returned by the server
  • updated setuptools to version 5.4.1
  • when check_name is True and schema is read attributes are checked and formatted in “checked_attributes” as specified by RFCs following the server schema
  • added formatter for generalizedTime syntax as specified in RFC4517 (ASN.1)
  • custom formatter can be added in Server definition
# - 2014.07.03
  • Moved to Bitbucket + Mercurial
  • Fixed import in core.tls package
  • Removed unneeded imports
# - 2014.07.02
  • included missing extend package (thanks to debnet)
# 0.9.4 - 2014.07.02
  • when running in python 3.4 or newer now Tls class uses SSLContext object with default secure setting
  • added parameters ca_certs_path, ca_certs_data, local_private_key_password to Tls object creation, valid when using SSLContext
  • in python 3.4 or newer the system CA certificates configuration can be used (just leave ca_cert_file, ca_certs_path and ca_certs_data set to None)
  • removed TLSv1 as default for Tls connection
  • upgraded backported ssl function from python 3.4.1 when using with python 2
  • when creating a connection the server parameter can be a string: the name of the server to connect in cleartext on default port 389
  • fixed bug in ldap3.util.conv.escape_bytes()
  • attributes parameter in search can be a tuple
  • check_names parameter in connection now defaults to True (so when schema info is available attribute and class name will be checked when performing LDAP operations)
  • remove the connection.close() method - use connection.unbind()
  • new exception LDAPExtensionError for signalling when the requestValue of extended operation is of an unknown ASN1 type
  • exiting connection manager doesn’t raise an exception if unbind is not successful (needed in long operations)
  • new extended operation: modify_password (RFC3062)
  • new extended operation: who_am_i (RFC4532)
  • new extended operation: get_bind_dn (Novell)
  • updated setuptools to version 5.3
# - 2014.06.22
  • Exception history in restartable strategy is printed when the maximum number of retries is reached
  • Fixed conditions on terminated_by_server unsolicited message
  • Added python2.6 egg installation package
# - 2014.06.16
  • Exception can now be imported from ldap3 package
  • Escape_bytes return ‘’ for empty string instead of None (thanks Brian)
  • Added exception history to restartable connection (not for infinite retries)
  • Fixed start_tls retrying in restartable connection (thanks Brian)
  • New exception LDAPMaximumRetriesError for signalling when the SyncRestartable Strategy has reached the maximum number of retries while performing an operation
  • Inverted deleteoldrdn value in LDIF output (thanks Joseph)
# - 2014.06.01
  • Fixed a bug in LDIFProducer when using context manager for connection
  • LDIF header in stream is added only when there is actual data in the stream
  • Now LDIF stream can be added to an existing file - version header will not be written if stream is not empty
# - 2014.05.30
  • Fixed a bug while reading schema
  • Add an implicit open() when trying binding on a closed connection
# - 2014.05.28
  • Added stream capability to LDIFProducer strategy
  • Customizable line separator for LDIF output
  • Customizable sorting order for LDIF output
  • object_class parameter is now optional in connection.add()
  • Fixed objectClass attribute case sensitive dependency in add operation
  • Added stream capability to response_to_ldif() while searching
# 0.9.3 - 2014.05.20
  • Now the key in server.schema.attribute_type is the attribute name (was the oid)
  • Now the key in server.schema.object_classes is the class name (was the oid)
  • Added check_names to Connection definition to have name of attributes and of object class checked against the schema
  • Updated setuptools to 3.6
  • Added wheel installation format
  • Added raise_exceptions mode for connection
  • Exception hierarchy reworked
  • Added locking to Server object (for multithreading)
# - 2014.04.30
  • fixed a bug from 0.9.1 that broke start_tls() (thanks Mark)
# - 2014.04.28
  • fixed a bug in 0.9.2 that allowed only string attributes in add, modify and compare operations (thanks Mladen)
# 0.9.2 - 2014.04.26
  • changed return value in get_response from response to (response, result) - helpful for multi-threaded connections
  • added ReusableStrategy for pooling connections
  • refined docstrings (thanks Will)
  • result and response attributes don’t overlap anymore. Operation result is only in result attribute.
  • fixed search for binary values (thanks Marcin)
  • added convenience function to convert bytes to LDAP binary value string format for search filter
# 0.9.1 - 2014.03.30
  • added laziness flag to test suite
  • changed ServerPool signature to accept active and exhaust parameters
  • removed unneeded start_listen parameter
  • added ‘lazy’ parameter to open, to bind and to unbind a connection only when an effective operation is performed
  • fixed start_tls in SyncWaitRestartable strategy
  • fixed certificate name checking while opening an ssl connection
  • fixed syntax error during installation
  • socket operations now raise proper exceptions, not generic LDAPException (thanks Joseph)
  • tested against Python 3.4, 3.3, 2.7, 2.6
  • updated setuptools to 3.3
# 0.9.0 - 2014.03.20
  • PEP8 compliance
  • added ldap3.compat package with older (non PEP8 compliant) signatures
  • renamed ldap3.abstraction to ldap3.abstract
  • moved, and files to ldap3.core
  • fixed SyncWaitRestartableStrategy (thanks Christoph)
# 0.8.3 - 2014.03.08
  • added SyncWaitRestartable strategy
  • removed useless forceBind parameter
  • usage statistics updated with restartable success/failure counters and open/closed/wrapped socket counters
# 0.8.2 - 2014.03.04
  • Added refresh() method to Entry object to read again the attributes from the Reader in the abstraction layer
  • Fixed Python 2.6 issues
  • Fixed test suite for Python 2.6
# 0.8.1 - 2014.02.12
  • Changed exceptions returned by the library to LDAPException, a subclass of Exception.
  • Fixed documentation typos
# 0.8.0 - 2014.02.08
  • Added abstraction layer (for searching, read only)
  • Added context manager to Connection class
  • Added readOnly parameter to Connection class
  • Fixed a bug in search with ‘less than’ parameter
  • Remove validation of available SSL protocols because different Python interpreters can use different ssl packages
# 0.7.3 - 2014.01.05
  • Added SASL DIGEST-MD5 support
  • Moved to intrapackage (relative) imports
# 0.7.2 - 2013.12.30
  • Fixed a bug when parentheses are used in search filter as ASCII escaped sequences
# 0.7.1 - 2013.12.21
  • Completed support for LDIF as per RFC2849
  • Added new LDIF_PRODUCER strategy to generate LDIF-CHANGE stream
  • Fixed a bug in the autoReferral feature when controls were used in operation
# 0.7.0 - 2013.12.12
  • Added support for LDIF as per RFC2849
  • Added LDIF-CONTENT compliant search responses
  • Added exception when using autoBind if connection is not successful
# 0.6.7 - 2013.12.03
  • Fixed exception when DSA is not willing to return rootDSE and schema info
# 0.6.6 - 2013.11.13
  • Added parameters to test suite
# 0.6.5 - 2013.11.05
  • Modified rawAttributes decoding, now null (empty) values are returned
# 0.6.4 - 2013.10.16
  • Added simple paged search as per RFC2696
  • Controls return values are decoded and stored in result attribute of connection
# 0.6.3 - 2013.10.07
  • Added Extensible Filter syntax to search filter
  • Fixed exception while closing connection in AsyncThreaded strategy
# 0.6.2 - 2013.10.01
  • Fix for referrals in searchRefResult
  • Disabled schema reading on Active Directory
# 0.6.1 - 2013.09.22
  • Experimental support for Python 2 - no unicode
  • Added backport of ssl.match_name for Python 2
  • Minor fixes for using the client in Python 2
  • Fix for getting schema info with AsyncThreaded strategy
# 0.6.0 - 2013.09.16
  • Moved to beta!
  • Added support site hosted on
  • Added public svn repository on
  • Added getInfo to server object, parameter can be: GET_NO_INFO, GET_DSA_INFO, GET_SCHEMA_INFO, GET_ALL_INFO
  • Added method to read the schema from the server. Schema is decoded and returned in different dictionaries of the server.schema object
  • Updated connection usage info (elapsed time is now computed when connection is closed)
  • Updated OID dictionary with extensions and controls from Active Directory specifications.
# 0.5.3 - 2013.09.03
  • Added getOperationalAttributes boolean to Search operation to fetch the operational attributes during search
  • Added increment operation to modify operation as per RFC4525
  • Added dictionary of OID descriptions (for DSE and schema decoding)
  • Added method to get Info from DSE (returned in object)
  • Modified exceptions for sending controls in LDAP request
  • Added connection usage (in connection.usage if collectUsage=True in connection definition)
  • Fixed StartTls in asynchronous client strategy
# 0.5.2 - 2013.08.27
  • Added SASLprep profile for validating password
  • Fixed RFC4511 asn1 definitions
# 0.5.1 - 2013.08.17
  • Refactored package structure
  • Project description reformatted with reStructuredText
  • Added Windows graphical installation
# 0.5.0 - 2013.08.15
  • Added reference to LGPL v3 license
  • Added Tls object to hold ssl/tls configuration
  • Added StartTLS feature
  • Added SASL feature
  • Added SASL EXTERNAL mechanism
  • Fixed Unbind
  • connection.close is now an alias for connection.unbind
# 0.4.4 - 2013.08.01
  • Added ‘Controls’ to all LDAP Requests
  • Added Extended Request feature
  • Added Intermediate Response feature
  • Added namespace ‘ldap3’
# 0.4.3 - 2013.07.31
  • Test suite refactored
  • Fixed single object search response error
  • Changed attributes returned in search from tuple to dict
  • Added ‘raw_attributes’ key in search response to hold undecoded (binary) attribute values read from ldap
  • Added __repr__ for Server and Connection objects to re-create the object instance
# 0.4.2 - 2013.07.29
  • Added autoReferral feature as per RFC4511 (4.1.10)
  • Added allowedReferralHosts to conform to Security considerations of RFC4516
# 0.4.1 - 2013.07.20
  • Add validation to Abandon operation
  • Added connection.request to hold a dictionary of infos about last request
  • Added info about outstanding operation in connection.strategy._outstanding
  • Implemented RFC4515 for search filter coding and decoding
  • Added a parser to build filter string from LdapMessage
# 0.4.0 - 2013.07.15
  • Refactoring of the connection and strategy classes
  • Added the ldap3.strategy namespace to contain client connection strategies
  • Added ssl authentication
  • Moved authentication parameters from Server object to Connection object
  • Added ssl parameters to Server Object
# 0.3.0 - 2013.07.14
  • Fixed AsyncThreaded strategy with _outstanding and _responses attributes to hold the pending requests and the not-yet-read responses
  • Added Extended Operation
  • Added “Unsolicited Notification” discover logic
  • Added managing of “Notice of Disconnection” from server to properly close connection
# 0.2.0 - 2013.07.13
  • Update setup with setuptools 0.7
  • Docstrings added to class
  • Removed ez_setup dependency
  • Removed distribute dependency
# 0.1.0 - 2013.07.12
  • Initial upload on pypi
  • PyASN1 RFC4511 module completed and tested
  • Synchronous client working properly
  • Asynchronous client working but not fully tested
  • Basic authentication working