We shouldn't hard-code an LDAP server, it should discovered by looking for DNS records on CSH's DNS and then configuring failover in the case that a server goes down.

After the TCP connect to the LDAP server times out, the library does not make an attempt to reconnect.

ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server"}

Something wonky happened between libldap 2.4.47 and 2.4.59 that causes bullseye's libldap 2.4.57 to give us SERVER_DOWN errors when attempting to connect:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/ldap/ldapobject.py", line 1196, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/local/lib/python3.9/site-packages/ldap/ldapobject.py", line 443, in simple_bind_s
    msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
  File "/usr/local/lib/python3.9/site-packages/ldap/ldapobject.py", line 437, in simple_bind
    return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
  File "/usr/local/lib/python3.9/site-packages/ldap/ldapobject.py", line 329, in _ldap_call
    reraise(exc_type, exc_value, exc_traceback)
  File "/usr/local/lib/python3.9/site-packages/ldap/compat.py", line 44, in reraise
    raise exc_value
  File "/usr/local/lib/python3.9/site-packages/ldap/ldapobject.py", line 313, in _ldap_call
    result = func(*args,**kwargs)
ldap.SERVER_DOWN: {'desc': "Can't contact LDAP server", 'errno': 9, 'info': '(unknown error code)'}

This isn't great because we tend not to pin our container images to a particular release. We have a lot of things that have python:3.9.7 instead of python:3.9.7-buster. When these projects get rebuilt by OKD, stuff breaks because it can't talk to LDAP.

It would be useful for local development and for continuous integration for csh_ldap to be able to spoof server data. Once this is implemented applications (as well as csh_ldap) would be able to add automated testing for their csh_ldap usage.

I'm not sure how we'd want to structure the local spoof data, but at first thought JSON or YAML would probably be sufficient. As an argument to the CSHLDAP constructor we could just add a spoof_file named parameter that bypasses making a server connection.

When working with groups or a collection of user objects, it would be helpful to be able to check which users you've actually got on hand just by yeeting them to stdout without much effort. A simple __repr__() that provides a user's uid or something else identifiable would be a nice QOL update. Something like <CSHMember [zach - "Zach Hart"]> might be nice.

Not sure what you'd put in the groups, maybe the group name and count of members in it.

It would be useful for csh_ldap to expose more specific exceptions to applications in order to help differentiate issues for server-side permissions, versus invalid input to csh_ldap from the application.

pep8 has been replaced by pycode style https://github.com/PyCQA/pycodestyle. The name of the package in requirements-test.txt should be changed. This could be added into PR #7.

Since there's no break here, it always picks the last server. It should respect the srv record priorities.