--- a/server/sources/ldapfeed.py	Mon Oct 05 15:48:19 2015 +0200
+++ b/server/sources/ldapfeed.py	Mon Oct 05 15:49:17 2015 +0200
@@ -21,7 +21,7 @@
 
 from datetime import datetime
 
-from six import string_types
+from six import PY2, string_types
 
 import ldap3
 
@@ -262,7 +262,7 @@
         except Exception:
             self.error('while trying to authenticate %s', user, exc_info=True)
             raise AuthenticationError()
-        eid = self.repo.extid2eid(self, user['dn'], 'CWUser', cnx, insert=False)
+        eid = self.repo.extid2eid(self, user['dn'].encode('ascii'), 'CWUser', cnx, insert=False)
         if eid < 0:
             # user has been moved away from this source
             raise AuthenticationError()
@@ -332,13 +332,14 @@
             if self.user_attrs.get(key) == 'upassword': # XXx better password detection
                 value = value[0].encode('utf-8')
                 # we only support ldap_salted_sha1 for ldap sources, see: server/utils.py
-                if not value.startswith('{SSHA}'):
+                if not value.startswith(b'{SSHA}'):
                     value = utils.crypt_password(value)
                 itemdict[key] = Binary(value)
             elif self.user_attrs.get(key) == 'modification_date':
                 itemdict[key] = datetime.strptime(value[0], '%Y%m%d%H%M%SZ')
             else:
-                value = [unicode(val, 'utf-8', 'replace') for val in value]
+                if PY2:
+                    value = [unicode(val, 'utf-8', 'replace') for val in value]
                 if len(value) == 1:
                     itemdict[key] = value = value[0]
                 else:

--- a/server/test/unittest_ldapsource.py	Mon Oct 05 15:48:19 2015 +0200
+++ b/server/test/unittest_ldapsource.py	Mon Oct 05 15:49:17 2015 +0200
@@ -187,7 +187,7 @@
                      'cn=admin,dc=cubicweb,dc=test', '-w', 'cw']
         PIPE = subprocess.PIPE
         p = subprocess.Popen(updatecmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
-        p.stdin.write('\n'.join(modcmd))
+        p.stdin.write('\n'.join(modcmd).encode('ascii'))
         p.stdin.close()
         if p.wait():
             raise RuntimeError("ldap update failed: %s"%('\n'.join(p.stderr.readlines())))

--- a/sobjects/ldapparser.py	Mon Oct 05 15:48:19 2015 +0200
+++ b/sobjects/ldapparser.py	Mon Oct 05 15:49:17 2015 +0200
@@ -20,6 +20,8 @@
 unlike ldapuser source, this source is copy based and will import ldap content
 (beside passwords for authentication) into the system source.
 """
+from six.moves import map, filter
+
 from logilab.common.decorators import cached, cachedproperty
 from logilab.common.shellutils import generate_password
 
@@ -48,8 +50,8 @@
     def user_source_entities_by_extid(self):
         source = self.source
         if source.user_base_dn.strip():
-            attrs = map(str, source.user_attrs.keys())
-            return dict((userdict['dn'], userdict)
+            attrs = list(map(str, source.user_attrs.keys()))
+            return dict((userdict['dn'].encode('ascii'), userdict)
                         for userdict in source._search(self._cw,
                                                        source.user_base_dn,
                                                        source.user_base_scope,
@@ -61,7 +63,7 @@
     def group_source_entities_by_extid(self):
         source = self.source
         if source.group_base_dn.strip():
-            attrs = map(str, ['modifyTimestamp'] + source.group_attrs.keys())
+            attrs = list(map(str, ['modifyTimestamp'] + list(source.group_attrs.keys())))
             return dict((groupdict['dn'], groupdict)
                         for groupdict in source._search(self._cw,
                                                         source.group_base_dn,
@@ -174,8 +176,8 @@
         # all CWUsers must be treated before CWGroups to have the in_group relation
         # set correctly in _associate_ldapusers
         elif etype == 'CWUser':
-            groups = filter(None, [self._get_group(name)
-                                   for name in self.source.user_default_groups])
+            groups = list(filter(None, [self._get_group(name)
+                                        for name in self.source.user_default_groups]))
             if groups:
                 entity.cw_set(in_group=groups)
             self._process_email(entity, sourceparams)
@@ -184,7 +186,7 @@
 
     def is_deleted(self, extidplus, etype, eid):
         try:
-            extid, _ = extidplus.rsplit('@@', 1)
+            extid, _ = extidplus.rsplit(b'@@', 1)
         except ValueError:
             # for some reason extids here tend to come in both forms, e.g:
             # dn, dn@@Babar
@@ -204,14 +206,14 @@
                                    {'addr': emailaddr})
             if not rset:
                 # not found, create it. first forge an external id
-                emailextid = userdict['dn'] + '@@' + emailaddr.encode('utf-8')
+                emailextid = userdict['dn'] + '@@' + emailaddr
                 email = self.extid2entity(emailextid, 'EmailAddress',
                                           address=emailaddr)
                 entity.cw_set(use_email=email)
             elif self.sourceuris:
                 # pop from sourceuris anyway, else email may be removed by the
                 # source once import is finished
-                uri = userdict['dn'] + '@@' + emailaddr.encode('utf-8')
+                uri = userdict['dn'] + '@@' + emailaddr
                 self.sourceuris.pop(uri, None)
             # XXX else check use_email relation?