Configurator method to set the LDAP login search.
At least one of these parameters (base_dn or filter_tmpl) should contain the replacement value %(login)s.
Example:
import ldap

config.ldap_set_login_query(  # directive name as registered by pyramid_ldap
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(sAMAccountName=%(login)s)',
    scope=ldap.SCOPE_ONELEVEL,
)
The registered search must return one and only one value to be considered a valid login.
If filter_tmpl is empty, the directory is not searched: the entry DN is assumed to equal base_dn with %(login)s substituted, and none of the entry's attributes are fetched from the LDAP server, which makes the operation faster. In this case, and also when the server only allows the bound entry itself to read some needed attributes of its own entry, search_after_bind can be set to True if the entry's attributes are needed.
Example:
import ldap

config.ldap_set_login_query(  # directive name as registered by pyramid_ldap
    base_dn='sAMAccountName=%(login)s,CN=Users,DC=example,DC=com',
    filter_tmpl='',  # empty: no search, the DN is the substituted base_dn
    scope=ldap.SCOPE_ONELEVEL,
    search_after_bind=True,  # fetch the entry's attributes after binding as it
)
Configurator method to set the LDAP groups search.
Example:
import ldap

config.ldap_set_groups_query(  # directive name as registered by pyramid_ldap
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(&(objectCategory=group)(member=%(userdn)s))',
    scope=ldap.SCOPE_SUBTREE,
)
Configurator method to set up an LDAP connection pool.
uri: ldap server uri [mandatory]
bind: default bind that will be used to bind a connector. default: None
passwd: default password that will be used to bind a connector. default: None
size: pool size. default: 10
retry_max: number of attempts when a server is down. default: 3
retry_delay: delay in seconds before a retry. default: .1
use_tls: activate TLS when connecting. default: False
timeout: connector timeout. default: -1
each time. default: True
realm: a connection identifier. default: ''
Set up Configurator methods for pyramid_ldap
Return the LDAP connector attached to the request for the connection identified by the realm name. If pyramid.config.Configurator.ldap_setup() was not called for the named realm, using this function will raise a pyramid.exceptions.ConfigurationError.
Provides API methods for accessing LDAP authentication information.
An ldappool ConnectionManager instance that can be used to perform arbitrary LDAP queries. See https://github.com/mozilla-services/ldappool
Given a login name and a password, return a tuple (dn, attrdict) if a matching user exists and the password is correct. Otherwise return None.
In a (dn, attrdict) return value, dn will be the distinguished name of the authenticated user. Attrdict will be a dictionary mapping LDAP user attributes to sequences of values. The keys and values in the dictionary values provided will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.
A zero length password will always be considered invalid since it results in a request for “unauthenticated authentication” which should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 for a description of this behavior.
If pyramid.config.Configurator.ldap_set_login_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.
Given a user DN, return a sequence of LDAP attribute dictionaries matching the groups of which the DN is a member. If the DN does not exist, return None.
In a return value [(dn, attrdict), ...], dn will be the distinguished name of the group. Attrdict will be a dictionary mapping LDAP group attributes to sequences of values. The keys and values in the dictionary values provided will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.
If pyramid.config.Configurator.ldap_set_groups_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.
A groupfinder implementation useful in conjunction with out-of-the-box Pyramid authentication policies. It returns the DN of each group the user specified by userdn belongs to, each as a principal in the list of results; if the user does not exist, it returns None.
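The following is an added illustration, not pyramid_ldap's own code, covering both the login and groups query templates set above and the authenticate / user_groups / groupfinder return contracts just described. It shows how %(login)s and %(userdn)s are substituted with the escaping rule that fits each position (RFC 4515 for filter values, RFC 4514 for DN values), why the "one and only one entry" rule matters when a login value reaches a filter unescaped, and how the empty-password rule and the groupfinder principal list fall out of those contracts. The directory, users, groups and passwords are constructed in-memory stand-ins; the query evaluator only understands the two filter shapes used in the examples, and no real LDAP server or ldappool is contacted.

```python
# Added illustration, not pyramid_ldap's own code. The directory below is a
# constructed in-memory stand-in for a real LDAP server.
import re
from typing import Dict, List, Optional, Tuple

AttrDict = Dict[str, List[str]]

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a search filter template."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape a value that is substituted into a DN template."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ch for ch in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def render_query(base_dn: str, filter_tmpl: str, **params: str) -> Tuple[str, str]:
    """Expand the placeholders with the escaping rule appropriate to each position.
    An empty filter_tmpl yields an empty filter, mirroring the documented mode where
    the entry DN is taken to be the substituted base_dn and no search is run."""
    dn = base_dn % {k: escape_dn_value(v) for k, v in params.items()}
    flt = filter_tmpl % {k: escape_filter_value(v) for k, v in params.items()}
    return dn, flt

def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def _glob_match(parts: List[str], value: str) -> bool:
    """Match a value against literal pieces that were separated by unescaped '*'."""
    if len(parts) == 1:
        return value == parts[0]
    if not value.startswith(parts[0]) or not value.endswith(parts[-1]):
        return False
    pos = len(parts[0])
    for piece in parts[1:-1]:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= len(value) - len(parts[-1])

def _filter_matches(attrs: AttrDict, flt: str) -> bool:
    """Evaluate '(attr=value)' or '(&(attr=value)...)' filters against one entry."""
    inner = flt[1:-1]
    if inner.startswith("&"):
        return all(_filter_matches(attrs, c) for c in re.findall(r"\([^()]*\)", inner[1:]))
    attr, _, pattern = inner.partition("=")
    parts = [_unescape(p) for p in pattern.split("*")]
    return any(_glob_match(parts, v) for v in attrs.get(attr, []))

def search(entries, base_dn: str, flt: str) -> List[Tuple[str, AttrDict]]:
    """Stand-in for conn.search_s(base_dn, scope, filter) over the constructed data."""
    return [(dn, attrs) for dn, attrs, *_ in entries
            if dn.endswith("," + base_dn) and _filter_matches(attrs, flt)]

# Constructed sample data; users carry a password so a bind can be simulated.
USERS = [
    ("CN=alice,CN=Users,DC=example,DC=com",
     {"sAMAccountName": ["alice"], "mail": ["alice@example.com"]}, "s3cret"),
    ("CN=bob,CN=Users,DC=example,DC=com",
     {"sAMAccountName": ["bob"], "mail": ["bob@example.com"]}, "hunter2"),
]
GROUPS = [
    ("CN=admins,CN=Users,DC=example,DC=com",
     {"objectCategory": ["group"], "member": [USERS[0][0]]}),
    ("CN=staff,CN=Users,DC=example,DC=com",
     {"objectCategory": ["group"], "member": [USERS[0][0], USERS[1][0]]}),
]
LOGIN_QUERY = ("CN=Users,DC=example,DC=com", "(sAMAccountName=%(login)s)")
GROUPS_QUERY = ("CN=Users,DC=example,DC=com", "(&(objectCategory=group)(member=%(userdn)s))")

def authenticate(login: str, password: str) -> Optional[Tuple[str, AttrDict]]:
    """Return (dn, attrdict) or None, following the documented contract."""
    if password == "":  # RFC 4513 5.1.2: an empty password would be an unauthenticated bind
        return None
    hits = search(USERS, *render_query(*LOGIN_QUERY, login=login))
    if len(hits) != 1:  # zero or several candidate entries is never a valid login
        return None
    dn, attrs = hits[0]
    stored = next(pw for d, _, pw in USERS if d == dn)
    return (dn, attrs) if password == stored else None  # simulated bind as the entry

def user_groups(userdn: str) -> Optional[List[Tuple[str, AttrDict]]]:
    """Return [(dn, attrdict), ...] for the user's groups, or None if the DN is unknown."""
    if not any(dn == userdn for dn, _, _ in USERS):
        return None
    return search(GROUPS, *render_query(*GROUPS_QUERY, userdn=userdn))

def groupfinder(userdn: str, request=None) -> Optional[List[str]]:
    """Principals for a Pyramid authentication policy: one group DN per membership."""
    groups = user_groups(userdn)
    return None if groups is None else [dn for dn, _ in groups]
```

Calling search(USERS, LOGIN_QUERY[0], "(sAMAccountName=*)") directly returns both users, which is exactly the situation the "one and only one" rule rejects; passing the same value through authenticate instead renders it as the literal assertion (sAMAccountName=\2a), matches nothing, and returns None.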