pyramid_ldap
API

Configuration

pyramid_ldap.ldap_set_login_query(config, base_dn, filter_tmpl, scope=None, cache_period=0)

Configurator method to set the LDAP login search. base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(login)s. scope is any valid LDAP scope value (e.g. ldap.SCOPE_ONELEVEL). cache_period is the number of seconds to cache login search results; if it is 0, login search results will not be cached.

Example:

    config.ldap_set_login_query(
        base_dn='CN=Users,DC=example,DC=com',
        filter_tmpl='(sAMAccountName=%(login)s)',
        scope=ldap.SCOPE_ONELEVEL,
    )

The registered search must return one and only one value to be considered a valid login.

pyramid_ldap.ldap_set_groups_query(config, base_dn, filter_tmpl, scope=None, cache_period=0)

Configurator method to set the LDAP groups search. base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(userdn)s. scope is any valid LDAP scope value (e.g. ldap.SCOPE_SUBTREE). cache_period is the number of seconds to cache groups search results; if it is 0, groups search results will not be cached.

Example:

    config.ldap_set_groups_query(
        base_dn='CN=Users,DC=example,DC=com',
        filter_tmpl='(&(objectCategory=group)(member=%(userdn)s))',
        scope=ldap.SCOPE_SUBTREE,
    )

pyramid_ldap.ldap_setup(config, uri, bind=None, passwd=None, pool_size=10, retry_max=3, retry_delay=0.1, use_tls=False, timeout=-1, use_pool=True)

Configurator method to set up an LDAP connection pool.

- uri: ldap server uri [mandatory]
- bind: default bind that will be used to bind a connector. default: None
- passwd: default password that will be used to bind a connector. default: None
- pool_size: pool size. default: 10
- retry_max: number of attempts when a server is down. default: 3
- retry_delay: delay in seconds before a retry. default: .1
- use_tls: activate TLS when connecting. default: False
- timeout: connector timeout. default: -1
- use_pool: activates the pool. If False, will recreate a connector each time. default: True

pyramid_ldap.includeme(config)

Set up Configurator methods for pyramid_ldap.

Usage

pyramid_ldap.get_ldap_connector(request)

Return the LDAP connector attached to the request. If pyramid.config.Configurator.ldap_setup() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

class pyramid_ldap.Connector(registry, manager)

Provides API methods for accessing LDAP authentication information.

    manager

    An ldappool ConnectionManager instance that can be used to perform arbitrary LDAP queries. See https://github.com/mozilla-services/ldappool

    authenticate(login, password)

    Given a login name and a password, return a tuple of (dn, attrdict) if the user exists and the password is correct. Otherwise return None.

    In a (dn, attrdict) return value, dn will be the distinguished name of the authenticated user. attrdict will be a dictionary mapping LDAP user attributes to sequences of values. The keys and values in the dictionary will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.

    A zero length password will always be considered invalid since it results in a request for “unauthenticated authentication” which should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 for a description of this behavior.

    If pyramid.config.Configurator.ldap_set_login_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

    user_groups(userdn)

    Given a user DN, return a sequence of LDAP attribute dictionaries matching the groups of which the DN is a member. If the DN does not exist, return None.

    In a return value [(dn, attrdict), ...], dn will be the distinguished name of the group. attrdict will be a dictionary mapping LDAP group attributes to sequences of values. The keys and values in the dictionary will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.

    If pyramid.config.Configurator.ldap_set_groups_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

pyramid_ldap.groupfinder(userdn, request)

A groupfinder implementation useful in conjunction with out-of-the-box Pyramid authentication policies. It returns the DN of each group belonging to the user specified by userdn as a principal in the list of results; if the user does not exist, it returns None.
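
The rules documented above for ldap_set_login_query and Connector.authenticate (a %(login)s filter template, exactly one search result, no zero-length password), as an added sketch that is not pyramid_ldap's own code. The search and bind callables and the sample directory are constructed stand-ins, and escaping the login value per RFC 4515 is an assumption about what a caller should ensure, not behavior this page documents.

```python
# Added illustration; not pyramid_ldap's implementation.
# RFC 4515 section 3: characters that must be escaped inside a filter value.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_login_filter(filter_tmpl, login):
    """Fill the %(login)s placeholder with the escaped login name."""
    return filter_tmpl % {'login': escape_filter_value(login)}

def check_login(search, bind, filter_tmpl, login, password):
    """Return (dn, attrdict) for a valid login, otherwise None.

    search(filter) -> [(dn, attrdict), ...] and bind(dn, password) -> bool
    are hypothetical stand-ins for the real LDAP search and bind operations.
    """
    if not password:
        # RFC 4513 section 5.1.2: a zero-length password requests
        # "unauthenticated authentication", so it never counts as a login.
        return None
    results = search(render_login_filter(filter_tmpl, login))
    if len(results) != 1:
        # The login search must return one and only one entry.
        return None
    dn, attrdict = results[0]
    return (dn, attrdict) if bind(dn, password) else None

# Constructed sample data: rendered filter -> search results, and DN -> password.
FILTER_TMPL = '(sAMAccountName=%(login)s)'
ALICE_DN = 'CN=alice,CN=Users,DC=example,DC=com'
DIRECTORY = {'(sAMAccountName=alice)': [(ALICE_DN, {'cn': ['alice']})]}
PASSWORDS = {ALICE_DN: 'correct horse'}

def sample_search(ldap_filter):
    return DIRECTORY.get(ldap_filter, [])

def sample_bind(dn, password):
    return PASSWORDS.get(dn) == password

if __name__ == '__main__':
    for login, password in [('alice', 'correct horse'), ('alice', ''),
                            ('alice', 'wrong'), ('a*(b)', 'x')]:
        outcome = check_login(sample_search, sample_bind, FILTER_TMPL, login, password)
        print(repr(login), repr(password), '->', outcome)
```

python-ldap provides ldap.filter.escape_filter_chars for the same escaping.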