pyramid_ldap API

Configuration

pyramid_ldap.ldap_set_login_query(config, base_dn, filter_tmpl, scope=None, cache_period=0)

Configurator method to set the LDAP login search. base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(login)s. scope is any valid LDAP scope value (e.g. ldap.SCOPE_ONELEVEL). cache_period is the number of seconds to cache login search results; if it is 0, login search results will not be cached.

Example:

config.ldap_set_login_query(
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(sAMAccountName=%(login)s)',
    scope=ldap.SCOPE_ONELEVEL,
    )

The registered search must return one and only one value to be considered a valid login.

pyramid_ldap.ldap_set_groups_query(config, base_dn, filter_tmpl, scope=None, cache_period=0)

Configurator method to set the LDAP groups search. base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(userdn)s. scope is any valid LDAP scope value (e.g. ldap.SCOPE_SUBTREE). cache_period is the number of seconds to cache groups search results; if it is 0, groups search results will not be cached.

Example:

config.ldap_set_groups_query(
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(&(objectCategory=group)(member=%(userdn)s))',
    scope=ldap.SCOPE_SUBTREE,
    )

pyramid_ldap.ldap_setup(config, uri, bind=None, passwd=None, pool_size=10, retry_max=3, retry_delay=0.1, use_tls=False, timeout=-1, use_pool=True)

Configurator method to set up an LDAP connection pool.

  • uri: ldap server uri [mandatory]
  • bind: default bind that will be used to bind a connector. default: None
  • passwd: default password that will be used to bind a connector. default: None
  • pool_size: pool size. default: 10
  • retry_max: number of attempts when a server is down. default: 3
  • retry_delay: delay in seconds before a retry. default: 0.1
  • use_tls: activate TLS when connecting. default: False
  • timeout: connector timeout. default: -1
  • use_pool: activates the pool. If False, will recreate a connector
    each time. default: True

pyramid_ldap.includeme(config)

Set up Configurator methods for pyramid_ldap.

Usage

pyramid_ldap.get_ldap_connector(request)

Return the LDAP connector attached to the request. If pyramid.config.Configurator.ldap_setup() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

class pyramid_ldap.Connector(registry, manager)

Provides API methods for accessing LDAP authentication information.

manager

An ldappool ConnectionManager instance that can be used to perform arbitrary LDAP queries. See https://github.com/mozilla-services/ldappool

authenticate(login, password)

Given a login name and a password, return a tuple of (dn, attrdict) if a matching user exists and the password is correct. Otherwise return None.

In a (dn, attrdict) return value, dn will be the distinguished name of the authenticated user. attrdict will be a dictionary mapping LDAP user attributes to sequences of values. The keys and values of the dictionary will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.

A zero length password will always be considered invalid since it results in a request for “unauthenticated authentication” which should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 for a description of this behavior.

If pyramid.config.Configurator.ldap_set_login_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

user_groups(userdn)

Given a user DN, return a sequence of LDAP attribute dictionaries matching the groups of which the DN is a member. If the DN does not exist, return None.

In a return value [(dn, attrdict), ...], dn will be the distinguished name of the group. attrdict will be a dictionary mapping LDAP group attributes to sequences of values. The keys and values of the dictionary will be decoded from UTF-8, recursively, where possible. The dictionary returned is a case-insensitive dictionary implementation.

If pyramid.config.Configurator.ldap_set_groups_query() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

pyramid_ldap.groupfinder(userdn, request)

A groupfinder implementation useful in conjunction with out-of-the-box Pyramid authentication policies. It returns the DN of each group belonging to the user specified by userdn as a principal in the list of results; if the user does not exist, it returns None.
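The following is an added example, not pyramid_ldap's own code: it walks the login and groups flow described by ldap_set_login_query, ldap_set_groups_query, Connector.authenticate() and Connector.user_groups() against a constructed in-memory directory, so it runs with no LDAP server. The filter templates are the ones from the examples above; the escape_filter_value helper (RFC 4515 section 3), the stub_search/stub_bind functions and the sample entries are assumptions made for this illustration and are not part of pyramid_ldap.

```python
# Added example (not pyramid_ldap's own code). The escaping helper follows
# RFC 4515 and is something a caller applies before the %(login)s / %(userdn)s
# substitution; the directory below is constructed, not a real server.

LOGIN_BASE = 'CN=Users,DC=example,DC=com'
LOGIN_FILTER = '(sAMAccountName=%(login)s)'
GROUPS_FILTER = '(&(objectCategory=group)(member=%(userdn)s))'

_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value):
    """Escape the RFC 4515 filter metacharacters in an untrusted value."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(login):
    return LOGIN_FILTER % {'login': escape_filter_value(login)}

def build_groups_filter(userdn):
    return GROUPS_FILTER % {'userdn': escape_filter_value(userdn)}

# Constructed directory: filter string -> [(dn, attrdict), ...] as a search would return.
_ALICE_DN = 'CN=alice,CN=Users,DC=example,DC=com'
_SEARCH_RESULTS = {
    '(sAMAccountName=alice)': [(_ALICE_DN, {'sAMAccountName': ['alice']})],
    '(&(objectCategory=group)(member=%s))' % _ALICE_DN:
        [('CN=Staff,CN=Users,DC=example,DC=com', {'cn': ['Staff']})],
}
_PASSWORDS = {_ALICE_DN: 'correct horse'}

def stub_search(base_dn, filt):
    return _SEARCH_RESULTS.get(filt, [])

def stub_bind(dn, password):
    return _PASSWORDS.get(dn) == password

def authenticate(login, password, search=stub_search, bind=stub_bind):
    """Documented contract: an empty password is always invalid (RFC 4513 5.1.2)
    and the login search must yield exactly one entry before the bind is tried."""
    if password == '':
        return None
    matches = search(LOGIN_BASE, build_login_filter(login))
    if len(matches) != 1:
        return None
    dn, attrs = matches[0]
    return (dn, attrs) if bind(dn, password) else None

def user_groups(userdn, search=stub_search):
    # [(dn, attrdict), ...] for the user's groups, or None when nothing matches
    found = search(LOGIN_BASE, build_groups_filter(userdn))
    return found or None
```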