pyramid_ldap3 API

Configuration

pyramid_ldap3.ldap_set_login_query(config, base_dn, filter_tmpl, scope='LEVEL', attributes=None, cache_period=0, realm=None)

Configurator method to set the LDAP login search.

base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(login)s. scope is any valid LDAP scope value (e.g. ldap3.LEVEL or ldap3.SUBTREE). attributes is an optional list of attributes that shall be returned (can also be set to None or ldap3.ALL_ATTRIBUTES). cache_period is the number of seconds to cache login search results; if it is 0 (the default), login search results will not be cached. realm is an optional realm for this connection. This allows multiple ldap servers to be used.

Example:

config.set_ldap_login_query(
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(sAMAccountName=%(login)s)',
    scope=ldap3.LEVEL)

The registered search must return one and only one value to be considered a valid login.

pyramid_ldap3.ldap_set_groups_query(config, base_dn, filter_tmpl, scope='SUBTREE', attributes=None, cache_period=0, realm=None)

Configurator method to set the LDAP groups search.

base_dn is the DN at which to begin the search. filter_tmpl is a string which can be used as an LDAP filter: it should contain the replacement value %(userdn)s. scope is any valid LDAP scope value (e.g. ldap3.LEVEL or ldap3.SUBTREE). attributes is an optional list of attributes that shall be returned (can also be set to None or ldap3.ALL_ATTRIBUTES). cache_period is the number of seconds to cache groups search results; if it is 0 (the default), groups search results will not be cached. realm is an optional realm for this connection. This allows multiple ldap servers to be used.

Example:

config.set_ldap_groups_query(
    base_dn='CN=Users,DC=example,DC=com',
    filter_tmpl='(&(objectCategory=group)(member=%(userdn)s))',
    scope=ldap3.SUBTREE)

pyramid_ldap3.ldap_setup(config, uri, bind=None, passwd=None, use_tls=False, use_pool=True, pool_size=10, pool_lifetime=3600, get_info=None, realm=None)

Configurator method to set up an LDAP connection pool.

  • uri: ldap server uri(s) [mandatory]

  • bind: default bind that will be used to bind a connector. default: None

  • passwd: default password that will be used to bind a connector. default: None

  • use_tls: activate TLS when connecting. default: False

  • use_pool: activates the connection pool. If False, will recreate a connector each time. default: True

  • pool_size: connection pool size. default: 10

  • pool_lifetime: number of seconds before recreating a new connection when using a connection pool. default: 3600

  • get_info: specifies if schema or server specific info shall be read for proper formatting of attributes. default: None

  • realm: specify a realm for this connection. This allows multiple ldap servers to be used. default: None

pyramid_ldap3.includeme(config)

Set up Configurator methods for pyramid_ldap3.

Usage

pyramid_ldap3.get_ldap_connector(request, realm=None)

Return the LDAP connector attached to the request.

If pyramid.config.Configurator.ldap_setup() was not called, using this function will raise a pyramid.exceptions.ConfigurationError.

class pyramid_ldap3.Connector(registry, manager, realm=None)

Provides API methods for accessing LDAP authentication information.

manager

A ConnectionManager instance that can be used to perform arbitrary LDAP queries.

authenticate(login, password)

Validate the given login name and password.

Given a login name and a password, return a tuple of (dn, attrdict) if a matching user exists and the password is correct. Otherwise return None.

In a (dn, attrdict) return value, dn will be the distinguished name of the authenticated user. Attrdict will be a dictionary mapping LDAP user attributes to sequences of values.

A zero length password will always be considered invalid since it results in a request for “unauthenticated authentication” which should not be used for LDAP based authentication. See section 5.1.2 of RFC-4513 for a description of this behavior.

If pyramid.config.Configurator.ldap_set_login_query() was not called, using this function will raise a pyramid.exceptions.ConfiguratorError.

user_groups(userdn)

Get the groups the user belongs to.

Given a user DN, return a sequence of LDAP attribute dictionaries matching the groups of which the DN is a member. If the DN does not exist, return None.

In a return value [(dn, attrdict), ...], dn will be the distinguished name of the group. Attrdict will be a dictionary mapping LDAP group attributes to sequences of values.

If pyramid.config.Configurator.ldap_set_groups_query() was not called, using this function will raise a pyramid.exceptions.ConfiguratorError.

pyramid_ldap3.groupfinder(userdn, request)

Groupfinder function for Pyramid.

A groupfinder implementation useful in conjunction with out-of-the-box Pyramid authentication policies. It returns the DN of each group belonging to the user specified by userdn as a principal in the list of results; if the user does not exist, it returns None.
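The following is an added, self-contained illustration of the behaviour documented above for the login query, Connector.authenticate(), Connector.user_groups() and groupfinder(); it is not pyramid_ldap3's own code. It shows how a filter_tmpl containing %(login)s or %(userdn)s is rendered into a concrete search filter, with the substituted value escaped per RFC 4515 so that metacharacters in a login name match only literally, and it applies the two rules stated for a valid login: the search must return exactly one entry, and a zero-length password is always rejected. The in-memory directory, its single-equality-filter search routine and the stored passwords are constructed stand-ins so the example runs offline; a real deployment lets the LDAP server verify the bind and uses ldap3.utils.conv.escape_filter_chars rather than the escaping routine written here.

```python
"""Added illustration (not pyramid_ldap3's own code) of filter rendering and
the login rules described in the pyramid_ldap3 API documentation. Directory,
search routine and passwords are constructed stand-ins for offline use."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# RFC 4515 escaping of the characters that carry meaning inside a filter
# assertion value. Written here for the example; ldap3.utils.conv offers
# escape_filter_chars for production use.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_login_filter(filter_tmpl: str, login: str) -> str:
    """Fill the %(login)s slot of a login query template with an escaped value."""
    return filter_tmpl % {'login': escape_filter_value(login)}


def render_groups_filter(filter_tmpl: str, userdn: str) -> str:
    """Fill the %(userdn)s slot of a groups query template with an escaped value."""
    return filter_tmpl % {'userdn': escape_filter_value(userdn)}


# Constructed in-memory directory standing in for the LDAP server.
DIRECTORY: List[Entry] = [
    ('CN=alice,CN=Users,DC=example,DC=com',
     {'sAMAccountName': ['alice'], 'mail': ['alice@example.com'],
      'userPassword': ['correct horse']}),
    ('CN=bob,CN=Users,DC=example,DC=com',
     {'sAMAccountName': ['bob'], 'userPassword': ['battery staple']}),
    ('CN=Admins,CN=Users,DC=example,DC=com',
     {'objectCategory': ['group'],
      'member': ['CN=alice,CN=Users,DC=example,DC=com']}),
]

_EQUALITY = re.compile(r'^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$')


def _unescape(value: str) -> str:
    """Turn RFC 4515 \\xx escapes back into the literal characters they stand for."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def search(directory: Sequence[Entry], search_filter: str) -> List[Entry]:
    """Evaluate a single equality filter '(attr=value)' against the constructed
    directory; escaped metacharacters in the value are matched literally."""
    m = _EQUALITY.match(search_filter)
    if not m:
        raise ValueError('the example directory understands only (attr=value) filters')
    attr, wanted = m.group('attr'), _unescape(m.group('value'))
    return [(dn, attrs) for dn, attrs in directory if wanted in attrs.get(attr, [])]


def authenticate(directory: Sequence[Entry], login_tmpl: str,
                 login: str, password: str) -> Optional[Entry]:
    """Return (dn, attrdict) for a valid login, else None."""
    # A zero-length password is always invalid: it would turn the bind into an
    # "unauthenticated authentication" (RFC 4513 section 5.1.2).
    if not password:
        return None
    matches = search(directory, render_login_filter(login_tmpl, login))
    # The login search must return one and only one entry.
    if len(matches) != 1:
        return None
    dn, attrs = matches[0]
    # Stand-in for binding as the found DN; a real deployment never reads
    # passwords from the directory, it lets the server verify the bind.
    if password not in attrs.get('userPassword', []):
        return None
    return dn, {k: v for k, v in attrs.items() if k != 'userPassword'}


def user_groups(directory: Sequence[Entry], groups_tmpl: str,
                userdn: str) -> Optional[List[Entry]]:
    """Return the group entries of which userdn is a member, or None if the
    DN itself does not exist."""
    if not any(dn == userdn for dn, _ in directory):
        return None
    return search(directory, render_groups_filter(groups_tmpl, userdn))


def groupfinder(directory: Sequence[Entry], groups_tmpl: str,
                userdn: str) -> Optional[List[str]]:
    """Pyramid-style groupfinder: the DN of each group as a principal."""
    groups = user_groups(directory, groups_tmpl, userdn)
    return None if groups is None else [dn for dn, _ in groups]
```

The constructed directory evaluates only single equality filters, so the groups template used with it is the simpler '(member=%(userdn)s)' rather than the '(&(objectCategory=group)(member=%(userdn)s))' form shown earlier; the escaping and the exactly-one-entry and non-empty-password checks are the parts that carry over to a real server.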