def _get_identity(self, identifier):
with ldap_context(self.ldap_settings):
user_dn, user_data = get_user_by_id(identifier, self._attributes)
if not user_dn:
return None
return IdentityInfo(self,
identifier=user_data[self.ldap_settings['uid']][0],
**to_unicode(user_data))
def get_group(self, name):
with ldap_context(self.ldap_settings):
group_dn, group_data = get_group_by_id(name,
[self.ldap_settings['gid']])
if not group_dn:
return None
group_name = to_unicode(group_data[self.ldap_settings['gid']][0])
return self.group_class(self, group_name, group_dn)
def get_members(self):
with ldap_context(self.ldap_settings):
group_dns = self._iter_group()
group_dn = next(group_dns)
while group_dn:
user_filter = build_user_search_filter({self.ldap_settings['member_of_attr']: {group_dn}}, exact=True)
for _, user_data in self.provider._search_users(user_filter):
yield IdentityInfo(self.provider, identifier=user_data[self.ldap_settings['uid']][0],
**to_unicode(user_data))
group_filter = build_group_search_filter({self.ldap_settings['member_of_attr']: {group_dn}}, exact=True)
subgroups = list(self.provider._search_groups(group_filter))
group_dn = group_dns.send(subgroups)
def search_groups(self, name, exact=False):
with ldap_context(self.ldap_settings):
search_filter = build_group_search_filter(
{self.ldap_settings['gid']: {name}}, exact=exact)
if not search_filter:
raise GroupRetrievalFailed(
"Unable to generate search filter from criteria",
provider=self)
for group_dn, group_data in self._search_groups(search_filter):
group_name = to_unicode(
group_data[self.ldap_settings['gid']][0])
yield self.group_class(self, group_name, group_dn)
def search_identities(self, criteria, exact=False):
with ldap_context(self.ldap_settings):
search_filter = build_user_search_filter(criteria,
self.settings['mapping'],
exact=exact)
if not search_filter:
raise IdentityRetrievalFailed(
"Unable to generate search filter from criteria")
for _, user_data in self._search_users(search_filter):
yield IdentityInfo(
self,
identifier=user_data[self.ldap_settings['uid']][0],
**to_unicode(user_data))
def __init__(self, *args, **kwargs):
super(LDAPIdentityProvider, self).__init__(*args, **kwargs)
self.set_defaults()
self.ldap_settings.setdefault('gid', 'cn')
self.ldap_settings.setdefault('group_filter',
'(objectClass=groupOfNames)')
self.ldap_settings.setdefault('member_of_attr', 'memberOf')
self.ldap_settings.setdefault('ad_group_style', False)
self.settings['mapping'] = to_unicode(self.settings['mapping'])
self._attributes = list(
convert_app_data(self.settings['mapping'], {},
self.settings['identity_info_keys']).values())
self._attributes.append(self.ldap_settings['uid'])
def set_defaults(self):
self.ldap_settings.setdefault('timeout', 30)
self.ldap_settings.setdefault('verify_cert', True)
self.ldap_settings.setdefault('cert_file',
certifi.where() if certifi else None)
self.ldap_settings.setdefault('starttls', False)
self.ldap_settings.setdefault('page_size', 1000)
self.ldap_settings.setdefault('uid', 'uid')
self.ldap_settings.setdefault('user_filter', '(objectClass=person)')
if not self.ldap_settings['cert_file'] and self.ldap_settings[
'verify_cert']:
warn(
"You should install certifi or provide a certificate file in order to verify the LDAP certificate."
)
# Convert LDAP settings to text in case someone gave us bytes
self.settings['ldap'] = to_unicode(self.settings['ldap'])
def get_members(self):
with ldap_context(self.ldap_settings):
group_dns = self._iter_group()
group_dn = next(group_dns)
while group_dn:
user_filter = build_user_search_filter(
{self.ldap_settings['member_of_attr']: {group_dn}},
exact=True)
for _, user_data in self.provider._search_users(user_filter):
yield IdentityInfo(
self.provider,
identifier=user_data[self.ldap_settings['uid']][0],
**to_unicode(user_data))
group_filter = build_group_search_filter(
{self.ldap_settings['member_of_attr']: {group_dn}},
exact=True)
subgroups = list(self.provider._search_groups(group_filter))
group_dn = group_dns.send(subgroups)
def get_identity_groups(self, identifier):
groups = set()
with ldap_context(self.ldap_settings):
user_dn, user_data = get_user_by_id(identifier, self._attributes)
if not user_dn:
return set()
if self.ldap_settings['ad_group_style']:
for sid in get_token_groups_from_user_dn(user_dn):
search_filter = build_group_search_filter(
{'objectSid': {sid}}, exact=True)
for group_dn, group_data in self._search_groups(
search_filter):
group_name = to_unicode(
group_data[self.ldap_settings['gid']][0])
groups.add(self.group_class(self, group_name,
group_dn))
else:
# OpenLDAP does not have a way to get all groups for a user including nested ones
raise NotImplementedError(
'Only available for active directory')
return groups
def test_to_unicode(data, expected):
assert to_unicode(data) == expected
def test_to_unicode(data, expected):
assert to_unicode(data) == expected
def search_identities(self, criteria, exact=False):
with ldap_context(self.ldap_settings):
search_filter = build_user_search_filter(criteria, self.settings['mapping'], exact=exact)
if not search_filter:
raise IdentityRetrievalFailed("Unable to generate search filter from criteria")
for _, user_data in self._search_users(search_filter):
yield IdentityInfo(self, identifier=user_data[self.ldap_settings['uid']][0], **to_unicode(user_data))
def _get_identity(self, identifier):
with ldap_context(self.ldap_settings):
user_dn, user_data = get_user_by_id(identifier, self._attributes)
if not user_dn:
return None
return IdentityInfo(self, identifier=user_data[self.ldap_settings['uid']][0], **to_unicode(user_data))
