LDAPConfig

pydantic settings gafaelfawr.config.LDAPConfig

Configuration for LDAP support.

In all known implementations, gidNumber holds the numeric GID of the group and cn holds its name, so these are not configurable.

Validators:
  • _validate_password » all fields

  • _validate_use_kerberos » all fields

field addUserGroup: bool = False (name 'add_user_group')

If set to true, synthesize a group for the user whose name and GID match the username and UID, adding it to the group list without requiring it to appear in LDAP.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field emailAttr: str | None = 'mail' (name 'email_attr')

The attribute from which the user’s email address should be taken, or None to not look up email addresses. This should normally be mail.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field gidAttr: str | None = 'gidNumber' (name 'gid_attr')

The attribute from which the user’s primary GID should be taken, or None to not look up primary GIDs. This should usually be gidNumber, as specified in RFC 2307 and RFC 2307bis.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field groupBaseDn: str [Required] (name 'group_base_dn')

Base DN to use when executing an LDAP search for user groups.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field groupMemberAttr: str = 'member' (name 'group_member_attr')

The LDAP attribute in the group tree that contains the list of members, either as simple usernames or, if group_search_by_dn is set, the user DN. Usually member as specified in RFC 2307bis.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field groupObjectClass: str = 'posixGroup' (name 'group_object_class')

Object class to search for in the group tree. Usually posixGroup, as specified in RFC 2307 and RFC 2307bis.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field groupSearchByDn: bool = True (name 'group_search_by_dn')

Whether to search for groups by user DN or only username. If this option is set to true, the username is transformed into a DN using user_base_dn and user_search_attr, and that DN is the target of the group_member_attr search.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field kerberosConfig: str | None = None (name 'kerberos_config')

Contents of a /etc/krb5.conf file to use for Kerberos GSS-API binds to the LDAP server. This setting is not used directly by the Gafaelfawr code. It is handled in the wrapper script for container setup. However, use_kerberos is set to true if this setting is not None.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field nameAttr: str | None = 'displayName' (name 'name_attr')

The attribute from which the user’s full name will be taken, or None to not look up full names. This should normally be displayName, but sometimes it may be desirable to use a different name attribute such as gecos. This should hold the whole name that should be used by Gafaelfawr, not just a surname or family name (which are not universally valid concepts anyway).

Validated by:
  • _validate_password

  • _validate_use_kerberos

field password: SecretStr | None = None

Password for simple bind authentication to the LDAP server. Only used if user_dn is set.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field uidAttr: str | None = 'uidNumber' (name 'uid_attr')

The attribute from which the user’s numeric UID will be taken. This should usually be uidNumber as specified in RFC 2307 and RFC 2307bis. If Firestore is enabled, this may be set to null to not attempt UID lookups.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field url: LdapDsnString [Required]

URL of LDAP server to query for user information. Not supported when GitHub is used as the authentication provider.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field useKerberos: bool = False (name 'use_kerberos')

If set to true, authenticate to LDAP with Kerberos GSS-API. If both this and user_dn are set, simple binds take precedence. This allows triggering all of the other Kerberos handling while still using simple binds instead of GSSAPI binds, to make testing easier. This is set based on whether kerberos_config is set.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field userBaseDn: str [Required] (name 'user_base_dn')

The base DN used to search for the user record, from which other information such as full name, email, numeric UID, and numeric GID will be retrieved.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field userDn: str | None = None (name 'user_dn')

DN of user to bind as with simple bind when querying the LDAP server. If neither this nor use_kerberos is set, Gafaelfawr will do an anonymous bind.

Validated by:
  • _validate_password

  • _validate_use_kerberos

field userSearchAttr: str = 'uid' (name 'user_search_attr')

This attribute must hold the username of the user provided in the OpenID Connect ID token. The default is uid, which is the LDAP convention for the attribute holding the username. This should also be the attribute used to make up the DN of a user if group_search_by_dn is enabled.

Validated by:
  • _validate_password

  • _validate_use_kerberos
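
The group lookup described under group_search_by_dn and user_search_attr puts a username from the ID token into a DN and then into a search filter, so it needs RFC 4514 escaping for the DN and RFC 4515 escaping for the filter. The following is an added example, not Gafaelfawr's own code: the function names are hypothetical, the DN layout `<user_search_attr>=<username>,<user_base_dn>` is an assumption about the transformation described above, and the base DN is a constructed sample.

```python
# Added illustration; not Gafaelfawr source code. Function names are hypothetical.

_DN_SPECIAL = '"+,;<>\\'


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def group_filter(username, *, user_base_dn, user_search_attr="uid",
                 group_member_attr="member", group_object_class="posixGroup",
                 group_search_by_dn=True):
    """Build the membership filter for a search rooted at group_base_dn."""
    if group_search_by_dn:
        # Assumed layout: <user_search_attr>=<username>,<user_base_dn>.
        target = f"{user_search_attr}={escape_dn_value(username)},{user_base_dn}"
    else:
        target = username
    # The whole target is data, never filter syntax, so escape it as one value.
    # Attribute names come from trusted configuration and are used as given.
    return (f"(&(objectClass={escape_filter_value(group_object_class)})"
            f"({group_member_attr}={escape_filter_value(target)}))")
```

With the defaults, a username containing `)`, `(` or `*` stays inside the member assertion instead of changing which groups the filter matches.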