LDAPConfig

class gafaelfawr.config.LDAPConfig(url, user_dn, password, use_kerberos, group_base_dn, group_object_class, group_member_attr, group_search_by_dn, user_base_dn, user_search_attr, name_attr, email_attr, uid_attr, gid_attr, add_user_group)

Bases: object

Configuration for LDAP support.

In all known implementations, gidNumber holds the numeric GID of the group and cn holds its name, so these are not configurable.

Parameters:
Attributes Summary

- add_user_group: Whether to synthesize a user private group with GID matching UID.
- email_attr: LDAP email attribute.
- gid_attr: LDAP GID attribute.
- group_base_dn: Base DN to use when executing LDAP search for group membership.
- group_member_attr: LDAP group member attribute.
- group_object_class: LDAP group object class.
- group_search_by_dn: Whether to search for group membership by user DN.
- name_attr: LDAP full name attribute.
- password: Password for simple bind authentication to the LDAP server.
- uid_attr: LDAP UID attribute.
- url: LDAP server URL.
- use_kerberos: Whether to use Kerberos GSSAPI binds.
- user_base_dn: Base DN to use to search for user information.
- user_dn: User DN for simple bind authentication to the LDAP server.
- user_search_attr: Search attribute for finding the user record.
Attributes Documentation

- add_user_group: bool
  Whether to synthesize a user private group with GID matching UID.

  If set to True, synthesize a group for the user whose name and GID match the username and UID, adding it to the group list without requiring it to appear in LDAP.
- email_attr: str | None
  LDAP email attribute.

  The attribute from which the user's email address should be taken, or None to not look up email addresses. This should normally be mail.
- gid_attr: str | None
  LDAP GID attribute.

  If set, the user's primary GID will be taken from this attribute. If GID lookups are desired, this should usually be gidNumber, as specified in RFC 2307 and RFC 2307bis. If not set, the primary GID will match the UID if add_user_group is true, and otherwise will not be set.
- group_search_by_dn: bool
  Whether to search for group membership by user DN.

  By default, Gafaelfawr locates user group memberships by searching for an attribute in the group tree containing the bare username. If this option is set to True, the username is turned into a user DN using user_base_dn and user_search_attr, and group memberships are instead retrieved by searching for group_member_attr attributes containing that DN.
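The two group-membership search modes described above, as an added example that is not Gafaelfawr's own code: a hypothetical GroupSearchConfig mirrors the relevant fields, builds the search base and filter for each mode, and escapes the username in DN context (RFC 4514) and in filter context (RFC 4515) so a crafted username cannot change the filter structure.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class GroupSearchConfig:
    """Hypothetical subset of LDAPConfig; field names follow the class above."""
    group_base_dn: str
    group_object_class: str
    group_member_attr: str
    group_search_by_dn: bool
    user_base_dn: Optional[str] = None
    user_search_attr: Optional[str] = None


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    chars = [
        "\\00" if ch == "\x00" else ("\\" + ch if ch in ',+"\\<>;=' else ch)
        for ch in value
    ]
    if chars and chars[0] in (" ", "#"):
        chars[0] = "\\" + chars[0]
    if chars and chars[-1] == " ":
        chars[-1] = "\\ "
    return "".join(chars)


def build_group_search(config: GroupSearchConfig, username: str) -> tuple:
    """Return (base_dn, filter) for the group membership lookup in either mode."""
    if config.group_search_by_dn:
        if not (config.user_base_dn and config.user_search_attr):
            raise ValueError("group_search_by_dn needs user_base_dn and user_search_attr")
        member = f"{config.user_search_attr}={escape_dn_value(username)},{config.user_base_dn}"
    else:
        member = username
    # The member value is escaped in filter context in both modes, so a username
    # such as 'alice)(memberUid=*' cannot alter the filter structure.
    ldap_filter = (
        f"(&(objectClass={escape_filter_value(config.group_object_class)})"
        f"({config.group_member_attr}={escape_filter_value(member)}))"
    )
    return config.group_base_dn, ldap_filter
```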
- name_attr: str | None
  LDAP full name attribute.

  The attribute from which the user's full name will be taken, or None to not look up full names. This should normally be displayName, but sometimes it may be desirable to use a different name attribute. This should hold the whole name that should be used by the Science Platform, not just a surname or family name (which are not universally valid concepts anyway).
- uid_attr: str | None
  LDAP UID attribute.

  If set, the user's UID will be taken from this attribute. If UID lookups are desired, this should usually be uidNumber, as specified in RFC 2307 and RFC 2307bis.
- url: str
  LDAP server URL.

  Use the ldaps scheme if you're using TLS. Only anonymous binds are supported.
- use_kerberos: bool
  Whether to use Kerberos GSSAPI binds.

  If both this and user_dn are set, simple binds take precedence. This allows triggering all of the other Kerberos handling while still using simple binds instead of GSSAPI binds, to make testing easier.