LDAPConfig#

class gafaelfawr.config.LDAPConfig(url, user_dn, password, use_kerberos, group_base_dn, group_object_class='posixGroup', group_member_attr='member', user_base_dn=None, user_search_attr='uid', name_attr='displayName', email_attr='mail', uid_attr=None, gid_attr=None, add_user_group=False)#

Bases: object

Configuration for LDAP support.

In all known implementations, gidNumber holds the numeric GID of the group and cn holds its name, so these are not configurable.

Parameters:
  • url (str) –

  • user_dn (Optional[str]) –

  • password (Optional[str]) –

  • use_kerberos (bool) –

  • group_base_dn (str) –

  • group_object_class (str, default: 'posixGroup') –

  • group_member_attr (str, default: 'member') –

  • user_base_dn (Optional[str], default: None) –

  • user_search_attr (str, default: 'uid') –

  • name_attr (Optional[str], default: 'displayName') –

  • email_attr (Optional[str], default: 'mail') –

  • uid_attr (Optional[str], default: None) –

  • gid_attr (Optional[str], default: None) –

  • add_user_group (bool, default: False) –

Attributes Summary

add_user_group

Whether to synthesize a user private group with GID matching UID.

email_attr

LDAP email attribute.

gid_attr

LDAP GID attirbute.

group_base_dn

Base DN to use when executing LDAP search for group membership.

group_member_attr

LDAP group member attribute.

group_object_class

LDAP group object class.

name_attr

LDAP full name attribute.

password

Password for simple bind authentication to the LDAP server.

uid_attr

LDAP UID attribute.

url

LDAP server URL.

use_kerberos

Whether to use Kerberos GSSAPI binds.

user_base_dn

Base DN to use to search for user information.

user_dn

User DN for simple bind authentication to the LDAP server.

user_search_attr

Search attribute for finding the user record.

Attributes Documentation

add_user_group: bool#

Whether to synthesize a user private group with GID matching UID.

If set to True, synthesize a group for the user whose name and GID matches the username and UID, adding it to the group list without requiring it to appear in LDAP.

email_attr: Optional[str]#

LDAP email attribute.

The attribute from which the user’s email address should be taken, or None to not look up email addresses. This should normally be mail.

gid_attr: Optional[str]#

LDAP GID attirbute.

If set, the user’s primary GID will be taken from this sttribute. If GID lookups are desired, this should usually be gidNumber, as specified in RFC 2307 and RFC 2307bis. If not set, the primary GID will match the UID if add_user_group is true, and otherwise will not be set.

group_base_dn: str#

Base DN to use when executing LDAP search for group membership.

group_member_attr: str#

LDAP group member attribute.

memberuid in RFC 2307 and member in RFC 2307bis.

group_object_class: str#

LDAP group object class.

Usually posixGroup, as specified in RFC 2307 and RFC 2307bis.

name_attr: Optional[str]#

LDAP full name attribute.

The attribute from which the user’s full name will be taken, or None to not look up full names. This should normally be displayName, but sometimes it may be desirable to use a different name attribute. This should hold the whole name that should be used by the Science Platform, not just a surname or family name (which are not universally valid concepts anyway).

password: Optional[str]#

Password for simple bind authentication to the LDAP server.

uid_attr: Optional[str]#

LDAP UID attribute.

If set, the user’s UID will be taken from this sttribute. If UID lookups are desired, this should usually be uidNumber, as specified in RFC 2307 and RFC 2307bis.

url: str#

LDAP server URL.

Use the ldaps scheme if you’re using TLS. Only anonymous binds are supported.

use_kerberos: bool#

Whether to use Kerberos GSSAPI binds.

If both this and user_dn are set, simple binds take precedence. This allows triggering all of the other Kerberos handling while still using simple binds instead of GSSAPI binds, to make testing easier.

user_base_dn: Optional[str]#

Base DN to use to search for user information.

If set, the base DN used to search for the user record, from which other information such as full name, email, and (if configured) numeric UID will be retrieved.

user_dn: Optional[str]#

User DN for simple bind authentication to the LDAP server.

user_search_attr: str#

Search attribute for finding the user record.

This attribute must hold the username of the user that Gafaelfawr knows them by. Used if user_base_dn is set. The default is uid, which is the LDAP convention for the attribute holding the username.