LDAPSettings

pydantic model gafaelfawr.config.LDAPSettings

pydantic model of LDAP configuration.

Parameters:

data (Any)

Show JSON schema
{
   "title": "LDAPSettings",
   "description": "pydantic model of LDAP configuration.",
   "type": "object",
   "properties": {
      "url": {
         "title": "Url",
         "type": "string"
      },
      "userDn": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Userdn"
      },
      "useKerberos": {
         "default": false,
         "title": "Usekerberos",
         "type": "boolean"
      },
      "passwordFile": {
         "anyOf": [
            {
               "format": "path",
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Passwordfile"
      },
      "groupBaseDn": {
         "title": "Groupbasedn",
         "type": "string"
      },
      "groupObjectClass": {
         "default": "posixGroup",
         "title": "Groupobjectclass",
         "type": "string"
      },
      "groupMemberAttr": {
         "default": "member",
         "title": "Groupmemberattr",
         "type": "string"
      },
      "groupSearchByDn": {
         "default": false,
         "title": "Groupsearchbydn",
         "type": "boolean"
      },
      "userBaseDn": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Userbasedn"
      },
      "userSearchAttr": {
         "default": "uid",
         "title": "Usersearchattr",
         "type": "string"
      },
      "nameAttr": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": "displayName",
         "title": "Nameattr"
      },
      "emailAttr": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": "mail",
         "title": "Emailattr"
      },
      "uidAttr": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Uidattr"
      },
      "gidAttr": {
         "anyOf": [
            {
               "type": "string"
            },
            {
               "type": "null"
            }
         ],
         "default": null,
         "title": "Gidattr"
      },
      "addUserGroup": {
         "default": false,
         "title": "Addusergroup",
         "type": "boolean"
      }
   },
   "required": [
      "url",
      "groupBaseDn"
   ]
}

Fields:
Validators:

  • _validate_group_search_by_dn » all fields

  • _validate_password_file » all fields

field addUserGroup: bool = False (name 'add_user_group')

Whether to synthesize a user private group with GID matching UID.

If set to True, synthesize a group for the user whose name and GID matches the username and UID, adding it to the group list without requiring it to appear in LDAP.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field emailAttr: str | None = 'mail' (name 'email_attr')

LDAP email attribute.

The attribute from which the user’s email address should be taken, or None to not look up email addresses. This should normally be mail.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field gidAttr: str | None = None (name 'gid_attr')

LDAP GID attirbute.

If set, the user’s primary GID will be taken from this sttribute. If GID lookups are desired, this should usually be gidNumber, as specified in RFC 2307 and RFC 2307bis. If not set, the primary GID will match the UID if add_user_group is true, and otherwise will not be set.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field groupBaseDn: str [Required] (name 'group_base_dn')

Base DN to use when executing an LDAP search for user groups.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field groupMemberAttr: str = 'member' (name 'group_member_attr')

LDAP group member attribute.

memberuid in RFC 2307 and member in RFC 2307bis.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field groupObjectClass: str = 'posixGroup' (name 'group_object_class')

LDAP group object class.

Usually posixGroup, as specified in RFC 2307 and RFC 2307bis.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field groupSearchByDn: bool = False (name 'group_search_by_dn')

Whether to search for group membership by user DN.

By default, Gafaelfawr locates user group memberships by searching for an attribute in the group tree containing the bare username. If this option is set to True, the username is turned into a user DN using user_base_dn and user_search_attr and group memberships are instead retrieved by searching for group_member_attr attributes containing that DN.

The default is False for backwards-compatibility reasons and because setting the LDAP user attributes is optional, but most LDAP servers are organized this way. The default may be changed to True in a future release.

If set to True, user_base_dn must be set.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field nameAttr: str | None = 'displayName' (name 'name_attr')

LDAP full name attribute.

The attribute from which the user’s full name will be taken, or None to not look up full names. This should normally be displayName, but sometimes it may be desirable to use a different name attribute. This should hold the whole name that should be used by the Science Platform, not just a surname or family name (which are not universally valid concepts anyway).

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field passwordFile: Path | None = None (name 'password_file')

File containing simple bind password for the LDAP server.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field uidAttr: str | None = None (name 'uid_attr')

LDAP UID attribute.

If set, the user’s UID will be taken from this sttribute. If UID lookups are desired, this should usually be uidNumber, as specified in RFC 2307 and RFC 2307bis.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field url: str [Required]

LDAP server URL.

Use the ldaps scheme if you’re using TLS. Only anonymous binds are supported.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field useKerberos: bool = False (name 'use_kerberos')

Whether to use Kerberos GSSAPI binds.

If both this and user_dn are set, simple binds take precedence. This allows triggering all of the other Kerberos handling while still using simple binds instead of GSSAPI binds, to make testing easier.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field userBaseDn: str | None = None (name 'user_base_dn')

Base DN to use to search for user information.

If set, the base DN used to search for the user record, from which other information such as full name, email, and (if configured) numeric UID will be retrieved.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field userDn: str | None = None (name 'user_dn')

Simple bind user DN for the LDAP server.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file

field userSearchAttr: str = 'uid' (name 'user_search_attr')

Search attribute for finding the user record.

This attribute must hold the username of the user that Gafaelfawr knows them by. Used if user_base_dn is set. The default is uid, which is the LDAP convention for the attribute holding the username. This should also be the attribute used to make up the DN of a user, since it is used by group_search_by_dn.

Validated by:

  • _validate_group_search_by_dn

  • _validate_password_file