linotp.lib.user module

contains user - related functions

class linotp.lib.user.User(login='', realm='', resolver_config_identifier='')[source]

Bases: object

addResolverUId(resolver, uid, conf='', resId='', resCId='')[source]

check if a user exists in the given realm

static getUserObject(login, realm=None, check_if_exist=False)[source]

a wildcard usr (realm = *) could have multiple configurations this method will return a list of uniq users, one per configuration

Returns:list of users
static get_fq_resolver(res)[source]

generator to get the uid and resolver info of the user

Parameters:resolvers – provide the resolver, where to check for the user
Returns:the tuple of uid and resolver

in case of a resolver change / delete, we have to dump the cache


in case of a resolver change / delete, we have to dump the user cache

linotp.lib.user.find_resolver_spec_for_config_identifier(realms_dict, config_identifier)[source]

Iterates through a realms dictionary, extracts the resolver specification and returns it, when its config identifier matches the provided config_identifier argument

  • realms_dict – A realms dictionary
  • config_identifier – The config identifier to search for

:return Resolver specification (or None if no match occured)


returns the config value of selfservice.realmbox. if True, the realmbox in the selfservice login will be displayed. if False, the realmbox will not be displayed and the user needs to login


get the list of the Resolvers within a users.realm or from the resolver conf, if given in the user object

Note:It ignores the user.login attribute!
Parameters:user (User object) – User with realm or resolver conf

getResolversOfUser returns the list of the Resolvers of a user in a given realm. A user can be be in more than one resolver if the login name is the same and if the user has the same id.

The usecase behind this constrain is that an user for example could be ldap wise in a group which could be addressed by two queries.

Parameters:user – userobject with user.login, user.realm
Returns:array of resolvers, the user was found in

returns the config value of splitAtSign. if True, the username should be split if there is an at sign. if False, the username will be taken unchanged for loginname.


Returns userinfo of an user

Parameters:user – the user
Returns:the userinfo dict

establish an user object from the request parameters

linotp.lib.user.getUserFromRequest(request, config=None)[source]
This function first tries to get the user from
  • already authenticated systems (REMOTE_USER)
  • a Basic / DigestAuth and
  • otherwise from the client certificate
  • request – the pylons request
  • config – the LinOTP configuration

the authentication dict


the function catches all exceptions which are only logged


the selfservice authentication should be removed!!

Parameters:user – user object
linotp.lib.user.getUserInfo(userid, resolver, resolver_spec)[source]
linotp.lib.user.getUserList(param, search_user)[source]
linotp.lib.user.getUserListIterators(param, search_user)[source]

return a list of iterators for all userid resolvers

  • param – request params (dict), which might be realm or resolver conf
  • search_user – restrict the resolvers to those of the search_user
linotp.lib.user.getUserPhone(user, phone_type='phone')[source]

Returns the phone numer of a user

  • user (user object) – the user with the phone
  • phone_type (string) – The type of the phone, i.e. either mobile or phone (land line)

list with phone numbers of this user object

linotp.lib.user.getUserRealms(user, allRealms=None, defaultRealm=None)[source]

Returns the realms, a user belongs to. If the user has no realm but only a useridresolver, than all realms, containing this resolver are returned. This function is used for the policy module

linotp.lib.user.getUserResolverId(user, report=False)[source]
linotp.lib.user.get_authenticated_user(username, realm, password=None, realm_box=False, authenticate=True, options=None)[source]

check the username and password against a userstore.

remark: the method is called in the context of repoze.who
during authentication and during auto_enrollToken/auto_assignToken
  • username – the user login name
  • realm – the realm, where the user belongs to
  • password – the to be checked userstore password
  • realm_box – take the information, if realmbox is displayed
Parm authenticate:

for the selftest, we skip the authentication


None or authenticated user object

linotp.lib.user.get_resolvers_of_user(login, realm)[source]

get the resolvers of a given user, identified by loginname and realm

linotp.lib.user.lookup_user_in_resolver(login, user_id, resolver_spec, user_info=None)[source]

lookup login or uid in resolver to get userinfo


the userinfo should not be part of this api and not be cached

  • login – login name
  • user_id – the users uiniq identifier
  • resolver_spec – the resolver specifier
Paran user_info:

optional parameter, required to fill the cache


login, uid

linotp.lib.user.setRealm(realm, resolvers)[source]

split the username into the user and realm

Parameters:username – the given username
Returns:tuple of (user and group/realm)