useridresolver.LDAPIdResolver module

This module implements the communication
and data mapping to LDAP servers. The LinOTPd imports this module to use LDAP servers as a userstore.

Dependencies: UserIdResolver

class useridresolver.LDAPIdResolver.IdResolver[source]

Bases: useridresolver.UserIdResolver.UserIdResolver

LDAP User Id resolver


bind() - this function starts an ldap conncetion

ca_certs = set([])
ca_dir = None
checkPass(uid, password)[source]

checkPass - checks the password for a given uid.

  • uid (string) – userid to be checked
  • password (string) – user password

:return : true in case of success, false if password does not match :rtype : boolean

Attention:First the UID needs to be converted to the DN, in case the Uid is not the DN

closes method is called, when the request ends - here we close the ldap connection by unbind

conf = ''
fields = {'username': 1, 'phone': 0, 'surname': 0, 'description': 0, 'mobile': 0, 'gender': 0, 'givenname': 0, 'userid': 1, 'email': 0}
getConfigEntry(config, key, conf, required=True, default='')[source]

getConfigEntry - retrieve an entry from the config

  • config (dict) – dict of all configs
  • key (string) – key which is searched
  • conf (string) – scope of the config eg. connect.sql
  • required (boolean) – if this value ist true and the key is not defined, an exception sill be raised
  • default (any) – fallback value if confg has no such entry

the value of the specified key

Return type:

value type - in most cases string ;-)

classmethod getResolverClassDescriptor()[source]

return the descriptor of the resolver, which is - the class name and - the config description

Returns:resolver description dict
Return type:dict
classmethod getResolverClassType()[source]

getResolverId - provide the resolver identifier

Returns:returns the resolver identifier string or empty string if not exist

:rtype : string


getResolverType - return the type of the resolver

Returns:returns the string ‘ldapresolver’
Return type:string

return all fields on which a search could be made

Returns:dictionary of the search fields and their types - not used!!
Return type:dict

return the userId which mappes to an loginname

Parameters:loginName (string) – login name of the user
Returns:userid - unique idenitfier for this unser
Return type:string

return all user related information

Parameters:userId (string) – specified user
Returns:dictionary, containing all user related info
Return type:dict

The return is a dictionary with well defined keys:

fields = {
    "username": 1,
    "userid": 1,
    "description": 0,
    "phone": 0,
    "mobile": 0,
    "email": 0,
    "givenname": 0,
    "surname": 0,
    "gender": 0

This function returns all user information for a given user object identified by UserID. In LDAP case this is the DN, but could also be ‘objectguid’ or uidtype

Parameters:userid (unicode or str) – user identifier (in unicode)
Returns:user info dict
Return type:dict

retrieve a list of users

Parameters:searchDict (dict) – dictionary of the search criterias
Returns:resultList, a dict with user info
getUserListIterator(searchDict, limit_size=True)[source]

iterator based access to get the list of users to prevent server response of sizelimit exceeded

  • searchDict – the dict with a search filter expression
  • limit_size – restrict the returned data size to size_limit

generator object (that yields userlist arrays).


get the loginname from the given userid

Parameters:userId (string) – userid descriptor
Return type:string
convert the binary MS AD GUID to something that could be displayed
Parameters:guid (binary) – binary value
Returns:string representation of the guid
Return type:string
loadConfig(config, conf='')[source]
loadConfig - load the config for the resolver
The calling applications passes the LDAP configuration: FILTER LDAPURI BASE BINDDN BINDPW
  • config (dict) – configuration for the sqlresolver
  • conf (string) – configuration postfix
nameDict = {}

now - insert the now timestamp

as AD starts it’s time count at 31/12/1601, when the vigent gregorian cycle in our calendar is started, we have to add the diff to the unix now timestamp, which starts at 1/1/1970

accExp: expiry date of an user, in which case we count since 31/12/1601
not since 01/01/1601; so we add 86400 seconds to the final result. As we use this timestamp only for the account expiry, we set this as default
searchFields = {'username': 'text', 'surname': 'text', 'description': 'text', 'userid': 'text', 'givenname': 'text', 'email': 'text'}
searchLDAPUserList(key, value)[source]
finds the user objects, that have the term ‘value’ in the
user object field ‘key’
  • key (string) – The key may be an ldap attribute like ‘loginname’ or ‘email’.
  • value – The value is a regular expression.

:type value:string

Returns:a list of dictionaries (each dictionary contains a user object) or an empty string if no object is found.
Return type:list
classmethod setup(config=None, cache_dir=None)[source]

this setup hook is triggered, when the server starts to serve the first request

On this first call the CA certificate for the LDAP module is verified and set - if the CA certificate is specified.

Parameters:config (the linotp config dict) – the linotp config
classmethod testconnection(params)[source]

This is used to test if the given parameter set will do a successful LDAP connection.

  • LDAPSEARCHFILTER’: ‘(sAMAccountName=*)(objectClass=user)’,
  • LDAPFILTER’: ‘(&(sAMAccountName=%s)(objectClass=user))’,
  • USERINFO’: ‘{ “username”: “sAMAccountName”, “phone” :
    “telephoneNumber”, “mobile” : “mobile”, “email” : “mail”, “surname” : “sn”, “givenname” : “givenName” }’

unbind() - this function formarly freed the ldap connection which is now done in the class destructor __del__()

Parameters:l – ldap object
Returns:empty string

Replace all special characters found in filterstr by quoted notation - used especially for search with guid - which consists of binary data from

Parameters:filterstr – the unescaped filte string
Returns:escaped filter string