linotp.lib.user module

contains user - related functions

exception linotp.lib.user.NoResolverFound[source]

Bases: exceptions.Exception

class linotp.lib.user.User(login='', realm='', resolver_config_identifier='')[source]

Bases: object

addResolverUId(resolver, uid, conf='', resId='', resCId='')[source]

check if a user exists in the given realm


return all realms in which the user is located

Returns:list of realms
static getUserObject(login, realm=None, check_if_exist=False)[source]

a wildcard usr (realm = *) could have multiple configurations this method will return a list of uniq users, one per configuration

Returns:list of users
static get_fq_resolver(res)[source]

Get full qualified names.

Returns:list of full qualified names

generator to get the uid and resolver info of the user

Parameters:resolvers – provide the resolver, where to check for the user
Returns:the tuple of uid and resolver
linotp.lib.user.delete_from_local_cache(login, user_id, resolver_spec)[source]

remove info from the request local cache

linotp.lib.user.delete_from_realm_resolver_cache(login, realmname)[source]

helper for realm cache cleanup

linotp.lib.user.delete_from_realm_resolver_local_cache(login, realmname)[source]

helper for local realm cache cleanup

linotp.lib.user.delete_from_resolver_user_cache(login, user_id, resolver_spec)[source]

clean up the resolver cache

linotp.lib.user.delete_from_user_cache(user_name, user_id, resolver_spec)[source]

helper to remove permutation of user entry


in case of a resolver change / delete, we have to dump the cache


in case of a resolver change / delete, we have to dump the user cache

linotp.lib.user.find_resolver_spec_for_config_identifier(realms_dict, config_identifier)[source]

Iterates through a realms dictionary, extracts the resolver specification and returns it, when its config identifier matches the provided config_identifier argument

  • realms_dict – A realms dictionary
  • config_identifier – The config identifier to search for

:return Resolver specification (or None if no match occured)


returns the config value of selfservice.realmbox. if True, the realmbox in the selfservice login will be displayed. if False, the realmbox will not be displayed and the user needs to login


get the list of the Resolvers within a users.realm or from the resolver conf, if given in the user object

Note:It ignores the user.login attribute!
Parameters:user (User object) – User with realm or resolver conf

getResolversOfUser returns the list of the Resolvers of a user in a given realm. A user can be be in more than one resolver if the login name is the same and if the user has the same id.

The usecase behind this constrain is that an user for example could be ldap wise in a group which could be addressed by two queries.

Parameters:user – userobject with user.login, user.realm
Returns:array of resolvers, the user was found in

returns the config value of splitAtSign. if True, the username should be split if there is an at sign. if False, the username will be taken unchanged for loginname.


Returns userinfo of an user

Parameters:user – the user
Returns:the userinfo dict

establish an user object from the request parameters

linotp.lib.user.getUserFromRequest(request, config=None)[source]
This function first tries to get the user from
  • already authenticated systems (REMOTE_USER)
  • a Basic / DigestAuth and
  • otherwise from the client certificate
  • request – the pylons request
  • config – the LinOTP configuration

the authentication dict


the function catches all exceptions which are only logged


the selfservice authentication should be removed!!

Parameters:user – user object
linotp.lib.user.getUserInfo(userid, resolver, resolver_spec)[source]

get the user info for an given user, identified by the userid + resolver/resolver_spec

  • userid – the unique user identifier
  • resolver – the resolver (optional)
  • resolver_spec – the resolver identifier + name

dictionary, which is empty, if no user info could be retreived

linotp.lib.user.getUserList(param, search_user)[source]
linotp.lib.user.getUserListIterators(param, search_user)[source]

return a list of iterators for all userid resolvers

  • param – request params (dict), which might be realm or resolver conf
  • search_user – restrict the resolvers to those of the search_user
linotp.lib.user.getUserPhone(user, phone_type='phone')[source]

Returns the phone numer of a user

  • user (user object) – the user with the phone
  • phone_type (string) – The type of the phone, i.e. either mobile or phone (land line)

list with phone numbers of this user object

linotp.lib.user.getUserRealms(user, allRealms=None, defaultRealm=None)[source]

Returns the realms, a user belongs to. If the user has no realm but only a useridresolver, than all realms, containing this resolver are returned. This function is used for the policy module

linotp.lib.user.getUserResolverId(user, report=False)[source]

get the resolver id of the user

linotp.lib.user.get_authenticated_user(username, realm, password=None, realm_box=False, authenticate=True, options=None)[source]

check the username and password against a userstore.

remark: the method is called in the context of repoze.who
during authentication and during auto_enrollToken/auto_assignToken
  • username – the user login name
  • realm – the realm, where the user belongs to
  • password – the to be checked userstore password
  • realm_box – take the information, if realmbox is displayed
Parm authenticate:

for the selftest, we skip the authentication


None or authenticated user object

linotp.lib.user.get_resolvers_of_user(login, realm)[source]

get the resolvers of a given user, identified by loginname and realm

linotp.lib.user.get_user_from_options(options_dict, fallback_user=None, fallback_realm=None)[source]

return a tuple of user login and realm considering the options contexts

in the token implementation we often require to make a policy lookup. As the policies are user and realm dependend we require to define for witch user or realm this lookup should be made. The input can be taken from: - the token owner or - options, the request addtional parameters which might contain a user

object or a login name or
  • the token realm, if neither user or owner is given
  • options_dict – the request options dict with the user
  • fallback_user – which should be set with the token owner
  • fallback_realm – which should be set with the token realm

the tuple with user login and realm

linotp.lib.user.lookup_user_in_resolver(login, user_id, resolver_spec, user_info=None)[source]

lookup login or uid in resolver to get userinfo


the userinfo should not be part of this api and not be cached

  • login – login name
  • user_id – the users uiniq identifier
  • resolver_spec – the resolver specifier
Paran user_info:

optional parameter, required to fill the cache


login, uid, user info

linotp.lib.user.setRealm(realm, resolvers)[source]

split the username into the user and realm

Parameters:username – the given username
Returns:tuple of (user and group/realm)