linotp.useridresolver.LDAPIdResolver module

This module implements the communication

and data mapping to LDAP servers. The LinOTPd imports this module to use LDAP servers as a userstore.

Dependencies: UserIdResolver

class linotp.useridresolver.LDAPIdResolver.IdResolver

Bases: UserIdResolver

LDAP User Id resolver

bind()

bind() - this function starts an ldap conncetion

checkPass(uid, password)

checkPass - checks the password for a given uid.

Parameters:

• uid (string) – userid to be checked

• password (string) – user password

:return : true in case of success, false if password does not match :rtype : boolean

Attention:

First the UID needs to be converted to the DN, in case the Uid is not the DN

close()

closes method is called, when the request ends - here we close the ldap connection by unbind

conf = ''

classmethod connect(uri, caller, trace_level=0)

helper - to build up the initial ldap / ldaps connection

Parameters:

uri – the ldap url

Returns:

the ldap connection object

critical_parameters: List[str] = ['LDAPBASE', 'BINDDN', 'LDAPURI']

crypted_parameters: List[str] = ['BINDPW']

db_prefix = 'useridresolver.LDAPIdResolver.IdResolver'

fields = {'description': 0, 'email': 0, 'gender': 0, 'givenname': 0, 'mobile': 0, 'phone': 0, 'surname': 0, 'userid': 1, 'username': 1}

classmethod getResolverClassDescriptor()

return the descriptor of the resolver, which is - the class name and - the config description

Returns:

resolver description dict

Return type:

dict

classmethod getResolverClassType()

provide the resolver type for registration

getResolverDescriptor()

return the descriptor of the resolver, which is - the class name and - the config description

Returns:

resolver description dict

Return type:

dict

getResolverId()

getResolverId - provide the resolver identifier

Returns:

returns the resolver identifier string or empty string if not exist

Return type:

string

getResolverType()

getResolverType - return the type of the resolver

Returns:

returns the string ‘ldapresolver’

Return type:

string

getSearchFields(searchDict=None)

return all fields on which a search could be made

Returns:

dictionary of the search fields and their types - not used!!

Return type:

dict

getUserId(loginname)

return the userId which mappes to an loginname

Parameters:

loginName (string) – login name of the user

Returns:

userid - unique idenitfier for this unser

Return type:

string

getUserInfo(userid)

return all user related information

Parameters:

userId (string) – specified user

Returns:

dictionary, containing all user related info

Return type:

dict

The return is a dictionary with well defined keys:

fields = {
    "username": 1,
    "userid": 1,
    "description": 0,
    "phone": 0,
    "mobile": 0,
    "email": 0,
    "givenname": 0,
    "surname": 0,
    "gender": 0
}

getUserLDAPInfo(UserId)

This function returns all user information for a given user object identified by UserID. In LDAP case this is the DN, but could also be ‘objectguid’ or uidtype

Parameters:

• userid (unicode or str) – user identifier (in unicode)

• attrlist (list) – the list of attributes, which should be returned if None, the attributes are not filtered on the server side and all are returned

Returns:

user info dict

Return type:

dict

getUserList(searchDict)

retrieve a list of users

Parameters:

searchDict (dict) – dictionary of the search criterias

Returns:

resultList, a dict with user info

getUserListIterator(searchDict, limit_size=True)

iterator based access to get the list of users to prevent server response of sizelimit exceeded

Parameters:

• searchDict – the dict with a search filter expression

• limit_size – restrict the returned data size to size_limit

Returns:

generator object (that yields userlist arrays).

getUsername(userid)

get the loginname from the given userid

Parameters:

userId (string) – userid descriptor

Returns:

loginname

Return type:

string

loadConfig(config, conf='')

loadConfig - load the config of the resolver

Parameters:

• config – configuration dictionary, could be parameter or linotp config format

• conf – configuration identifier

nameDict: Dict[str, str] = {}

now_timestamp()

now - insert the now timestamp

as AD starts it’s time count at 31/12/1601, when the vigent gregorian cycle in our calendar is started, we have to add the diff to the unix now timestamp, which starts at 1/1/1970

accExp: expiry date of an user, in which case we count since 31/12/1601

not since 01/01/1601; so we add 86400 seconds to the final result. As we use this timestamp only for the account expiry, we set this as default

classmethod parse_timeout(timeout, div=2.0)

primary_key = 'UIDTYPE'

classmethod primary_key_changed(new_params, previous_params)

check if during the parameter update the primary key has changed

Parameters:

• new_params – the set of new parameters

• previous_params – the set of previous parameters

Returns:

boolean

resolver_parameters: Dict[str, Tuple[bool, Optional[Union[str, bool, int]], Callable[[Any], Any]]] = {'BINDDN': (True, None, <function text>), 'BINDPW': (True, None, <function encrypted_data>), 'EnforceTLS': (False, True, <function boolean>), 'LDAPBASE': (True, None, <function text>), 'LDAPFILTER': (True, None, <function text>), 'LDAPSEARCHFILTER': (True, None, <function text>), 'LDAPURI': (True, None, <function text>), 'LOGINNAMEATTRIBUTE': (True, None, <function text>), 'NOREFERRALS': (False, False, <function boolean>), 'PROXY': (False, False, <function boolean>), 'SIZELIMIT': (False, 500, <class 'int'>), 'TIMEOUT': (False, -1, <function text>), 'UIDTYPE': (False, 'DN', <function text>), 'USERINFO': (True, True, <function text>), 'only_trusted_certs': (False, True, <function boolean>), 'readonly': (False, False, <function boolean>)}

searchFields = {'description': 'text', 'email': 'text', 'givenname': 'text', 'surname': 'text', 'userid': 'text', 'username': 'text'}

classmethod setup(config=None, cache_dir=None)

this setup hook is triggered, when the server starts to serve the first request

Parameters:

config – the linotp config

Returns:

-nothing-

classmethod testconnection(params, silent=False)

This is used to test if the given parameter set will do a successful LDAP connection.

Parameters:

params –

• BINDDN

• BINDPW

• LDAPURI

• TIMEOUT

• LDAPBASE

• LOGINNAMEATTRIBUTE’: ‘sAMAccountName’,

• LDAPSEARCHFILTER’: ‘(sAMAccountName=*)(objectClass=user)’,

• LDAPFILTER’: ‘(&(sAMAccountName=%s)(objectClass=user))’,

• USERINFO’: ‘{ “username”: “sAMAccountName”, “phone” :

  ”telephoneNumber”, “mobile” : “mobile”, “email” : “mail”, “surname” : “sn”, “givenname” : “givenName” }’

• SIZELIMIT

• NOREFERRALS

• EnforceTLS

unbind(lobj)

unbind() - this function formarly freed the ldap connection which is now done in the class destructor __del__()

Parameters:

l – ldap object

Returns:

-nothing-

linotp.useridresolver.LDAPIdResolver.escape_hex_for_search(hex_value: str) → str

transform an hex string for a byte search in ldap, especially used for objectGUID

From: https://ldapwiki.com/wiki/ObjectGUID

ObjectGUID LDAP in SearchFilters

In order to form an LDAP SearchFilter that searches based on an ObjectGUID, the GUID value must be entered in a special syntax in the filter - where each byte in the hexadecimal representation of the GUID must be escaped with a Backslash () symbol.

To provide an example, in order to search for an object with hexadecimal

GUID “90395F191AB51B4A9E9686C66CB18D11”,

the corresponding filter should be set as:

(objectGUID=909F
9
AB5
BA9E9686C6CB18D )

Parameters:

hex_value – e.g. the objectGuid in hex representation

Returns:

str escaped hex representation, to be used for search

linotp.useridresolver.LDAPIdResolver.resolver_request(params, silent=False)