linotp.useridresolver.LDAPIdResolver module

This module implements the communication

and data mapping to LDAP servers. The LinOTPd imports this module to use LDAP servers as a userstore.

Dependencies: UserIdResolver

class linotp.useridresolver.LDAPIdResolver.IdResolver

Bases: UserIdResolver

LDAP User Id resolver

bind()

bind() - this function starts an ldap conncetion

checkPass(uid, password)

checkPass - checks the password for a given uid.

Parameters

• uid (string) – userid to be checked

• password (string) – user password

:return : true in case of success, false if password does not match :rtype : boolean

Attention

First the UID needs to be converted to the DN, in case the Uid is not the DN

close()

closes method is called, when the request ends - here we close the ldap connection by unbind

conf = ''

classmethod connect(uri, caller, trace_level=0)

helper - to build up the initial ldap / ldaps connection

Parameters

uri – the ldap url

Returns

the ldap connection object

critical_parameters: List[str] = ['LDAPBASE', 'BINDDN', 'LDAPURI']

crypted_parameters: List[str] = ['BINDPW']

db_prefix = 'useridresolver.LDAPIdResolver.IdResolver'

fields = {'description': 0, 'email': 0, 'gender': 0, 'givenname': 0, 'mobile': 0, 'phone': 0, 'surname': 0, 'userid': 1, 'username': 1}

classmethod getResolverClassDescriptor()

return the descriptor of the resolver, which is - the class name and - the config description

Returns

resolver description dict

Return type

dict

classmethod getResolverClassType()

provide the resolver type for registration

getResolverDescriptor()

return the descriptor of the resolver, which is - the class name and - the config description

Returns

resolver description dict

Return type

dict

getResolverId()

getResolverId - provide the resolver identifier

Returns

returns the resolver identifier string or empty string if not exist

Return type

string

getResolverType()

getResolverType - return the type of the resolver

Returns

returns the string ‘ldapresolver’

Return type

string

getSearchFields(searchDict=None)

return all fields on which a search could be made

Returns

dictionary of the search fields and their types - not used!!

Return type

dict

getUserId(loginname)

return the userId which mappes to an loginname

Parameters

loginName (string) – login name of the user

Returns

userid - unique idenitfier for this unser

Return type

string

getUserInfo(userid)

return all user related information

Parameters

userId (string) – specified user

Returns

dictionary, containing all user related info

Return type

dict

The return is a dictionary with well defined keys:

fields = {
    "username": 1,
    "userid": 1,
    "description": 0,
    "phone": 0,
    "mobile": 0,
    "email": 0,
    "givenname": 0,
    "surname": 0,
    "gender": 0
}

getUserLDAPInfo(UserId)

This function returns all user information for a given user object identified by UserID. In LDAP case this is the DN, but could also be ‘objectguid’ or uidtype

Parameters

• userid (unicode or str) – user identifier (in unicode)

• attrlist (list) – the list of attributes, which should be returned if None, the attributes are not filtered on the server side and all are returned

Returns

user info dict

Return type

dict

getUserList(searchDict)

retrieve a list of users

Parameters

searchDict (dict) – dictionary of the search criterias

Returns

resultList, a dict with user info

getUserListIterator(searchDict, limit_size=True)

iterator based access to get the list of users to prevent server response of sizelimit exceeded

Parameters

• searchDict – the dict with a search filter expression

• limit_size – restrict the returned data size to size_limit

Returns

generator object (that yields userlist arrays).

getUsername(userid)

get the loginname from the given userid

Parameters

userId (string) – userid descriptor

Returns

loginname

Return type

string

loadConfig(config, conf='')

loadConfig - load the config of the resolver

Parameters

• config – configuration dictionary, could be parameter or linotp config format

• conf – configuration identifier

nameDict: Dict[str, str] = {}

now_timestamp()

now - insert the now timestamp

as AD starts it’s time count at 31/12/1601, when the vigent gregorian cycle in our calendar is started, we have to add the diff to the unix now timestamp, which starts at 1/1/1970

accExp: expiry date of an user, in which case we count since 31/12/1601

not since 01/01/1601; so we add 86400 seconds to the final result. As we use this timestamp only for the account expiry, we set this as default

classmethod parse_timeout(timeout, div=2.0)

primary_key = 'UIDTYPE'

classmethod primary_key_changed(new_params, previous_params)

check if during the parameter update the primary key has changed

Parameters

• new_params – the set of new parameters

• previous_params – the set of previous parameters

Returns

boolean

resolver_parameters: Dict[str, Tuple[bool, Optional[Union[str, bool, int]], Callable[[Any], Any]]] = {'BINDDN': (True, None, <class 'str'>), 'BINDPW': (True, None, <function encrypted_data>), 'EnforceTLS': (False, True, <function boolean>), 'LDAPBASE': (True, None, <class 'str'>), 'LDAPFILTER': (True, None, <class 'str'>), 'LDAPSEARCHFILTER': (True, None, <class 'str'>), 'LDAPURI': (True, None, <class 'str'>), 'LOGINNAMEATTRIBUTE': (True, None, <class 'str'>), 'NOREFERRALS': (False, False, <function boolean>), 'PROXY': (False, False, <function boolean>), 'SIZELIMIT': (False, 500, <class 'int'>), 'TIMEOUT': (False, -1, <class 'str'>), 'UIDTYPE': (False, 'DN', <class 'str'>), 'USERINFO': (True, True, <class 'str'>), 'only_trusted_certs': (False, True, <function boolean>), 'readonly': (False, False, <function boolean>)}

searchFields = {'description': 'text', 'email': 'text', 'givenname': 'text', 'surname': 'text', 'userid': 'text', 'username': 'text'}

classmethod setup(config=None, cache_dir=None)

this setup hook is triggered, when the server starts to serve the first request

Parameters

config – the linotp config

Returns

-nothing-

classmethod testconnection(params, silent=False)

This is used to test if the given parameter set will do a successful LDAP connection.

Parameters

params –

• BINDDN

• BINDPW

• LDAPURI

• TIMEOUT

• LDAPBASE

• LOGINNAMEATTRIBUTE’: ‘sAMAccountName’,

• LDAPSEARCHFILTER’: ‘(sAMAccountName=*)(objectClass=user)’,

• LDAPFILTER’: ‘(&(sAMAccountName=%s)(objectClass=user))’,

• USERINFO’: ‘{ “username”: “sAMAccountName”, “phone” :

  ”telephoneNumber”, “mobile” : “mobile”, “email” : “mail”, “surname” : “sn”, “givenname” : “givenName” }’

• SIZELIMIT

• NOREFERRALS

• EnforceTLS

unbind(lobj)

unbind() - this function formarly freed the ldap connection which is now done in the class destructor __del__()

Parameters

l – ldap object

Returns

-nothing-

linotp.useridresolver.LDAPIdResolver.escape_hex_for_search(hex_value: str) → str

transform an hex string for a byte search in ldap, especially used for objectGUID

From: https://ldapwiki.com/wiki/ObjectGUID

ObjectGUID LDAP in SearchFilters

In order to form an LDAP SearchFilter that searches based on an ObjectGUID, the GUID value must be entered in a special syntax in the filter - where each byte in the hexadecimal representation of the GUID must be escaped with a Backslash () symbol.

To provide an example, in order to search for an object with hexadecimal

GUID “90395F191AB51B4A9E9686C66CB18D11”,

the corresponding filter should be set as:

(objectGUID=909F
9
AB5
BA9E9686C6CB18D )

Parameters

hex_value – e.g. the objectGuid in hex representation

Returns

str escaped hex representation, to be used for search

linotp.useridresolver.LDAPIdResolver.resolver_request(params, silent=False)