reviewboard.accounts.backends.ad¶

Active Directory authentication backend.

class ActiveDirectoryBackend[source]¶

Bases: BaseAuthBackend

Authenticate a user against an Active Directory server.

This is controlled by the following Django settings:

AD_DOMAIN_CONTROLLER:

The domain controller (or controllers) to connect to. This must be a string, but multiple controllers can be specified by separating each with a space.

This is auth_ad_domain_controller in the site configuration.

AD_DOMAIN_NAME:

The Active Directory domain name. This must be a string.

This is auth_ad_domain_name in the site configuration.

AD_FIND_DC_FROM_DNS:

Whether domain controllers should be found by using DNS. This must be a boolean.

This is auth_ad_find_dc_from_dns in the site configuration.

AD_GROUP_NAME:

The optional name of the group to restrict available users to. This must be a string.

This is auth_ad_group_name in the site configuration.

AD_OU_NAME:

The optional name of the Organizational Unit to restrict available users to. This must be a string.

This is auth_ad_ou_name in the site configuration.

AD_RECURSION_DEPTH:

Maximum depth to recurse when checking group membership. A value of -1 means infinite depth is supported. A value of 0 turns off recursive checks.

This is auth_ad_recursion_depth in the site configuration.

AD_SEARCH_ROOT:

A custom search root for entries in Active Directory. This must be a string.

This is auth_ad_search_root in the site configuration.

AD_USE_TLS:

Whether to use TLS when communicating over LDAP. This must be a boolean.

This is auth_ad_use_tls in the site configuration.

backend_id: Optional[str] = 'ad'[source]¶

The unique ID for the authentication backend.

Type:

str

name: Optional[StrOrPromise] = 'Active Directory'[source]¶

The display name for the authentication backend.

This will be shown in the list of backends in the administration UI.

Type:

str

settings_form[source]¶

alias of ActiveDirectorySettingsForm

login_instructions: Optional[StrOrPromise] = 'Use your standard Active Directory username and password.'[source]¶

Authentication instructions to display above the Login form.

Type:

str

get_domain_name() → str[source]¶

Return the current Active Directory domain name.

This returns the domain name as set in AD_DOMAIN_NAME.

Returns:

The Active Directory domain name.

Return type:

str

get_ldap_search_root(user_domain: Optional[str] = None) → str[source]¶

Return the search root(s) for users in the LDAP server.

If AD_SEARCH_ROOT is set, then it will be used. Otherwise, a suitable search root will be computed based on the domain name (either the provided user_domain or the result of get_domain_name()) and any configured Organizational Unit name (AD_OU_NAME).

Parameters:

user_domain (str, optional) – An explicit Active Directory domain to use for the search root.

Returns:

The search root used to locate users.

Return type:

str

search_ad(con: LDAPObject, filterstr: str, user_domain: Optional[str] = None) → _SearchResults[source]¶

Search the given LDAP server based on the provided filter.

Parameters:

• con (ldap.ldapobject.LDAPObject) – The LDAP connection to search.

• filterstr (str) – The filter string used to locate objects in Active Directory.

• user_domain (str, optional) – An explicit domain used for the search. If not provided, get_domain_name() will be used.

Returns:

The list of search results. Each tuple in the list is in the form of (dn, attrs), where dn is the Distinguished Name of the entry and attrs is a dictionary of attributes for that entry.

Return type:

list of tuple

find_domain_controllers_from_dns(user_domain: Optional[str] = None) → List[Tuple[str, str]][source]¶

Find and return the active domain controllers using DNS.

Parameters:

user_domain (str, optional) – An explicit domain used for the search. If not provided, get_domain_name() will be used.

Returns:

The list of domain controllers in the form of:

Tuple:

• 0 (int) – The domain controller port.

• 1 (str) – The domain controller host.

Return type:

list of tuple

can_recurse(depth: int) → bool[source]¶

Return whether the given recursion depth is too deep.

Parameters:

depth (int) – The current depth to check.

Returns:

True if the provided depth can be recursed into. False if it’s too deep.

Return type:

bool

get_member_of(con: LDAPObject, search_results: _SearchResults, seen: Optional[Set[str]] = None, depth: int = 0) → Set[str][source]¶

Return the LDAP groups for the given users.

This iterates over the users specified in search_results and returns a set of groups of which those users are members.

Parameters:

• con (ldap.LDAPObject) – The LDAP connection used for checking groups memberships.

• search_results (list of tuple) – The list of search results to check. This expects a result from search_ad().

• seen (set, optional) – The set of groups that have already been seen when recursing. This is used internally by this method and should not be provided by the caller.

• depth (int, optional) – The current recursion depth. This is used internally by this method and should not be provided by the caller.

Returns:

The group memberships found for the given users.

Return type:

set

get_ldap_connections(user_domain: str, request: Optional[HttpRequest] = None) → Iterator[Tuple[str, LDAPObject]][source]¶

Return all LDAP connections used for Active Directory.

This returns an iterable of connections to the LDAP servers specified in AD_DOMAIN_CONTROLLER.

Parameters:

• user_domain (str) – The domain for the user.

• request (django.http.HttpRequest, optional) – The HTTP request from the client. This is used only for logging purposes.

Yields:

tuple of (str, ldap.LDAPObject) – The connections to the configured LDAP servers.

authenticate(request: Optional[HttpRequest] = None, *, username: Optional[str] = None, password: Optional[str] = None, **kwargs) → Optional[User][source]¶

Authenticate a user against Active Directory.

This will attempt to authenticate the user against Active Directory. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.

Changed in version 6.0:

• request is now optional.

• username and password are technically optional, to aid in consistency for type hints, but will result in a None result.

Changed in version 4.0: The request argument is now mandatory as the first positional argument, as per requirements in Django.

Parameters:

• request (django.http.HttpRequest) – The HTTP request from the caller. This may be None.

• username (str) – The username to authenticate.

• password (str) – The user’s password.

• **kwargs (dict, unused) – Additional keyword arguments passed by the caller.

Returns:

The authenticated user, or None if the user could not be authenticated for any reason.

Return type:

django.contrib.auth.models.User

get_or_create_user(username: str, request: Optional[HttpRequest] = None, ad_user_data: Optional[_SearchResults] = None) → Optional[User][source]¶

Return an existing user or create one if it doesn’t exist.

This does not authenticate the user.

If the user does not exist in the database, but does in Active Directory, its information will be stored in the database for later lookup. However, this will only happen if ad_user_data is provided.

Parameters:

• username (str) – The name of the user to look up or create.

• request (django.http.HttpRequest, unused) – The HTTP request from the client. This is unused.

• ad_user_data (list of tuple, optional) – Data about the user to create. This is generally provided by authenticate().

Returns:

The resulting user, or None if one could not be found.

Return type:

django.contrib.auth.models.User

__annotations__ = {'INVALID_USERNAME_CHAR_REGEX': 're.Pattern', 'backend_id': 'Optional[str]', 'login_instructions': 'Optional[StrOrPromise]', 'name': 'Optional[StrOrPromise]', 'settings_form': 'Optional[Type[SiteSettingsForm]]', 'supports_change_email': 'bool', 'supports_change_name': 'bool', 'supports_change_password': 'bool', 'supports_registration': 'bool'}¶