reviewboard.accounts.backends.ldap
LDAP authentication backend.
- class LDAPBackend
Bases: BaseAuthBackend
Authentication backend for LDAP servers.
This allows the use of LDAP servers for authenticating users in Review Board, and for importing individual users on-demand. It allows for a lot of customization in terms of how the LDAP server is queried, providing compatibility with most open source and commercial LDAP servers.
The following Django settings are supported:
LDAP_ANON_BIND_UID
:The full DN (distinguished name) of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This is treated as a general or “anonymous” user for servers requiring authentication, and will not be otherwise imported into the Review Board server (unless attempting to log in with the same name).
This can be unset if the LDAP server supports actual anonymous binds without a DN.
LDAP_ANON_BIND_PASSWD
:The password used for the account specified in LDAP_ANON_BIND_UID.
LDAP_ANON_BIND_UID
:The full distinguished name of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This can be unset if the LDAP server supports anonymous binds.
LDAP_BASE_DN
:The base DN (distinguished name) used to perform LDAP searches.
LDAP_EMAIL_ATTRIBUTE
:The attribute designating the e-mail address of a user in the directory. E-mail attributes are only used if this is set and if LDAP_EMAIL_DOMAIN is not set.
LDAP_EMAIL_DOMAIN
:The domain name to use for e-mail addresses. If set, users imported from LDAP will have an e-mail address in the form of username@LDAP_EMAIL_DOMAIN. This takes priority over LDAP_EMAIL_ATTRIBUTE.
LDAP_GIVEN_NAME_ATTRIBUTE
:The attribute designating the given name (or first name) of a user in the directory. This defaults to givenName if not provided.
LDAP_SURNAME_ATTRIBUTE
:The attribute designating the surname (or last name) of a user in the directory. This defaults to sn if not provided.
LDAP_TLS
:Whether to use TLS to communicate with the LDAP server.
LDAP_UID
:The attribute indicating a user’s unique ID in the directory. This is used to compute a user lookup filter in the format of (LDAP_UID=username).
LDAP_UID_MASK
:A mask defining a filter for looking up users. This must contain %s somewhere in the string, representing the username. For example: (something_special=%s).
LDAP_URI
:The URI to the LDAP server to connect to for all communication.
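The filter and e-mail rules described by these settings, as an added example that is not Review Board's own code. The function names, the sample values, the choice that a set LDAP_UID_MASK replaces the LDAP_UID filter, and the RFC 4515 escaping of the username before substitution are assumptions of this example.

```python
# Added example: not Review Board's implementation. Names and values are hypothetical.
# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def check_settings(cfg):
    """Return a list of problems found in a dict of LDAP_* settings."""
    problems = ["%s is not set" % key
                for key in ("LDAP_URI", "LDAP_BASE_DN") if not cfg.get(key)]
    mask = cfg.get("LDAP_UID_MASK")
    if mask and "%s" not in mask:
        problems.append("LDAP_UID_MASK has no %s placeholder")
    if str(cfg.get("LDAP_URI", "")).startswith("ldap://") and not cfg.get("LDAP_TLS"):
        problems.append("ldap:// URI with LDAP_TLS off: traffic is not encrypted")
    return problems


def user_filter(cfg, username):
    """Build the user lookup filter from LDAP_UID_MASK or LDAP_UID."""
    safe = escape_filter_value(username)
    mask = cfg.get("LDAP_UID_MASK")
    if mask:  # assumption: a mask, when set, is used instead of LDAP_UID
        return mask.replace("%s", safe)
    return "(%s=%s)" % (cfg["LDAP_UID"], safe)


def user_email(cfg, username, entry):
    """Pick the e-mail address; LDAP_EMAIL_DOMAIN wins over LDAP_EMAIL_ATTRIBUTE."""
    if cfg.get("LDAP_EMAIL_DOMAIN"):
        return "%s@%s" % (username, cfg["LDAP_EMAIL_DOMAIN"])
    attr = cfg.get("LDAP_EMAIL_ATTRIBUTE")
    values = entry.get(attr, []) if attr else []
    return values[0] if values else None


# Constructed sample settings and directory entry, for illustration only.
SAMPLE = {"LDAP_URI": "ldap://ldap.example.com", "LDAP_TLS": False,
          "LDAP_BASE_DN": "ou=people,dc=example,dc=com", "LDAP_UID": "uid",
          "LDAP_UID_MASK": "(&(objectClass=person)(uid=%s))",
          "LDAP_EMAIL_ATTRIBUTE": "mail"}
ENTRY = {"mail": ["jd@corp.example"]}
```

With the sample settings, `check_settings(SAMPLE)` reports only the unencrypted transport, and a username containing `*` or parentheses stays a literal value inside the filter.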
- name: Optional[StrOrPromise] = 'LDAP'
The display name for the authentication backend.
This will be shown in the list of backends in the administration UI.
- Type:
- settings_form
alias of LDAPSettingsForm
- login_instructions: Optional[StrOrPromise] = 'Use your standard LDAP username and password.'
Authentication instructions to display above the Login form.
- Type:
- authenticate(request: Optional[HttpRequest] = None, *, username: Optional[str] = None, password: Optional[str] = None, **credentials) -> Optional[User]
Authenticate a user.
This will attempt to authenticate the user against the LDAP server. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.
Changed in version 6.0: request is now optional. username and password are technically optional, to aid in consistency for type hints, but will result in a None result.
Changed in version 4.0: The request argument is now mandatory as the first positional argument, as per requirements in Django.
- Parameters:
request (django.http.HttpRequest, optional) – The HTTP request from the caller. This may be None.
username (str) – The username used to authenticate.
password (str) – The password used to authenticate.
**kwargs (dict, unused) – Additional keyword arguments supplied by the caller.
- Returns:
The authenticated user, or None if the user could not be authenticated for any reason.
- Return type:
- get_or_create_user(username: str, request: Optional[HttpRequest] = None, ldapo: Optional[LDAPObject] = None, userdn: Optional[str] = None) -> Optional[User]
Return a user account, importing from LDAP if necessary.
If the user already exists in the database, it will be returned directly. Otherwise, this will attempt to look up the user in LDAP and create a local user account representing that user.
- Parameters:
username (str) – The username to look up.
request (django.http.HttpRequest, optional) – The optional HTTP request for this operation.
ldapo (ldap.ldapobject.LDAPObject, optional) – The existing LDAP connection, if the caller has one. If not provided, a new connection will be created.
userdn (str, optional) – The DN for the user being looked up, if the caller knows it. If not provided, the DN will be looked up.
- Returns:
The resulting user, if it could be found either locally or in LDAP. If the user does not exist, None is returned.
- Return type: