
The useridresolver is responsible for getting userids for loginnames and vice versa.

This base module contains the base class UserIdResolver.UserIdResolver and also the community class PasswdIdResolver.IdResolver, which inherits from the base class.

Base class

class privacyidea.lib.resolvers.UserIdResolver.UserIdResolver[source]
checkPass(uid, password)[source]

This function checks the password for a given uid. Returns true in case of success, false if the password does not match.

Parameters:
  • uid (string or int) – The uid in the resolver
  • password (string) – the password to check. Usually in cleartext
Returns:True or False
Return type:bool



Hook to close down the resolver after one request

classmethod getResolverClassDescriptor()[source]

return the descriptor of the resolver, which is

  • the class name and
  • the config description

Returns:resolver description dict
Return type:dict
classmethod getResolverClassType()[source]

provide the resolver type for registration


return the descriptor of the resolver, which is

  • the class name and
  • the config description

Returns:resolver description dict
Return type:dict

get resolver specific information

Returns:the resolver identifier string - empty string if not exist

classmethod getResolverType()[source]

getResolverType - return the type of the resolver

Returns:returns the string ‘ldapresolver’
Return type:string

The loginname is resolved to a user_id. Depending on the resolver type the user_id can be an ID (like in /etc/passwd) or a string (like the DN in LDAP)

It needs to return an empty string if the user does not exist.

Parameters:loginName (string) – The login name of the user
Returns:The ID of the user
Return type:string or int

This function returns all user information for a given user object identified by UserID.

Parameters:userid (int or string) – ID of the user in the resolver
Returns:dictionary, if no object is found, the dictionary is empty
Return type:dict


This function finds the user objects, that have the term ‘value’ in the user object field ‘key’

Parameters:searchDict (dict) – dict with key values of user attributes - the key may be something like ‘loginname’ or ‘email’ the value is a regular expression.
Returns:list of dictionaries (each dictionary contains a user object) or an empty string if no object is found.
Return type:list of dicts

Returns the username/loginname for a given userid

Parameters:userid (string) – The userid in this resolver
Returns:username
Return type:string


Load the configuration from the dict into the Resolver object. If attributes are missing, default values need to be set. If required attributes are missing, this should raise an Exception.

Parameters:config (dict) – The configuration values of the resolver
classmethod testconnection(param)[source]

This function lets you test if the parameters can be used to create a working resolver. The implementation should try to connect to the user store and verify if users can be retrieved. In case of success it should return a text like “Resolver config seems OK. 123 Users found.”

Parameters:param (dict) – The parameters that should be saved as the resolver
Returns:returns True in case of success and a descriptive text
Return type:tuple


class privacyidea.lib.resolvers.PasswdIdResolver.IdResolver[source]
checkPass(uid, password)[source]

This function checks the password for a given uid. Returns true in case of success, false if the password does not match.

We do not support shadow passwords, so the second column of the passwd file needs to contain the crypted password.

Parameters:
  • uid (int) – The uid of the user
  • password (string) – The password in cleartext
Returns:True or False
Return type:bool


checkUserId(line, pattern)[source]

Check if a userid matches a pattern. A pattern can be “=1000”, “>=1000”, “<2000” or “between 1000,2000”.

Parameters:
  • line (dict) – the dictionary of a user
  • pattern (string) – match pattern with <, <=...
Returns:True or False
Return type:bool
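
The pattern forms listed for checkUserId can be evaluated as shown here. This is an added example, not privacyIDEA's own code: the function names, the `userid` key, the inclusive `between` bounds and the rejection of unparseable patterns are assumptions.

```python
import operator
import re

# Comparison operators from the documented patterns, longest first so that
# ">=" is not read as ">" followed by "=1000".
_OPS = [(">=", operator.ge), ("<=", operator.le), (">", operator.gt),
        ("<", operator.lt), ("=", operator.eq)]
_BETWEEN = re.compile(r"between\s+(\d+)\s*,\s*(\d+)")
_NUMBER = re.compile(r"\d+")

def uid_matches(user, pattern, uid_key="userid"):
    """Return True if the numeric uid in `user` satisfies `pattern`.

    `uid_key` is an assumed field name. Anything that cannot be parsed
    (unknown operator, non-numeric bound or uid) yields False, so a broken
    filter never widens the set of matched users.
    """
    try:
        uid = int(user[uid_key])
    except (KeyError, TypeError, ValueError):
        return False
    pattern = pattern.strip()
    m = _BETWEEN.fullmatch(pattern)
    if m:
        # Assumption: both bounds are inclusive.
        return int(m.group(1)) <= uid <= int(m.group(2))
    for symbol, compare in _OPS:
        if pattern.startswith(symbol):
            bound = pattern[len(symbol):].strip()
            if _NUMBER.fullmatch(bound):
                return compare(uid, int(bound))
            return False
    return False

# Constructed sample users, not taken from any real passwd file.
SAMPLE_USERS = [
    {"username": "root", "userid": "0"},
    {"username": "alice", "userid": "1000"},
    {"username": "bob", "userid": "1999"},
    {"username": "nobody", "userid": "65534"},
]

def select(pattern):
    """Return the login names of the sample users matching `pattern`."""
    return [u["username"] for u in SAMPLE_USERS if uid_matches(u, pattern)]
```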


checkUserName(line, pattern)[source]

check for user name

classmethod getResolverClassDescriptor()[source]

return the descriptor of the resolver, which is

  • the class name and
  • the config description

Returns:resolver description dict
Return type:dict

return the resolver identifier string, which is in fact the filename it points to.


show which search fields this userIdResolver supports

TODO: implementation is not completed

Parameters:searchDict (dict) – fields, which can be queried
Returns:dict of all searchFields
Return type:dict

search the user id from the login name

Parameters:LoginName – the login of the user
Returns:the userId
getUserInfo(userId, no_passwd=False)[source]

get some info about the user. As we only have the loginId, we have to traverse the dict for the value

Parameters:
  • userId – the user to be searched
  • no_passwd – return no password
Returns:dict of user info


get a list of all users matching the search criteria of the searchdict

Parameters:searchDict – dict of search expressions

Returns the username/loginname for a given userid

Parameters:userid (string) – The userid in this resolver
Returns:username
Return type:string


The UserIdResolver could be configured from the pylons app config - here this could be the passwd file, whether it is /etc/passwd or /etc/shadow


Loads the data of the file initially. If self.fileName is empty, it loads /etc/passwd. Empty lines are ignored.

classmethod setup(config=None, cache_dir=None)[source]

this setup hook is triggered, when the server starts to serve the first request

Parameters:config (the privacyidea config dict) – the privacyidea config
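
The PasswdIdResolver behaviour described above (empty lines ignored, an empty string for an unknown login, `no_passwd`, no shadow support) can be reproduced in a standalone form. This is an added example, not privacyIDEA's own code; the field names, function names and sample file content are constructed for illustration.

```python
# Constructed passwd-format sample; the hash value is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash

alice:$6$EXAMPLESALT$EXAMPLEHASH:1000:1000:Alice:/home/alice:/bin/bash
bob:*:1001:1001:Bob:/home/bob:/bin/sh
carol::1002:1002:Carol:/home/carol:/bin/sh
"""

# Field names are assumptions made for this example.
FIELDS = ("username", "cryptpass", "userid", "gid", "description", "home", "shell")

def load_users(text):
    """Parse passwd-format text into {userid: user dict}; empty lines are ignored."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) == len(FIELDS):  # lines with a wrong field count are skipped
            user = dict(zip(FIELDS, parts))
            users[user["userid"]] = user
    return users

def get_user_id(users, login_name):
    """Return the userid for a login name, or an empty string if it does not exist."""
    for uid, user in users.items():
        if user["username"] == login_name:
            return uid
    return ""

def get_user_info(users, uid, no_passwd=False):
    """Return a copy of the user dict (empty if unknown); drop the hash if no_passwd."""
    info = dict(users.get(uid, {}))
    if no_passwd:
        info.pop("cryptpass", None)
    return info

def password_field_status(user):
    """Classify column two; only 'hash' can be checked without shadow support."""
    field = user["cryptpass"]
    if field == "x":
        return "shadowed"  # the hash is kept in /etc/shadow instead
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    return "hash"
```

Callers that only display or search users can pass `no_passwd=True` so the hash from column two never leaves the resolver.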


class privacyidea.lib.resolvers.LDAPIdResolver.IdResolver[source]
checkPass(uid, password)[source]

This function checks the password for a given uid.

  • returns true in case of success
  • false if password does not match

classmethod getResolverClassDescriptor()[source]

return the descriptor of the resolver, which is

  • the class name and
  • the config description

Returns:resolver description dict
Return type:dict

Returns the resolver Id. This should be an identifier of the resolver, preferably the type and the name of the resolver.


resolve the loginname to the userid.

Parameters:LoginName (string) – The login name from the credentials
Returns:UserId as found for the LoginName

This function returns all user info for a given userid/object.

Parameters:userId (string) – The userid of the object
Returns:A dictionary with the keys defined in self.userinfo
Return type:dict
Parameters:searchDict (dict) – A dictionary with search parameters
Returns:list of users, where each user is a dictionary

Returns the username/loginname for a given user_id

Parameters:user_id (string) – The user_id in this resolver
Returns:username
Return type:string


Load the config from conf.

Parameters:config (dict) – The configuration from the Config Table
The information about which config entries we need to load is taken from manage.js: function save_ldap_config

    '#ldap_uri': 'LDAPURI',
    '#ldap_basedn': 'LDAPBASE',
    '#ldap_binddn': 'BINDDN',
    '#ldap_password': 'BINDPW',
    '#ldap_timeout': 'TIMEOUT',
    '#ldap_sizelimit': 'SIZELIMIT',
    '#ldap_loginattr': 'LOGINNAMEATTRIBUTE',
    '#ldap_searchfilter': 'LDAPSEARCHFILTER',
    '#ldap_userfilter': 'LDAPFILTER',
    '#ldap_mapping': 'USERINFO',
    '#ldap_uidtype': 'UIDTYPE',
    '#ldap_noreferrals': 'NOREFERRALS',
    '#ldap_certificate': 'CACERTIFICATE',

classmethod setup(config=None, cache_dir=None)[source]

this setup hook is triggered, when the server starts to serve the first request

Parameters:config (the privacyidea config dict) – the privacyidea config
classmethod testconnection(param)[source]

This function lets you test the LDAP connection that is about to be saved.

This is taken from controllers/

Parameters:param (dict) – A dictionary with all necessary parameter to test the connection.
Returns:Tuple of success and a description
Return type:(bool, string)
Parameters are:
