15.2.2. UserIdResolvers
The useridresolver is responsible for resolving login names to user IDs and vice versa.
This base module contains the base class UserIdResolver.UserIdResolver and also the community class PasswdIdResolver.IdResolver, which inherits from the base class.
15.2.2.1. Base class
- class privacyidea.lib.resolvers.UserIdResolver.UserIdResolver
  - add_user(attributes=None)
    Add a new user in the useridresolver. This is only possible if the UserIdResolver supports this and if we have write access to the user store.
    - Parameters
      username (basestring) – The login name of the user
      attributes – Attributes according to the attribute mapping
    - Returns
      The new UID of the user. The UserIdResolver needs to determine how to create the UID.
  - checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.
    - Parameters
      uid (string or int) – The uid in the resolver
      password (string) – The password to check. Usually in cleartext
    - Returns
      True or False
    - Return type
      bool
  - delete_user(uid)
    Delete a user from the useridresolver. The user is referenced by the user id.
    - Parameters
      uid (basestring) – The uid of the user object that should be deleted.
    - Returns
      Returns True in case of success
    - Return type
      bool
  - property editable
    Return True if this instance of the resolver is configured as editable.
  - classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - static getResolverDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - getResolverId()
    Get resolver-specific information.
    - Returns
      the resolver identifier string; an empty string if it does not exist
  - static getResolverType()
    Return the type of the resolver.
    - Returns
      returns the string ‘ldapresolver’
    - Return type
      string
  - getUserId(loginName)
    The loginname is resolved to a user_id. Depending on the resolver type the user_id can be an ID (like in /etc/passwd) or a string (like the DN in LDAP).
    It needs to return an empty string if the user does not exist.
    - Parameters
      loginName (string) – The login name of the user
    - Returns
      The ID of the user
    - Return type
      str
  - getUserInfo(userid)
    This function returns all user information for a given user object identified by UserID.
    - Parameters
      userid (int or string) – ID of the user in the resolver
    - Returns
      dictionary; if no object is found, the dictionary is empty
    - Return type
      dict
  - getUserList(searchDict=None)
    This function finds the user objects that have the term ‘value’ in the user object field ‘key’.
    - Parameters
      searchDict (dict) – dict with key/value pairs of user attributes. The key may be something like ‘loginname’ or ‘email’; the value is a regular expression.
    - Returns
      list of dictionaries (each dictionary contains a user object) or an empty string if no object is found.
    - Return type
      list of dicts
  - getUsername(userid)
    Returns the username/loginname for a given userid.
    - Parameters
      userid (string) – The userid in this resolver
    - Returns
      username
    - Return type
      string
  - property has_multiple_loginnames
    Return whether this resolver has multiple loginname attributes.
    - Return type
      bool
  - loadConfig(config)
    Load the configuration from the dict into the Resolver object. If attributes are missing, default values need to be set. If required attributes are missing, this should raise an Exception.
    - Parameters
      config (dict) – The configuration values of the resolver
  - classmethod testconnection(param)
    This function lets you test whether the parameters can be used to create a working resolver. The implementation should try to connect to the user store and verify that users can be retrieved. In case of success it should return a text like “Resolver config seems OK. 123 Users found.”
    - Parameters
      param (dict) – The parameters that should be saved as the resolver
    - Returns
      returns True in case of success and a descriptive text
    - Return type
      tuple
  - update_user(uid, attributes=None)
    Update an existing user. This function is also used to update the password. Since the attribute mapping knows which field contains the password, this function can also take care of password changing.
    Attributes that are not contained in the dict attributes are not modified.
    - Parameters
      uid (basestring) – The uid of the user object in the resolver.
      attributes (dict) – Attributes to be updated.
    - Returns
      True in case of success
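The following is an added example, not code from privacyIDEA: a small in-memory resolver that follows the base-class contract described above (empty string from getUserId for an unknown login, empty dict from getUserInfo for an unknown uid, a bool from checkPass, a (bool, text) tuple from testconnection, partial updates in update_user). It does not import privacyidea so that it runs stand-alone; a real resolver would subclass privacyidea.lib.resolvers.UserIdResolver.UserIdResolver. The class name DictIdResolver, the PBKDF2 password storage and the sample users are this example's own choices.

```python
"""In-memory resolver following the UserIdResolver contract documented above.
Added example, not privacyIDEA code; it imports nothing from privacyidea so it
runs stand-alone. A real resolver would subclass
privacyidea.lib.resolvers.UserIdResolver.UserIdResolver instead."""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # constructed choice for this demo store


def _hash_password(password, salt=None):
    """Return (salt, digest) via PBKDF2-HMAC-SHA256; cleartext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class DictIdResolver:
    """Hypothetical resolver over a dict: getUserId -> "" for an unknown login,
    getUserInfo -> {} for an unknown uid, checkPass -> bool, testconnection -> (bool, text)."""

    def __init__(self):
        self.users = {}      # uid -> attribute dict (the password is never kept here)
        self.secrets = {}    # uid -> (salt, digest)
        self._editable = False

    @property
    def editable(self):
        return self._editable

    def _store(self, uid, attrs):
        attrs = dict(attrs)
        password = attrs.pop("password", None)
        self.users[uid] = attrs
        if password is not None:
            self.secrets[uid] = _hash_password(password)

    def loadConfig(self, config):
        """'users' (uid -> attributes) is required; a missing required key raises."""
        if "users" not in config:
            raise ValueError("resolver config lacks required key 'users'")
        self._editable = bool(config.get("editable", False))
        for uid, attrs in config["users"].items():
            self._store(str(uid), attrs)

    def getUserId(self, loginName):
        for uid, attrs in self.users.items():
            if attrs.get("username") == loginName:
                return uid
        return ""

    def getUsername(self, userid):
        return self.users.get(str(userid), {}).get("username", "")

    def getUserInfo(self, userid):
        return dict(self.users.get(str(userid), {}))

    def getUserList(self, searchDict=None):
        """Each searchDict value is a regex that must match the named attribute."""
        return [dict(attrs, userid=uid) for uid, attrs in self.users.items()
                if all(re.search(rx, str(attrs.get(k, ""))) for k, rx in (searchDict or {}).items())]

    def checkPass(self, uid, password):
        stored = self.secrets.get(str(uid))
        if stored is None:
            return False  # unknown uid or no password set: never True
        salt, digest = stored
        return hmac.compare_digest(digest, _hash_password(password, salt)[1])

    def update_user(self, uid, attributes=None):
        uid = str(uid)
        if not self.editable or uid not in self.users:
            return False
        # Keys absent from 'attributes' stay unchanged; a new password is re-hashed.
        self._store(uid, dict(self.users[uid], **(attributes or {})))
        return True

    @classmethod
    def testconnection(cls, param):
        probe = cls()
        try:
            probe.loadConfig(param)
        except ValueError as err:
            return False, str(err)
        return True, "Resolver config seems OK. {} Users found.".format(len(probe.users))


# Constructed sample store; the passwords exist only to exercise checkPass.
SAMPLE_CONFIG = {"editable": True, "users": {
    1000: {"username": "alice", "email": "alice@example.org", "password": "correct horse"},
    1001: {"username": "bob", "email": "bob@example.org", "password": "hunter2"}}}


def load_sample():
    resolver = DictIdResolver()
    resolver.loadConfig(SAMPLE_CONFIG)
    return resolver
```

Two details carry over to real resolvers: getUserInfo never returns the password (it is popped before the attributes are stored), and checkPass compares digests with hmac.compare_digest so an unknown uid and a wrong password take the same code path and both yield False.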
15.2.2.2. PasswdResolver
- class privacyidea.lib.resolvers.PasswdIdResolver.IdResolver
  - checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.
    We do not support shadow passwords, so the second column of the passwd file needs to contain the crypted password.
    If the password is a unicode object, it is encoded according to ENCODING first.
    - Parameters
      uid (int) – The uid of the user
      password (string) – The password in cleartext
    - Returns
      True or False
    - Return type
      bool
  - checkUserId(line, pattern)
    Check if a userid matches a pattern. A pattern can be “=1000”, “>=1000”, “<2000” or “between 1000,2000”.
    - Parameters
      line (dict) – the dictionary of a user
      pattern (string) – match pattern with <, <=, …
    - Returns
      True or False
    - Return type
      bool
  - classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - static getResolverDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - getResolverId()
    Return the resolver identifier string, which in fact is the filename it points to.
  - static getResolverType()
    Return the type of the resolver.
    - Returns
      returns the string ‘ldapresolver’
    - Return type
      string
  - getSearchFields(searchDict=None)
    Show which search fields this userIdResolver supports.
    TODO: implementation is not completed
    - Parameters
      searchDict (dict) – fields which can be queried
    - Returns
      dict of all searchFields
    - Return type
      dict
  - getUserId(LoginName)
    Search the user id from the login name.
    - Parameters
      LoginName – the login of the user (as unicode)
    - Returns
      the userId
    - Return type
      str
  - getUserInfo(userId, no_passwd=False)
    Get some info about the user. As we only have the loginId, we have to traverse the dict for the value.
    - Parameters
      userId – the user to be searched
      no_passwd – return no password
    - Returns
      dict of user info
  - getUserList(searchDict=None)
    Get a list of all users matching the search criteria of the searchDict.
    - Parameters
      searchDict – dict of search expressions
  - getUsername(userId)
    Returns the username/loginname for a given userid.
    - Parameters
      userId (string) – The userid in this resolver
    - Returns
      username
    - Return type
      str
  - loadConfig(configDict)
    The UserIdResolver could be configured from the pylons app config; here this could be the passwd file, whether it is /etc/passwd or /etc/shadow.
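As an added example (not the PasswdIdResolver code), the block below parses /etc/passwd-style lines and implements the userid pattern grammar documented for checkUserId ("=1000", ">=1000", "<2000", "between 1000,2000"). In get_user_list the value of a "userid" search key is treated as such a pattern and every other key as a regular expression; that split, the function names and the sample passwd content are this example's own assumptions. checkPass is not shown because it depends on the crypt(3) hash format of the second column.

```python
"""Passwd-file lookup with userid patterns. Added example, not privacyIDEA code."""
import re

# Constructed sample passwd content. The second column holds "x" as a
# placeholder rather than a real crypted password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Builder:/home/bob:/bin/zsh
svc-backup:x:2001:2001:Backup service:/var/backups:/usr/sbin/nologin
"""

FIELDS = ("username", "cryptpass", "userid", "gid", "description", "home", "shell")


def parse_passwd(text):
    """Return one dict per well-formed passwd line; malformed lines are skipped
    rather than guessed at, since a guessed mapping could attach the wrong identity."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS) or not parts[2].isdigit():
            continue
        user = dict(zip(FIELDS, parts))
        user["userid"] = int(user["userid"])
        # The GECOS field may carry comma-separated extras; keep only the name.
        user["description"] = user["description"].split(",")[0]
        users.append(user)
    return users


_COMPARE = re.compile(r"^\s*(>=|<=|=|>|<)\s*(\d+)\s*$")
_BETWEEN = re.compile(r"^\s*between\s+(\d+)\s*,\s*(\d+)\s*$", re.IGNORECASE)


def check_userid(user, pattern):
    """True if user['userid'] satisfies the pattern; unknown syntax raises."""
    uid = int(user["userid"])
    m = _BETWEEN.match(pattern)
    if m:
        return int(m.group(1)) <= uid <= int(m.group(2))
    m = _COMPARE.match(pattern)
    if not m:
        raise ValueError("unsupported userid pattern: {!r}".format(pattern))
    op, value = m.group(1), int(m.group(2))
    return {"=": uid == value, ">": uid > value, ">=": uid >= value,
            "<": uid < value, "<=": uid <= value}[op]


def get_user_list(users, search_dict=None):
    """Filter users: the 'userid' key by pattern, all other keys by regex search."""
    hits = []
    for user in users:
        ok = True
        for key, value in (search_dict or {}).items():
            if key == "userid":
                ok = check_userid(user, value)
            else:
                ok = re.search(value, str(user.get(key, ""))) is not None
            if not ok:
                break
        if ok:
            hits.append(user)
    return hits


def get_user_id(users, login_name):
    """Return the uid (as str) for a login name, or "" if unknown, per the base contract."""
    for user in users:
        if user["username"] == login_name:
            return str(user["userid"])
    return ""
```

Because the uid column is validated as numeric before use, a corrupted or hand-edited passwd line cannot turn a pattern such as ">=1000" into a crash or a silently wrong match; it is simply not resolved.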
15.2.2.3. LDAPResolver
- class privacyidea.lib.resolvers.LDAPIdResolver.IdResolver
  - add_user(attributes=None)
    Add a new user to the LDAP directory. The user can only be created in the LDAP using a DN, so we have to construct the DN out of the given attributes.
    The attributes are these: “username”, “surname”, “givenname”, “email”, “mobile”, “phone”, “password”
    - Parameters
      attributes (dict) – Attributes according to the attribute mapping
    - Returns
      The new UID of the user. The UserIdResolver needs to determine how to create the UID.
  - checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.
  - static create_connection(authtype=None, server=None, user=None, password=None, auto_bind=False, client_strategy='SYNC', check_names=True, auto_referrals=False, receive_timeout=5, start_tls=False)
    Create a connection to the LDAP server.
    - Parameters
      authtype –
      server –
      user –
      password –
      auto_bind –
      client_strategy –
      check_names –
      auto_referrals –
      receive_timeout – At the moment we do not use this, since receive_timeout is not supported by ldap3 < 2.
    - Returns
  - classmethod create_serverpool(urilist, timeout, get_info=None, tls_context=None, rounds=2, exhaust=30, pool_cls=<class 'ldap3.core.pooling.ServerPool'>)
    This creates the serverpool for the ldap3 connection. The URI from the LDAP resolver can contain a comma-separated list of LDAP servers. These are split and then added to the pool.
    See https://github.com/cannatag/ldap3/blob/master/docs/manual/source/servers.rst#server-pool
    - Parameters
      urilist (basestring) – The list of LDAP URIs, comma separated
      timeout (float) – The connection timeout
      get_info – The get_info type passed to the ldap3.Server constructor. Default: ldap3.SCHEMA; should be ldap3.NONE in case of a bind.
      tls_context – A ldap3.tls object, which defines whether certificate verification should be performed
      rounds – The number of rounds we should cycle through the server pool before giving up
      exhaust – The number of seconds for which a non-reachable server should be removed from the serverpool
      pool_cls – ldap3.ServerPool subclass that should be instantiated
    - Returns
      Server Pool
    - Return type
      serverpool_cls
  - delete_user(uid)
    Delete a user from the LDAP Directory. The user is referenced by the user id.
    - Parameters
      uid (basestring) – The uid of the user object that should be deleted.
    - Returns
      Returns True in case of success
    - Return type
      bool
  - property editable
    Return True if the instance of the resolver is configured as editable.
  - classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - static getResolverDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    - Returns
      resolver description dict
    - Return type
      dict
  - getResolverId()
    Returns the resolver Id. This should be an identifier of the resolver, preferably the type and the name of the resolver.
    - Returns
      the id of the resolver
    - Return type
      str
  - static getResolverType()
    Return the type of the resolver.
    - Returns
      returns the string ‘ldapresolver’
    - Return type
      string
  - getUserId(LoginName)
    Resolve the loginname to the userid.
    - Parameters
      LoginName (str) – The login name from the credentials
    - Returns
      UserId as found for the LoginName
    - Return type
      str
  - getUserInfo(userId)
    This function returns all user info for a given userid/object.
    - Parameters
      userId (string) – The userid of the object
    - Returns
      A dictionary with the keys defined in self.userinfo
    - Return type
      dict
  - getUserList(searchDict=None)
    - Parameters
      searchDict (dict) – A dictionary with search parameters
    - Returns
      list of users, where each user is a dictionary
  - getUsername(user_id)
    Returns the username/loginname for a given user_id.
    - Parameters
      user_id (string) – The user_id in this resolver
    - Returns
      username
    - Return type
      string
  - get_persistent_serverpool(get_info=None)
    Return a process-level instance of LockingServerPool for the current LDAP resolver configuration. Retrieve it from the app-local store. If such an instance does not exist yet, create one.
    - Parameters
      get_info – one of ldap3.SCHEMA, ldap3.NONE, ldap3.ALL
    - Returns
      a LockingServerPool instance
  - get_serverpool_instance(get_info=None)
    Return a ServerPool instance that should be used. If SERVERPOOL_PERSISTENT is enabled, invoke get_persistent_serverpool to retrieve a per-process server pool instance. If it is not enabled, invoke create_serverpool to retrieve a per-request server pool instance.
    - Parameters
      get_info – one of ldap3.SCHEMA, ldap3.NONE, ldap3.ALL
    - Returns
      a ServerPool / LockingServerPool instance
  - property has_multiple_loginnames
    Return whether this resolver has multiple loginname attributes.
    - Return type
      bool
  - loadConfig(config)
    Load the config from conf.
    - Parameters
      config (dict) – The configuration from the Config Table:
      ‘#ldap_uri’: ‘LDAPURI’
      ‘#ldap_basedn’: ‘LDAPBASE’
      ‘#ldap_binddn’: ‘BINDDN’
      ‘#ldap_password’: ‘BINDPW’
      ‘#ldap_timeout’: ‘TIMEOUT’
      ‘#ldap_sizelimit’: ‘SIZELIMIT’
      ‘#ldap_loginattr’: ‘LOGINNAMEATTRIBUTE’
      ‘#ldap_searchfilter’: ‘LDAPSEARCHFILTER’
      ‘#ldap_mapping’: ‘USERINFO’
      ‘#ldap_uidtype’: ‘UIDTYPE’
      ‘#ldap_noreferrals’: ‘NOREFERRALS’
      ‘#ldap_editable’: ‘EDITABLE’
      ‘#ldap_certificate’: ‘CACERTIFICATE’
  - static split_uri(uri)
    Splits LDAP URIs like:
    - ldap://server
    - ldaps://server
    - ldap[s]://server:1234
    - server
    - Parameters
      uri – The LDAP URI
    - Returns
      Returns a tuple of Servername, Port and SSL (bool)
  - classmethod testconnection(param)
    This function lets you test the LDAP connection that is about to be saved.
    - Parameters
      param (dict) – A dictionary with all parameters necessary to test the connection.
    - Returns
      Tuple of success and a description
    - Return type
      (bool, string)
    - Parameters are:
      BINDDN, BINDPW, LDAPURI, TIMEOUT, LDAPBASE, LOGINNAMEATTRIBUTE, LDAPSEARCHFILTER, USERINFO, SIZELIMIT, NOREFERRALS, CACERTIFICATE, AUTHTYPE, TLS_VERIFY, TLS_VERSION, TLS_CA_FILE, SERVERPOOL_ROUNDS, SERVERPOOL_SKIP
  - update_user(uid, attributes=None)
    Update an existing user. This function is also used to update the password. Since the attribute mapping knows which field contains the password, this function can also take care of password changing.
    Attributes that are not contained in the dict attributes are not modified.
    - Parameters
      uid (basestring) – The uid of the user object in the resolver.
      attributes (dict) – Attributes to be updated.
    - Returns
      True in case of success
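The block below is an added example, not the LDAPIdResolver code, covering two pieces of the section above: split_uri (the four documented URI forms, returned as a (servername, port, ssl) tuple) together with the comma-separated URI list that create_serverpool accepts, and an offline counterpart to testconnection that checks a parameter dict for the keys listed there and reports weak transport settings. The convention that the port is None when the URI carries none, the choice of which parameters are required, the function names, and the assumption that TLS_VERIFY is a boolean-like value are this example's own; it opens no connection to any server.

```python
"""LDAP URI splitting and offline parameter checks. Added example, not privacyIDEA code."""
import re

# Optional ldap:// or ldaps:// scheme, a host (or bracketed IPv6 literal),
# an optional :port and an optional trailing slash.
_URI = re.compile(
    r"^(?:(?P<scheme>ldaps?)://)?(?P<host>\[[^\]]+\]|[^:/\s]+)(?::(?P<port>\d{1,5}))?/?$",
    re.IGNORECASE)


def split_uri(uri):
    """Return (servername, port or None, ssl) for the forms documented for split_uri."""
    m = _URI.match(uri.strip())
    if not m:
        raise ValueError("unsupported LDAP URI: {!r}".format(uri))
    scheme = (m.group("scheme") or "ldap").lower()
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range in {!r}".format(uri))
    return m.group("host"), port, scheme == "ldaps"


def split_uri_list(urilist):
    """Split the comma-separated LDAPURI value (as create_serverpool does) into tuples."""
    return [split_uri(u) for u in urilist.split(",") if u.strip()]


# Keys without which no user lookup can be built; a subset of the testconnection list.
REQUIRED = ("LDAPURI", "LDAPBASE", "LOGINNAMEATTRIBUTE", "LDAPSEARCHFILTER", "USERINFO")


def _truthy(value):
    """Interpret a config flag that may arrive as a string (assumed representation)."""
    if isinstance(value, str):
        return value.strip().lower() in ("1", "true", "yes", "on")
    return bool(value)


def check_parameters(param):
    """Offline sanity check of a resolver parameter dict; returns (ok, description)
    in the same shape as testconnection, but without contacting a server."""
    missing = [key for key in REQUIRED if not param.get(key)]
    if missing:
        return False, "missing parameters: " + ", ".join(missing)
    try:
        servers = split_uri_list(param["LDAPURI"])
    except ValueError as err:
        return False, str(err)
    if not servers:
        return False, "LDAPURI contains no server"
    warnings = []
    plain = [host for host, _, ssl in servers if not ssl]
    if plain:
        warnings.append("ldap:// without LDAPS for {}; the bind password is sent in "
                        "cleartext unless STARTTLS is negotiated".format(", ".join(plain)))
    if not _truthy(param.get("TLS_VERIFY", True)):
        warnings.append("TLS_VERIFY is off, so the server certificate is not checked")
    if param.get("BINDDN") and not param.get("BINDPW"):
        warnings.append("BINDDN given without BINDPW")
    text = "LDAP parameters look consistent: {} server(s)".format(len(servers))
    if warnings:
        text += "; warnings: " + "; ".join(warnings)
    return True, text
```

check_parameters deliberately returns True with warnings rather than False for a plaintext or unverified connection, mirroring testconnection's role as a usability check; a deployment that wants to refuse such settings can treat a non-empty warning list as a failure.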