gws.plugin.auth_provider.ldap

LDAP authorization provider.

Accepts an LDAP URL in the following form:

ldap://host:port/baseDN?searchAttribute

which is a subset of the RFC 2255 URL syntax.

Optionally, a bind dn and a password can be provided. This dn must have search permissions for the directory.

The authorization workflow with the (login, password) credentials is as follows:

  • connect to the LDAP server, using the bind dn if provided

  • search for the dn matching searchAttribute = credentials.login

  • attempt to login with that dn and credentials.password

  • iterate the users configs to determine roles for the user

References

https://datatracker.ietf.org/doc/html/rfc2255

Source code: gws.plugin.auth_provider.ldap

Package Contents

class gws.plugin.auth_provider.ldap.Config

Bases: gws.base.auth.provider.Config

LDAP authorization provider

activeDirectory: bool = True

True if the LDAP server is ActiveDirectory.

bindDN: str | None

Bind DN.

bindPassword: str | None

Bind password.

displayNameFormat: gws.FormatStr | None

Format for user’s display name.

timeout: gws.Duration = 30

LDAP server timeout.

url: str

LDAP server url.

users: list[UserSpec]

Map LDAP filters to gws roles.

class gws.plugin.auth_provider.ldap.Object

Bases: gws.base.auth.provider.Object

baseDN: str

loginAttribute: str

serverUrl: str

timeout: int

authenticate(method, credentials)

configure()

get_user(local_uid)

class gws.plugin.auth_provider.ldap.UserSpec(*args, **kwargs)

Bases: gws.Data

Map LDAP filters to authorization roles

matches: str | None

LDAP filter the account has to match

memberOf: str | None

LDAP group the account has to be a member of

roles: list[str]

GWS role names
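The following is an added, self-contained illustration (not the plugin's own code) of the workflow described above: parsing the ldap://host:port/baseDN?searchAttribute URL subset, building the login search filter with RFC 4515 escaping so a login string cannot alter the filter, and mapping a found account to roles through UserSpec-style entries. The directory entry, the specs and the rule that a spec without memberOf applies to every authenticated account are constructed assumptions for this example; the matches filter is left to the server-side search and not evaluated here.

```python
from __future__ import annotations
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


@dataclass(frozen=True)
class LdapUrl:
    host: str
    port: int
    base_dn: str
    search_attribute: str


def parse_ldap_url(url: str) -> LdapUrl:
    """Parse the ldap://host:port/baseDN?searchAttribute subset (one attribute, no filter/scope)."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("expected ldap://host:port/baseDN?searchAttribute")
    base_dn = unquote(u.path.lstrip("/"))
    if not base_dn or not u.query or "," in u.query or "?" in u.query:
        raise ValueError("baseDN and exactly one searchAttribute are required")
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    return LdapUrl(u.hostname, port, base_dn, u.query)


# RFC 4515 escapes; each character maps independently, so no double escaping occurs.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def login_filter(search_attribute: str, login: str) -> str:
    """Filter for step 2 of the workflow: (searchAttribute=<escaped login>)."""
    value = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in login)
    return f"({search_attribute}={value})"


@dataclass(frozen=True)
class UserSpec:
    roles: tuple[str, ...]
    member_of: str | None = None  # group DN the account must belong to (None: any account, assumption)


def _normalize_dn(dn: str) -> str:
    # Simplified DN comparison: case-insensitive, whitespace around RDNs ignored.
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_roles(entry: dict, specs: tuple[UserSpec, ...]) -> list[str]:
    """Step 4 of the workflow: collect roles from every spec the found entry satisfies."""
    groups = {_normalize_dn(g) for g in entry.get("memberOf", [])}
    roles: list[str] = []
    for spec in specs:
        if spec.member_of is None or _normalize_dn(spec.member_of) in groups:
            roles.extend(r for r in spec.roles if r not in roles)
    return roles


SAMPLE_ENTRY = {"uid": ["alice"], "memberOf": ["CN=GIS Editors,OU=Groups,DC=example,DC=org"]}  # constructed
SPECS = (
    UserSpec(roles=("editor",), member_of="cn=GIS Editors,ou=Groups,dc=example,dc=org"),
    UserSpec(roles=("admin",), member_of="cn=GIS Admins,ou=Groups,dc=example,dc=org"),
    UserSpec(roles=("user",)),
)
```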