Skip to content

Add login_template and group_required variables #52

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add login_template and group_required variables #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,6 +70,12 @@ To configure LDAP, create a yaml file with a dictionary containing another dicti
``timeout``
The timeout for connections to the LDAP server. Defaults to 10 seconds.

``login_template``
Template to insert the result from ``user_search`` into before attempting login

``group_required``
Require the group search to be successful for authentication

The ``user_search`` and ``group_search`` settings are dictionaries with the following options:

``base``
Expand All @@ -90,7 +96,7 @@ The ``user_search`` and ``group_search`` settings are dictionaries with the foll
password. ``devpi-ldap`` will extract this attribute from the search results and attempt to
bind to the LDAP server using this DN and the password supplied by the user. If this bind
succeeds, access is granted.

``userdn``
The distinguished name of the user which should be used for the search operation.
For ``user_search``, if you don't have anonymous user search or for ``group_search`` if the users can't search their own groups, then you need to set this to a user which has the necessary rights.
Expand Down
2 changes: 1 addition & 1 deletion devpi_ldap/__init__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1 @@
__version__ = '2.1.0'
__version__ = '2.1.1'
12 changes: 11 additions & 1 deletion devpi_ldap/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,8 @@ def __init__(self, path):
'referrals',
'reject_as_unknown',
'tls',
'login_template',
'group_required'
))
unknown_keys = set(self.keys()) - known_keys
if unknown_keys:
Expand Down Expand Up @@ -256,7 +258,11 @@ def validate(self, username, password):
else:
threadlog.debug("Validating user '%s' against LDAP at %s." % (username, self['url']))
username = escape(username)
userdn = self._userdn(username)
if 'login_template' in self:
userdn = self['login_template'].format(self._userdn(username))
else:
userdn = self._userdn(username)

if not userdn:
return dict(status="unknown")
if not password.strip():
Expand All @@ -268,6 +274,9 @@ def validate(self, username, password):
if not config:
return dict(status="ok")
groups = self._search(conn, config, username=username, userdn=userdn)
group_required = self.get('group_required', False)
if group_required and len(groups) < 1:
return self._rejection()
return dict(status="ok", groups=groups)


Expand Down Expand Up @@ -342,3 +351,4 @@ def main(argv=None):
raise SystemExit(2)

print("Authentication successful, the user is member of the following groups: %s" % ', '.join(result.get("groups", [])))