ipaserver.plugins.ldap2.ldap2

class ipaserver.plugins.ldap2.ldap2(api)[source]

Bases: ipalib.crud.CrudBackend, ipapython.ipaldap.LDAPCache

LDAP Backend Take 2.

Public Data Attributes:

ldap_uri

time_limit

size_limit

Inherited from Connectible

conn

Return thread-local connection.

Inherited from Plugin

version

name

full_name

bases

doc

summary

api

Return API instance passed to __init__().

env

Backend

Command

Inherited from LDAPCache

hit

miss

max_entries

Inherited from LDAPClient

MATCH_ANY

MATCH_ALL

MATCH_NONE

SCOPE_BASE

SCOPE_ONELEVEL

SCOPE_SUBTREE

time_limit

size_limit

conn

Return thread-local connection.

protocol

schema

schema associated with this LDAP server

Public Methods:

__init__(api)

close()

Close the connection.

__str__()

Return str(self).

create_connection([ccache, bind_dn, ...])

Connect to LDAP server.

destroy_connection()

Disconnect from LDAP server.

get_ipa_config([attrs_list])

Returns the IPA configuration entry (dn, entry_attrs).

has_upg()

Returns True/False whether User-Private Groups are enabled.

get_effective_rights(dn, attrs_list)

Returns the rights the currently bound user has for the given DN.

can_write(dn, attr)

Returns True/False if the currently bound user has write permissions on the attribute.

can_read(dn, attr)

Returns True/False if the currently bound user has read permissions on the attribute.

can_delete(dn)

Returns True/False if the currently bound user has delete permissions on the entry.

can_add(parent_dn, objectclass)

Returns True/False if the currently bound user has permission to add an entry with the given objectclass immediately below the entry with the given DN.

modify_password(dn, new_pass[, old_pass, ...])

Set user password.

add_entry_to_group(dn, group_dn[, ...])

Add entry designated by dn to group group_dn in the member attribute member_attr.

remove_entry_from_group(dn, group_dn[, ...])

Remove entry from group.

set_entry_active(dn, active)

Mark entry active/inactive.

activate_entry(dn)

Mark entry active.

deactivate_entry(dn)

Mark entry inactive.

remove_principal_key(dn)

Remove a kerberos principal key.

create(**kw)

Create a new entry and return it as one dict (DN included).

retrieve(primary_key, attributes)

Get entry by primary_key (DN) as one dict (DN included).

update(primary_key, **kw)

Update entry's attributes and return it as one dict (DN included).

delete(primary_key)

Delete entry by primary_key (DN).

search(**kw)

Return a list of entries (each entry is one dict, DN included) matching the specified criteria.

Inherited from CrudBackend

create(**kw)

Create a new entry and return it as one dict (DN included).

retrieve(primary_key, attributes)

Get entry by primary_key (DN) as one dict (DN included).

update(primary_key, **kw)

Update entry's attributes and return it as one dict (DN included).

delete(primary_key)

Delete entry by primary_key (DN).

search(**kw)

Return a list of entries (each entry is one dict, DN included) matching the specified criteria.

Inherited from Connectible

__init__(api)

connect(*args, **kw)

Create thread-local connection.

create_connection([ccache, bind_dn, ...])

Connect to LDAP server.

disconnect()

destroy_connection()

Disconnect from LDAP server.

isconnected()

Return True if thread-local connection on request.context exists.

Inherited from Plugin

__init__(api)

finalize()

Finalize plugin initialization.

ensure_finalized()

Finalize plugin initialization if it has not yet been finalized.

__repr__()

Return 'module_name.class_name()' representation.

Inherited from ReadOnly

__lock__()

Put this instance into a read-only state.

__islocked__()

Return True if instance is locked, otherwise False.

__setattr__(name, value)

If unlocked, set attribute named name to value.

__delattr__(name)

If unlocked, delete attribute named name.

Inherited from LDAPCache

__init__(api)

emit(msg, *args, **kwargs)

copy_entry(dn, entry[, attrs])

add_cache_entry(dn[, attrs_list, get_all, ...])

clear_cache()

cache_status(type)

remove_cache_entry(dn)

add_entry(entry)

Create a new entry.

update_entry(entry)

Update entry's attributes.

delete_entry(entry_or_dn)

Delete an entry given either the DN or the entry itself

move_entry(dn, new_dn[, del_old])

Move an entry (either to a new superior or/and changing relative distinguished name)

modify_s(dn, modlist)

get_entry(dn[, attrs_list, time_limit, ...])

Get entry (dn, entry_attrs) by dn.

Inherited from LDAPClient

__init__(api)

from_realm(realm_name, **kwargs)

Create a LDAPI connection to local 389-DS instance

from_hostname_secure(hostname[, cacert, ...])

Create LDAP or LDAPS connection to a remote 389-DS instance

from_hostname_plain(hostname, **kwargs)

Create a plain LDAP connection with TLS/SSL

__str__()

Return str(self).

modify_s(dn, modlist)

get_attribute_type(name_or_oid)

has_dn_syntax(name_or_oid)

Check the schema to see if the attribute uses DN syntax.

get_attribute_single_value(name_or_oid)

Check the schema to see if the attribute is single-valued.

encode(val)

Encode attribute value to LDAP representation (str/bytes).

decode(val, attr)

Decode attribute value from LDAP representation (str/bytes).

error_handler([arg_desc])

Context manager that handles LDAPErrors

handle_truncated_result(truncated)

get_allowed_attributes(objectclasses[, ...])

__enter__()

__exit__(exc_type, exc_value, traceback)

close()

Close the connection.

simple_bind(bind_dn, bind_password[, ...])

Perform simple bind operation.

external_bind([server_controls, client_controls])

Perform SASL bind operation using the SASL EXTERNAL mechanism.

gssapi_bind([server_controls, client_controls])

Perform SASL bind operation using the SASL GSSAPI mechanism.

unbind()

Perform unbind operation.

make_dn_from_attr(attr, value[, parent_dn])

Make distinguished name from attribute.

make_dn(entry_attrs[, primary_key, parent_dn])

Make distinguished name from entry attributes.

make_entry([_dn, _obj])

combine_filters(filters[, rules])

Combine filters into one for ldap2.find_entries.

make_filter_from_attr(attr, value[, rules, ...])

Make filter for ldap2.find_entries from attribute.

make_filter(entry_attrs[, attrs_list, ...])

Make filter for ldap2.find_entries from entry attributes.

get_entries(base_dn[, scope, filter, ...])

Return a list of matching entries.

find_entries([filter, attrs_list, base_dn, ...])

Return a list of entries matching the specified search parameters together with a truncated flag, as ([(dn, entry_attrs)], truncated).

find_entry_by_attr(attr, value, object_class)

Find entry (dn, entry_attrs) by attribute and object class.

get_entry(dn[, attrs_list, time_limit, ...])

Get entry (dn, entry_attrs) by dn.

add_entry(entry)

Create a new entry.

move_entry(dn, new_dn[, del_old])

Move an entry (either to a new superior or/and changing relative distinguished name)

update_entry(entry)

Update entry's attributes.

delete_entry(entry_or_dn)

Delete an entry given either the DN or the entry itself

entry_exists(dn)

Test whether the given object exists in LDAP.

Private Data Attributes:

Inherited from ReadOnly

_ReadOnly__locked

Inherited from LDAPClient

_SYNTAX_MAPPING

_SYNTAX_OVERRIDE

_SINGLE_VALUE_OVERRIDE

Private Methods:

_connect()

_get_normalized_entry_for_crud(dn[, attrs_list])

Inherited from Connectible

_Connectible__get_conn()

Return thread-local connection.

Inherited from Plugin

_Plugin__name_getter()

_Plugin__full_name_getter()

_Plugin__bases_getter()

_Plugin__doc_getter()

_Plugin__summary_getter()

_on_finalize()

Do custom finalization.

Inherited from LDAPClient

_get_schema()

_flush_schema()

Force this instance to forget its cached schema and reacquire it from the schema cache.

_convert_result(result)

result is a python-ldap result tuple of the form (dn, attrs), where dn is a string containing the dn (distinguished name) of the entry, and attrs is a dictionary containing the attributes associated with the entry.

_connect()

_LDAPClient__get_effective_rights_control()

Construct a GetEffectiveRights control for current user.


property Backend
property Command
MATCH_ALL = '&'
MATCH_ANY = '|'
MATCH_NONE = '!'
SCOPE_BASE = 0
SCOPE_ONELEVEL = 1
SCOPE_SUBTREE = 2
_SINGLE_VALUE_OVERRIDE = {'nsslapd-anonlimitsdn': True, 'nsslapd-db-locks': True, 'nsslapd-enable-upgrade-hash': True, 'nsslapd-idlistscanlimit': True, 'nsslapd-ldapidnmappingbase': True, 'nsslapd-ldapientrysearchbase': True, 'nsslapd-logging-hr-timestamps-enabled': True, 'nsslapd-lookthroughlimit': True, 'nsslapd-minssf-exclude-rootdse': True, 'nsslapd-sizelimit': True, 'nsslapd-ssl-check-hostname': True}
_SYNTAX_MAPPING = {'1.3.6.1.4.1.1466.115.121.1.1': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.10': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.12': <class 'ipapython.dn.DN'>, '1.3.6.1.4.1.1466.115.121.1.23': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.24': <class 'datetime.datetime'>, '1.3.6.1.4.1.1466.115.121.1.28': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.4': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.40': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.49': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.5': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.51': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.7': <class 'bool'>, '1.3.6.1.4.1.1466.115.121.1.8': <class 'bytes'>, '1.3.6.1.4.1.1466.115.121.1.9': <class 'bytes'>, '2.16.840.1.113719.1.301.4.14.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.17.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.18.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.26.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.29.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.36.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.40.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.41.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.52.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113719.1.301.4.53.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.11.21': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.11.22': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.11.4': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.3.18': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.3.20': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.3.3': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.3.5': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.3.7': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.7.1': <class 'ipapython.dn.DN'>, '2.16.840.1.113730.3.8.7.2': <class 'ipapython.dn.DN'>}
_SYNTAX_OVERRIDE = {'cACertificate': <class 'cryptography.x509.base.Certificate'>, 'cACertificate;binary': <class 'cryptography.x509.base.Certificate'>, 'dnszoneidnsname': <class 'ipapython.dnsutil.DNSName'>, 'idnsname': <class 'ipapython.dnsutil.DNSName'>, 'idnssoamname': <class 'ipapython.dnsutil.DNSName'>, 'idnssoarname': <class 'ipapython.dnsutil.DNSName'>, 'krbcanonicalname': <class 'ipapython.kerberos.Principal'>, 'krbprincipalname': <class 'ipapython.kerberos.Principal'>, 'managedbase': <class 'ipapython.dn.DN'>, 'managedtemplate': <class 'ipapython.dn.DN'>, 'memberindirect': <class 'ipapython.dn.DN'>, 'memberofindirect': <class 'ipapython.dn.DN'>, 'nsds5replicalastinitend': <class 'str'>, 'nsds5replicalastinitstart': <class 'str'>, 'nsds5replicalastupdateend': <class 'str'>, 'nsds5replicalastupdatestart': <class 'str'>, 'originscope': <class 'ipapython.dn.DN'>, 'usercertificate': <class 'cryptography.x509.base.Certificate'>, 'usercertificate;binary': <class 'cryptography.x509.base.Certificate'>}
__annotations__ = {}
__delattr__(name)

If unlocked, delete attribute named name.

If this instance is locked, an AttributeError will be raised.

Parameters

name – Name of attribute to delete.

__enter__()
__exit__(exc_type, exc_value, traceback)
__init__(api)[source]
__islocked__()

Return True if instance is locked, otherwise False.

__lock__()

Put this instance into a read-only state.

After the instance has been locked, attempting to set or delete an attribute will raise an AttributeError.

__module__ = 'ipaserver.plugins.ldap2'
__repr__()

Return ‘module_name.class_name()’ representation.

This representation could be used to instantiate this Plugin instance given the appropriate environment.

__setattr__(name, value)

If unlocked, set attribute named name to value.

If this instance is locked, an AttributeError will be raised.

Parameters
  • name – Name of attribute to set.

  • value – Value to assign to attribute.

__str__()[source]

Return str(self).

__weakref__

list of weak references to the object (if defined)

_connect()[source]
_convert_result(result)

result is a python-ldap result tuple of the form (dn, attrs), where dn is a string containing the dn (distinguished name) of the entry, and attrs is a dictionary containing the attributes associated with the entry. The keys of attrs are strings, and the associated values are lists of strings.

We convert the tuple to an LDAPEntry object.

_flush_schema()

Force this instance to forget its cached schema and reacquire it from the schema cache.

_get_normalized_entry_for_crud(dn, attrs_list=None)[source]
_get_schema()
_on_finalize()

Do custom finalization.

This method is called from finalize(). Subclasses can override this method in order to add custom finalization.

activate_entry(dn)[source]

Mark entry active.

add_cache_entry(dn, attrs_list=None, get_all=False, entry=None, exception=None)
add_entry(entry)

Create a new entry.

This should be called as add_entry(entry).

add_entry_to_group(dn, group_dn, member_attr='member', allow_same=False)[source]

Add entry designated by dn to group group_dn in the member attribute member_attr.

Adding a group as a member of itself is not allowed unless allow_same is True.

property api

Return API instance passed to __init__().

bases = (<class 'ipalib.crud.CrudBackend'>, <class 'ipapython.ipaldap.LDAPCache'>)
cache_status(type)
can_add(parent_dn, objectclass)[source]

Returns True/False if the currently bound user has permission to add an entry with the given objectclass immediately below the entry with the given DN.

For example, to check if an entry with objectclass=ipaca can be added under cn=cas,cn=ca,{basedn}, you should call can_add(DN('cn=cas,...'), 'ipaca').

can_delete(dn)[source]

Returns True/False if the currently bound user has delete permissions on the entry.

can_read(dn, attr)[source]

Returns True/False if the currently bound user has read permissions on the attribute. This only operates on a single attribute at a time.

can_write(dn, attr)[source]

Returns True/False if the currently bound user has write permissions on the attribute. This only operates on a single attribute at a time.

clear_cache()
close()[source]

Close the connection.

classmethod combine_filters(filters, rules='|')

Combine filters into one for ldap2.find_entries.

Keyword arguments: rules – see ldap2.make_filter

property conn

Return thread-local connection.

connect(*args, **kw)

Create thread-local connection.

copy_entry(dn, entry, attrs=[])
create(**kw)[source]

Create a new entry and return it as one dict (DN included).

Extends CrudBackend.create.

create_connection(ccache=None, bind_dn=None, bind_pw='', cacert=None, autobind=1, serverctrls=None, clientctrls=None, time_limit=<object object>, size_limit=<object object>)[source]

Connect to LDAP server.

Keyword arguments:
  • ldapuri – the LDAP server to connect to

  • ccache – Kerberos ccache name

  • bind_dn – dn used to bind to the server

  • bind_pw – password used to bind to the server

  • debug_level – LDAP debug level option

  • cacert – TLS CA certificate filename

  • autobind – autobind as the current user

  • time_limit, size_limit – maximum time and size limit for LDAP

Possible options for time_limit and size_limit:
  • value – sets the given value

  • None – reads value from ipaconfig

  • _missing – keeps previously configured settings (unlimited set by default in constructor)

Extends backend.Connectible.create_connection.

deactivate_entry(dn)[source]

Mark entry inactive.

decode(val, attr)

Decode attribute value from LDAP representation (str/bytes).

delete(primary_key)[source]

Delete entry by primary_key (DN).

Extends CrudBackend.delete.

delete_entry(entry_or_dn)

Delete an entry given either the DN or the entry itself

destroy_connection()[source]

Disconnect from LDAP server.

disconnect()
doc = '\n    LDAP Backend Take 2.\n    '
emit(msg, *args, **kwargs)
encode(val)

Encode attribute value to LDAP representation (str/bytes).

ensure_finalized()

Finalize plugin initialization if it has not yet been finalized.

entry_exists(dn)

Test whether the given object exists in LDAP.

property env
error_handler(arg_desc=None)

Context manager that handles LDAPErrors

external_bind(server_controls=None, client_controls=None)

Perform SASL bind operation using the SASL EXTERNAL mechanism.

finalize()

Finalize plugin initialization.

This method calls _on_finalize() and locks the plugin object.

Subclasses should not override this method. Custom finalization is done in _on_finalize().

class finalize_attr(name, value=None)

Bases: object

Create a stub object for plugin attribute that isn’t set until the finalization of the plugin initialization.

When the stub object is accessed, it calls ensure_finalized() to make sure the plugin initialization is finalized. The stub object is expected to be replaced with the actual attribute value during the finalization (preferably in _on_finalize()), otherwise an AttributeError is raised.

This is used to implement on-demand finalization of plugin initialization.

__annotations__ = {}
__get__(obj, cls)
__init__(name, value=None)
__module__ = 'ipalib.plugable'
__slots__ = ('name', 'value')
name
value
find_entries(filter=None, attrs_list=None, base_dn=None, scope=2, time_limit=None, size_limit=None, paged_search=False, get_effective_rights=False)

Return a list of entries matching the specified search parameters together with a truncated flag, as ([(dn, entry_attrs)], truncated). If the truncated flag is True, the search hit a server limit and its results are incomplete.

Parameters
  • attrs_list – list of attributes to return, all if None (default None)

  • base_dn – dn of the entry at which to start the search (default ‘’)

  • scope – search scope, see LDAP docs (default ldap2.SCOPE_SUBTREE)

  • time_limit – time limit in seconds (default unlimited)

  • size_limit – size (number of entries returned) limit (default unlimited)

  • paged_search – search using paged results control

  • get_effective_rights – use GetEffectiveRights control

Raises

errors.NotFound if result set is empty or base_dn doesn’t exist

find_entry_by_attr(attr, value, object_class, attrs_list=None, base_dn=None)

Find entry (dn, entry_attrs) by attribute and object class.

Keyword arguments:
  • attrs_list – list of attributes to return, all if None (default None)

  • base_dn – dn of the entry at which to start the search (default ‘’)

classmethod from_hostname_plain(hostname, **kwargs)

Create a plain LDAP connection with TLS/SSL

Note: A plain TLS connection should only be used in combination with GSSAPI bind.

classmethod from_hostname_secure(hostname, cacert='/etc/ipa/ca.crt', start_tls=True, **kwargs)

Create LDAP or LDAPS connection to a remote 389-DS instance

This constructor is opinionated and doesn’t let you shoot yourself in the foot. It always creates a secure connection. By default it returns a LDAP connection to port 389 and performs STARTTLS using the default CA cert. With start_tls=False, it creates a LDAPS connection to port 636 instead.

Note: Microsoft AD does not support SASL encryption and integrity verification with a TLS connection. For AD, use a plain connection with GSSAPI and a MIN_SSF >= 56. SASL GSSAPI and SASL GSS SPNEGO ensure data integrity and confidentiality with SSF > 1. Also see https://msdn.microsoft.com/en-us/library/cc223500.aspx

classmethod from_realm(realm_name, **kwargs)

Create a LDAPI connection to local 389-DS instance

full_name = 'ldap2/1'
get_allowed_attributes(objectclasses, raise_on_unknown=False)
get_attribute_single_value(name_or_oid)

Check the schema to see if the attribute is single-valued.

If the attribute is in the schema then returns True/False

If there is a problem loading the schema or the attribute is not in the schema return None

get_attribute_type(name_or_oid)
get_effective_rights(dn, attrs_list)[source]

Returns the rights the currently bound user has for the given DN.

Returns 2 attributes, the attributeLevelRights for the given list of attributes and the entryLevelRights for the entry itself.

get_entries(base_dn, scope=2, filter=None, attrs_list=None, get_effective_rights=False, **kwargs)

Return a list of matching entries.

Raises
  • errors.LimitsExceeded if the list is truncated by the server

  • errors.NotFound if result set is empty or base_dn doesn’t exist

Parameters
  • base_dn – dn of the entry at which to start the search

  • scope – search scope, see LDAP docs (default ldap2.SCOPE_SUBTREE)

  • filter – LDAP filter to apply

  • attrs_list – list of attributes to return, all if None (default)

  • get_effective_rights – use GetEffectiveRights control

  • kwargs – additional keyword arguments. See find_entries method for their description.

get_entry(dn, attrs_list=None, time_limit=None, size_limit=None, get_effective_rights=False)

Get entry (dn, entry_attrs) by dn.

Keyword arguments: attrs_list - list of attributes to return, all if None (default None)

get_ipa_config(attrs_list=None)[source]

Returns the IPA configuration entry (dn, entry_attrs).

gssapi_bind(server_controls=None, client_controls=None)

Perform SASL bind operation using the SASL GSSAPI mechanism.

static handle_truncated_result(truncated)
has_dn_syntax(name_or_oid)

Check the schema to see if the attribute uses DN syntax.

Returns True/False

has_upg()[source]

Returns True/False whether User-Private Groups are enabled.

This is determined based on whether the UPG Definition’s originfilter contains “(objectclass=disable)”.

If the UPG Definition or its originfilter is not readable, an ACI error is raised.

property hit
isconnected()

Return True if thread-local connection on request.context exists.

property ldap_uri
make_dn(entry_attrs, primary_key='cn', parent_dn=None)

Make distinguished name from entry attributes.

Keyword arguments:
  • primary_key – attribute from which to make RDN (default ‘cn’)

  • parent_dn – DN of the parent entry (default ‘’)

make_dn_from_attr(attr, value, parent_dn=None)

Make distinguished name from attribute.

Keyword arguments: parent_dn – DN of the parent entry (default ‘’)

make_entry(_dn=None, _obj=None, **kwargs)
classmethod make_filter(entry_attrs, attrs_list=None, rules='|', exact=True, leading_wildcard=True, trailing_wildcard=True)

Make filter for ldap2.find_entries from entry attributes.

Keyword arguments:
  • attrs_list – list of attributes to use, all if None (default None)

  • rules – specifies how to determine a match (default ldap2.MATCH_ANY)

  • exact – boolean: True - make filter as (attr=value); False - make filter as (attr=*value*)

  • leading_wildcard – boolean: True - allow leading filter wildcard when exact=False; False - forbid leading filter wildcard when exact=False

  • trailing_wildcard – boolean: True - allow trailing filter wildcard when exact=False; False - forbid trailing filter wildcard when exact=False

rules can be one of the following:
  • ldap2.MATCH_NONE – match entries that do not match any attribute

  • ldap2.MATCH_ALL – match entries that match all attributes

  • ldap2.MATCH_ANY – match entries that match any attribute

classmethod make_filter_from_attr(attr, value, rules='|', exact=True, leading_wildcard=True, trailing_wildcard=True)

Make filter for ldap2.find_entries from attribute.

Keyword arguments:
  • rules – see ldap2.make_filter

  • exact – boolean: True - make filter as (attr=value); False - make filter as (attr=*value*)

  • leading_wildcard – boolean: True - allow leading filter wildcard when exact=False; False - forbid leading filter wildcard when exact=False

  • trailing_wildcard – boolean: True - allow trailing filter wildcard when exact=False; False - forbid trailing filter wildcard when exact=False
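
The keyword semantics documented for make_filter, make_filter_from_attr and combine_filters, sketched as a stand-alone added example (not FreeIPA's own code). The helper names escape_value and filter_from_attr, the attribute-name check and the sample values are assumptions of this sketch; it shows values being escaped per RFC 4515 before any wildcard is added, so caller-supplied input cannot change the filter's structure.

```python
import re

# Added illustration, not FreeIPA code: a stand-alone sketch of the keyword
# semantics documented for make_filter / make_filter_from_attr / combine_filters.
MATCH_ALL, MATCH_ANY, MATCH_NONE = "&", "|", "!"  # values as listed on this page

# RFC 4515: these characters must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Assumption of this sketch: accept only descriptor-style names plus options.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")


def escape_value(value):
    """Escape a value so it cannot open, close or wildcard a filter term."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))


def combine_filters(filters, rules=MATCH_ANY):
    """Join sub-filters under one operator; '!' is unary, so it negates an OR."""
    filters = [f if f.startswith("(") else "(%s)" % f for f in filters if f]
    if not filters:
        return ""
    if rules == MATCH_NONE:
        return "(!%s)" % combine_filters(filters, MATCH_ANY)
    if len(filters) == 1:
        return filters[0]
    return "(%s%s)" % (rules, "".join(filters))


def filter_from_attr(attr, value, rules=MATCH_ANY, exact=True,
                     leading_wildcard=True, trailing_wildcard=True):
    """Build the filter for one attribute; a list of values is joined by rules."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError("unsafe attribute name: %r" % (attr,))
    if isinstance(value, (list, tuple)):
        # Build plain terms first, then apply the operator once around them.
        parts = [filter_from_attr(attr, v, MATCH_ANY, exact,
                                  leading_wildcard, trailing_wildcard)
                 for v in value]
        return combine_filters(parts, rules)
    escaped = escape_value(value)
    if not exact:
        # Wildcards come from the builder, never from the (escaped) value.
        escaped = "%s%s%s" % ("*" if leading_wildcard else "", escaped,
                              "*" if trailing_wildcard else "")
    term = "(%s=%s)" % (attr, escaped)
    return "(!%s)" % term if rules == MATCH_NONE else term


def make_filter(entry_attrs, attrs_list=None, rules=MATCH_ANY, **kwargs):
    """Build one filter from a dict of attributes, restricted to attrs_list."""
    names = list(entry_attrs) if attrs_list is None else attrs_list
    inner = MATCH_ANY if rules == MATCH_NONE else rules  # negate only once
    parts = [filter_from_attr(n, entry_attrs[n], inner, **kwargs)
             for n in names if n in entry_attrs]
    return combine_filters(parts, rules)


if __name__ == "__main__":
    hostile = "admin*)(uid=*"  # constructed input that tries to inject a term
    print(filter_from_attr("uid", hostile))
    print(filter_from_attr("cn", "adm", exact=False, leading_wildcard=False))
    print(make_filter({"uid": "jdoe", "mail": "jdoe@example.test"},
                      rules=MATCH_NONE))
```
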

property max_entries
property miss
modify_password(dn, new_pass, old_pass='', otp='', skip_bind=False)[source]

Set user password.

modify_s(dn, modlist)
move_entry(dn, new_dn, del_old=True)

Move an entry (either to a new superior or/and changing relative distinguished name)

Keyword arguments:
  • dn – DN of the source entry

  • new_dn – DN of the target entry

  • del_old – delete old RDN value (default True)

Raises
  • errors.NotFound if source entry or target superior entry doesn’t exist

  • errors.EmptyModlist if source and target are identical

name = 'ldap2'
property protocol
remove_cache_entry(dn)
remove_entry_from_group(dn, group_dn, member_attr='member')[source]

Remove entry from group.

remove_principal_key(dn)[source]

Remove a kerberos principal key.

retrieve(primary_key, attributes)[source]

Get entry by primary_key (DN) as one dict (DN included).

Extends CrudBackend.retrieve.

property schema

schema associated with this LDAP server

search(**kw)[source]

Return a list of entries (each entry is one dict, DN included) matching the specified criteria.

Keyword arguments:
  • filter – search filter (default: ‘’)

  • attrs_list – list of attributes to return, all if None (default None)

  • base_dn – dn of the entry at which to start the search (default ‘’)

  • scope – search scope, see LDAP docs (default ldap2.SCOPE_SUBTREE)

Extends CrudBackend.search.

set_entry_active(dn, active)[source]

Mark entry active/inactive.

simple_bind(bind_dn, bind_password, server_controls=None, client_controls=None, insecure_bind=False)

Perform simple bind operation.

property size_limit

summary = 'LDAP Backend Take 2.'
property time_limit

unbind()

Perform unbind operation.

update(primary_key, **kw)[source]

Update entry’s attributes and return it as one dict (DN included).

Extends CrudBackend.update.

update_entry(entry)

Update entry’s attributes.

This should be called as update_entry(entry).

version = '1'