13.2.2. UserIdResolvers
The useridresolver is responsible for getting user ids for login names and vice versa.
This base module contains the base class UserIdResolver.UserIdResolver and also the community class PasswdIdResolver.IdResolver, which inherits from the base class.
13.2.2.1. Base class

class privacyidea.lib.resolvers.UserIdResolver.UserIdResolver

  add_user(attributes=None)
    Add a new user in the useridresolver. This is only possible if the UserIdResolver supports this and if we have write access to the user store.
    Parameters:
      - username (basestring) – The login name of the user
      - attributes – Attributes according to the attribute mapping
    Returns: The new UID of the user. The UserIdResolver needs to determine the way how to create the UID.

  checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.
    Parameters:
      - uid (string or int) – The uid in the resolver
      - password (string) – The password to check. Usually in cleartext
    Returns: True or False
    Return type: bool

  delete_user(uid)
    Delete a user from the useridresolver. The user is referenced by the user id.
    Parameters: uid (basestring) – The uid of the user object that should be deleted.
    Returns: True in case of success
    Return type: bool

  classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    Returns: resolver description dict
    Return type: dict

  getResolverDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    Returns: resolver description dict
    Return type: dict

  getResolverId()
    Get resolver specific information.
    Returns: the resolver identifier string; an empty string if it does not exist

  classmethod getResolverType()
    Return the type of the resolver.
    Returns: the string ‘ldapresolver’
    Return type: string

  getUserId(loginName)
    The login name is resolved to a user_id. Depending on the resolver type the user_id can be an ID (like in /etc/passwd) or a string (like the DN in LDAP).
    It needs to return an empty string if the user does not exist.
    Parameters: loginName (string) – The login name of the user
    Returns: The ID of the user
    Return type: string or int

  getUserInfo(userid)
    This function returns all user information for a given user object identified by UserID.
    Parameters: userid (int or string) – ID of the user in the resolver
    Returns: dictionary; if no object is found, the dictionary is empty
    Return type: dict

  getUserList(searchDict=None)
    This function finds the user objects that have the term ‘value’ in the user object field ‘key’.
    Parameters: searchDict (dict) – dict with key/value pairs of user attributes. The key may be something like ‘loginname’ or ‘email’; the value is a regular expression.
    Returns: list of dictionaries (each dictionary contains a user object) or an empty string if no object is found.
    Return type: list of dicts

  getUsername(userid)
    Returns the username/loginname for a given userid.
    Parameters: userid (string) – The userid in this resolver
    Returns: username
    Return type: string

  loadConfig(config)
    Load the configuration from the dict into the Resolver object. If attributes are missing, default values need to be set. If required attributes are missing, this should raise an Exception.
    Parameters: config (dict) – The configuration values of the resolver

  classmethod testconnection(param)
    This function lets you test if the parameters can be used to create a working resolver. The implementation should try to connect to the user store and verify if users can be retrieved. In case of success it should return a text like “Resolver config seems OK. 123 Users found.”
    Parameters: param (dict) – The parameters that should be saved as the resolver
    Returns: True in case of success and a descriptive text
    Return type: tuple

  update_user(uid, attributes=None)
    Update an existing user. This function is also used to update the password. Since the attribute mapping knows which field contains the password, this function can also take care of password changing.
    Attributes that are not contained in the dict attributes are not modified.
    Parameters:
      - uid (basestring) – The uid of the user object in the resolver.
      - attributes (dict) – Attributes to be updated.
    Returns: True in case of success
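The contract above (empty string for an unknown login name, empty dict for an unknown uid, boolean password check, regex-valued searchDict, exception on a missing required config attribute) as an added illustration: a small in-memory resolver written for this page, not privacyIDEA's own code, and not a subclass of the real base class. The "users" config key, the UID numbering from 1000 and the PBKDF2 password storage are assumptions of the example.

```python
import hashlib, hmac, os, re

class DictIdResolver:
    """Toy in-memory resolver following the UserIdResolver method contract."""

    def __init__(self):
        self.users = {}   # uid -> user dict; "password" holds (salt, pbkdf2 digest)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def loadConfig(self, config):
        # "users" is the one required attribute: if it is missing, raise as the contract asks
        if "users" not in config:
            raise ValueError("required resolver attribute 'users' is missing")
        for uid, (name, info) in enumerate(config["users"].items(), start=1000):
            salt = os.urandom(16)                # the resolver decides how UIDs are formed
            hashed = (salt, self._hash(info.get("password", ""), salt))
            self.users[uid] = dict(info, username=name, password=hashed)
        return self

    def getUserId(self, loginName):
        for uid, info in self.users.items():
            if info["username"] == loginName:
                return uid
        return ""   # unknown user: empty string, not None and not an exception

    def getUsername(self, userid):
        return self.users.get(userid, {}).get("username", "")

    def getUserInfo(self, userid):
        info = self.users.get(userid)
        if info is None:
            return {}   # unknown uid: empty dict
        return {k: v for k, v in info.items() if k != "password"}   # never hand out the hash

    def checkPass(self, uid, password):
        info = self.users.get(uid)
        if info is None:
            return False   # unknown uid fails closed
        salt, digest = info["password"]
        return hmac.compare_digest(digest, self._hash(password, salt))

    def getUserList(self, searchDict=None):
        # every key of searchDict is a user field, every value a regular expression
        return [self.getUserInfo(uid) for uid, info in self.users.items()
                if all(re.search(v, str(info.get(k, "")))
                       for k, v in (searchDict or {}).items())]
```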
13.2.2.2. PasswdResolver

class privacyidea.lib.resolvers.PasswdIdResolver.IdResolver

  checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.
    We do not support shadow passwords, so the second column of the passwd file needs to contain the crypted password.
    Parameters:
      - uid (int) – The uid of the user
      - password (string) – The password in cleartext
    Returns: True or False
    Return type: bool

  checkUserId(line, pattern)
    Check if a userid matches a pattern. A pattern can be “=1000”, “>=1000”, “<2000” or “between 1000,2000”.
    Parameters:
      - line (dict) – the dictionary of a user
      - pattern (string) – match pattern with <, <=...
    Returns: True or False
    Return type: bool

  classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    Returns: resolver description dict
    Return type: dict

  getResolverId()
    Return the resolver identifier string, which in fact is the filename that it points to.

  getSearchFields(searchDict=None)
    Show which search fields this userIdResolver supports.
    TODO: implementation is not completed
    Parameters: searchDict (dict) – fields which can be queried
    Returns: dict of all searchFields
    Return type: dict

  getUserId(LoginName)
    Search the user id from the login name.
    Parameters: LoginName – the login of the user
    Returns: the userId

  getUserInfo(userId, no_passwd=False)
    Get some info about the user. As we only have the loginId, we have to traverse the dict for the value.
    Parameters:
      - userId – the user to be searched
      - no_passwd – return no password
    Returns: dict of user info

  getUserList(searchDict)
    Get a list of all users matching the search criteria of the searchDict.
    Parameters: searchDict – dict of search expressions

  getUsername(userId)
    Returns the username/loginname for a given userid.
    Parameters: userId (string) – The userid in this resolver
    Returns: username
    Return type: string

  loadConfig(configDict)
    The UserIdResolver could be configured from the pylons app config; here this could be the passwd file, whether it is /etc/passwd or /etc/shadow.
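The passwd-file handling and the checkUserId pattern syntax (“=1000”, “>=1000”, “<2000”, “between 1000,2000”) as an added worked example, written for this page rather than taken from PasswdIdResolver: a parser for a constructed passwd-format sample, the uid pattern matcher, and a getUserList that combines a 'userid' pattern with regex search on other fields. The field names and the 'userid' search key are assumptions of the example; the hash in the sample is a made-up placeholder.

```python
import re

# Constructed sample in /etc/passwd format: the second column carries the crypted
# password, as the PasswdResolver expects when no shadow file is used.
PASSWD_TEXT = """root:x:0:0:root:/root:/bin/bash
alice:$6$constructedsalt$constructedhash:1000:1000:Alice:/home/alice:/bin/bash
bob:*:1500:1500:Bob:/home/bob:/bin/sh
broken line without colons
svc:!:2500:2500:Service:/var/lib/svc:/usr/sbin/nologin
"""

def parse_passwd(text):
    """Return {uid: user dict} for every well-formed 7-field line."""
    users = {}
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue   # skip malformed lines instead of failing the whole file
        name, cryptpass, uid, gid, desc, home, shell = fields
        users[int(uid)] = {"username": name, "cryptpass": cryptpass, "uid": int(uid),
                           "gid": int(gid), "description": desc, "home": home,
                           "shell": shell}
    return users

# "=1000", ">1000", ">=1000", "<2000", "<=2000" or "between 1000,2000"
_UID_PATTERN = re.compile(r"^\s*(between|>=|<=|>|<|=)\s*(\d+)(?:\s*,\s*(\d+))?\s*$")

def checkUserId(line, pattern):
    """True if the user dict's uid satisfies the pattern; a malformed pattern raises."""
    m = _UID_PATTERN.match(pattern)
    if not m or (m.group(1) == "between") != (m.group(3) is not None):
        raise ValueError("unsupported uid pattern: %r" % pattern)
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    uid = int(line["uid"])
    if op == "between":
        return lo <= uid <= int(hi)
    return {"=": uid == lo, ">": uid > lo, ">=": uid >= lo,
            "<": uid < lo, "<=": uid <= lo}[op]

def getUserList(users, searchDict):
    """Users matching every search expression: 'userid' takes the uid patterns
    above, any other key is a regular expression over that field."""
    def matches(line, key, value):
        if key == "userid":
            return checkUserId(line, value)
        return re.search(value, str(line.get(key, ""))) is not None
    return [{k: v for k, v in line.items() if k != "cryptpass"}   # drop the hash
            for line in users.values()
            if all(matches(line, k, v) for k, v in searchDict.items())]
```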
13.2.2.3. LDAPResolver

class privacyidea.lib.resolvers.LDAPIdResolver.IdResolver

  checkPass(uid, password)
    This function checks the password for a given uid. Returns True in case of success, False if the password does not match.

  classmethod getResolverClassDescriptor()
    Return the descriptor of the resolver, which is the class name and the config description.
    Returns: resolver description dict
    Return type: dict

  getResolverId()
    Returns the resolver Id. This should be an identifier of the resolver, preferably the type and the name of the resolver.

  getUserId(LoginName)
    Resolve the loginname to the userid.
    Parameters: LoginName (string) – The login name from the credentials
    Returns: UserId as found for the LoginName

  getUserInfo(userId)
    This function returns all user info for a given userid/object.
    Parameters: userId (string) – The userid of the object
    Returns: A dictionary with the keys defined in self.userinfo
    Return type: dict

  getUserList(searchDict)
    Parameters: searchDict (dict) – A dictionary with search parameters
    Returns: list of users, where each user is a dictionary

  getUsername(user_id)
    Returns the username/loginname for a given user_id.
    Parameters: user_id (string) – The user_id in this resolver
    Returns: username
    Return type: string

  classmethod get_serverpool(urilist, timeout)
    This creates the server pool for the ldap3 connection. The URI from the LDAP resolver can contain a comma separated list of LDAP servers. These are split and then added to the pool.
    See https://github.com/cannatag/ldap3/blob/master/docs/manual/source/servers.rst#server-pool
    Parameters:
      - urilist (basestring) – The list of LDAP URIs, comma separated
      - timeout (float) – The connection timeout
    Returns: Server Pool
    Return type: LDAP3 Server Pool Instance

  loadConfig(config)
    Load the config from conf.
    Parameters: config (dict) – The configuration from the Config Table:
      ‘#ldap_uri’: ‘LDAPURI’,
      ‘#ldap_basedn’: ‘LDAPBASE’,
      ‘#ldap_binddn’: ‘BINDDN’,
      ‘#ldap_password’: ‘BINDPW’,
      ‘#ldap_timeout’: ‘TIMEOUT’,
      ‘#ldap_sizelimit’: ‘SIZELIMIT’,
      ‘#ldap_loginattr’: ‘LOGINNAMEATTRIBUTE’,
      ‘#ldap_searchfilter’: ‘LDAPSEARCHFILTER’,
      ‘#ldap_userfilter’: ‘LDAPFILTER’,
      ‘#ldap_mapping’: ‘USERINFO’,
      ‘#ldap_uidtype’: ‘UIDTYPE’,
      ‘#ldap_noreferrals’: ‘NOREFERRALS’,
      ‘#ldap_certificate’: ‘CACERTIFICATE’,

  classmethod split_uri(uri)
    Splits LDAP URIs like:
      * ldap://server
      * ldaps://server
      * ldap[s]://server:1234
      * server
    Parameters: uri – The LDAP URI
    Returns: a tuple of Servername, Port and SSL (bool)

  classmethod testconnection(param)
    This function lets you test the LDAP connection that is to be saved.
    This is taken from controllers/admin.py
    Parameters: param (dict) – A dictionary with all necessary parameters to test the connection. Parameters are: BINDDN, BINDPW, LDAPURI, TIMEOUT, LDAPBASE, LOGINNAMEATTRIBUTE, LDAPSEARCHFILTER, LDAPFILTER, USERINFO, SIZELIMIT, NOREFERRALS, CACERTIFICATE, AUTHTYPE
    Returns: Tuple of success and a description
    Return type: (bool, string)
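The split_uri and get_serverpool behaviour described above as an added example written for this page, not LDAPIdResolver's own implementation: the four URI shapes are split into (servername, port, ssl) and a comma separated list becomes one server definition per entry. Assumptions of the example: a bare hostname means ldap://, missing ports default to 389 for ldap and 636 for ldaps, and the pool is returned as a list of dicts holding the keyword arguments ldap3.Server() accepts instead of a real ldap3.ServerPool, so the code runs without ldap3 installed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # assumed defaults when the URI has no port

def split_uri(uri):
    """Split 'ldap://host', 'ldaps://host', 'ldap[s]://host:1234' or a bare 'host'
    into (servername, port, ssl)."""
    uri = uri.strip()
    if "://" not in uri:
        uri = "ldap://" + uri                 # bare hostname: plain LDAP (assumed)
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an LDAP URI: %r" % uri)
    ssl = scheme == "ldaps"
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return parts.hostname, port, ssl

def get_serverpool(urilist, timeout):
    """Split the comma separated URI list and build one server definition per
    entry. Each dict holds the keyword arguments ldap3.Server() takes (host, port,
    use_ssl, connect_timeout); ldap3.ServerPool(servers) would be built from them.
    ldap3 itself is not imported so the example runs offline."""
    servers = []
    for uri in urilist.split(","):
        if not uri.strip():
            continue                          # tolerate "a,,b" or a trailing comma
        host, port, ssl = split_uri(uri)
        servers.append({"host": host, "port": port, "use_ssl": ssl,
                        "connect_timeout": timeout})
    if not servers:
        raise ValueError("empty LDAP URI list")
    return servers

def plaintext_servers(pool):
    """Pool entries configured with ldap:// rather than ldaps://, worth reviewing
    before a resolver that carries a bind password goes live."""
    return [s["host"] for s in pool if not s["use_ssl"]]
```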