reviewboard.accounts.backends.ad¶
Active Directory authentication backend.
-
class
ActiveDirectoryBackend
[source]¶ Bases:
reviewboard.accounts.backends.base.BaseAuthBackend
Authenticate a user against an Active Directory server.
This is controlled by the following Django settings:
AD_DOMAIN_CONTROLLER
:The domain controller (or controllers) to connect to. This must be a string, but multiple controllers can be specified by separating each with a space.
This is
auth_ad_domain_controller
in the site configuration.
AD_DOMAIN_NAME
:The Active Directory domain name. This must be a string.
This is
auth_ad_domain_name
in the site configuration.
AD_FIND_DC_FROM_DNS
:Whether domain controllers should be found by using DNS. This must be a boolean.
This is
auth_ad_find_dc_from_dns
in the site configuration.
AD_GROUP_NAME
:The optional name of the group to restrict available users to. This must be a string.
This is
auth_ad_group_name
in the site configuration.
AD_OU_NAME
:The optional name of the Organizational Unit to restrict available users to. This must be a string.
This is
auth_ad_ou_name
in the site configuration.
AD_RECURSION_DEPTH
:Maximum depth to recurse when checking group membership. A value of -1 means infinite depth is supported. A value of 0 turns off recursive checks.
This is
auth_ad_recursion_depth
in the site configuration.
AD_SEARCH_ROOT
:A custom search root for entries in Active Directory. This must be a string.
This is
auth_ad_search_root
in the site configuration.
AD_USE_TLS
:Whether to use TLS when communicating over LDAP. This must be a boolean.
This is
auth_ad_use_tls
in the site configuration.
-
settings_form
[source]¶ alias of
reviewboard.accounts.forms.auth.ActiveDirectorySettingsForm
-
get_domain_name
()[source]¶ Return the current Active Directory domain name.
This returns the domain name as set in
AD_DOMAIN_NAME
.Returns: The Active Directory domain name. Return type: unicode
-
get_ldap_search_root
(user_domain=None)[source]¶ Return the search root(s) for users in the LDAP server.
If
AD_SEARCH_ROOT
is set, then it will be used. Otherwise, a suitable search root will be computed based on the domain name (either the provideduser_domain
or the result ofget_domain_name()
) and any configured Organizational Unit name (AD_OU_NAME
).Parameters: user_domain (unicode, optional) – An explicit Active Directory domain to use for the search root. Returns: The search root used to locate users. Return type: unicode
-
search_ad
(con, filterstr, user_domain=None)[source]¶ Search the given LDAP server based on the provided filter.
Parameters: - con (ldap.LDAPObject) – The LDAP connection to search.
- filterstr (unicode) – The filter string used to locate objects in Active Directory.
- user_domain (unicode, optional) – An explicit domain used for the search. If not provided,
get_domain_name()
will be used.
Returns: The list of search results. Each tuple in the list is in the form of
(dn, attrs)
, wheredn
is the Distinguished Name of the entry andattrs
is a dictionary of attributes for that entry.Return type: list of tuple
-
find_domain_controllers_from_dns
(user_domain=None)[source]¶ Find and return the active domain controllers using DNS.
Parameters: user_domain (unicode, optional) – An explicit domain used for the search. If not provided, get_domain_name()
will be used.Returns: The list of domain controllers. Return type: list of unicode
-
can_recurse
(depth)[source]¶ Return whether the given recursion depth is too deep.
Parameters: depth (int) – The current depth to check. Returns: True
if the provided depth can be recursed into.False
if it’s too deep.Return type: bool
-
get_member_of
(con, search_results, seen=None, depth=0)[source]¶ Return the LDAP groups for the given users.
This iterates over the users specified in
search_results
and returns a set of groups of which those users are members.Parameters: - con (ldap.LDAPObject) – The LDAP connection used for checking groups memberships.
- search_results (list of tuple) – The list of search results to check. This expects a result
from
search_ad()
. - seen (set, optional) – The set of groups that have already been seen when recursing. This is used internally by this method and should not be provided by the caller.
- depth (int, optional) – The current recursion depth. This is used internally by this method and should not be provided by the caller.
Returns: The group memberships found for the given users.
Return type:
-
get_ldap_connections
(user_domain, request=None)[source]¶ Return all LDAP connections used for Active Directory.
This returns an iterable of connections to the LDAP servers specified in
AD_DOMAIN_CONTROLLER
.Parameters: - user_domain (unicode, optional) – The domain for the user.
- request (django.http.HttpRequest, optional) – The HTTP request from the client. This is used only for logging purposes.
Yields: tuple of (unicode, ldap.LDAPObject) – The connections to the configured LDAP servers.
-
authenticate
(request, username, password, **kwargs)[source]¶ Authenticate a user against Active Directory.
This will attempt to authenticate the user against Active Directory. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.
Changed in version 4.0: The
request
argument is now mandatory as the first positional argument, as per requirements in Django.Parameters: - request (django.http.HttpRequest) – The HTTP request from the caller. This may be
None
. - username (unicode) – The username to authenticate.
- password (unicode) – The user’s password.
- **kwargs (dict, unused) – Additional keyword arguments passed by the caller.
Returns: The authenticated user, or
None
if the user could not be authenticated for any reason.Return type: - request (django.http.HttpRequest) – The HTTP request from the caller. This may be
-
get_or_create_user
(username, request=None, ad_user_data=None)[source]¶ Return an existing user or create one if it doesn’t exist.
This does not authenticate the user.
If the user does not exist in the database, but does in Active Directory, its information will be stored in the database for later lookup. However, this will only happen if
ad_user_data
is provided.Parameters: - username (unicode) – The name of the user to look up or create.
- request (django.http.HttpRequest, unused) – The HTTP request from the client. This is unused.
- ad_user_data (list of tuple, optional) – Data about the user to create. This is generally provided by
authenticate()
.
Returns: The resulting user, or
None
if one could not be found.Return type: