LDAP authentication backend.
- class LDAPBackend¶
Authentication backend for LDAP servers.
This allows the use of LDAP servers for authenticating users in Review Board, and for importing individual users on-demand. It allows for a lot of customization in terms of how the LDAP server is queried, providing compatibility with most open source and commercial LDAP servers.
The following Django settings are supported:
The full DN (distinguished name) of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This is treated as a general or “anonymous” user for servers requiring authentication, and will not be otherwise imported into the Review Board server (unless attempting to log in with the same name).
This can be unset if the LDAP server supports actual anonymous binds without a DN.
The password used for the account specified in
The full distinguished name of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This can be unset if the LDAP server supports anonymous binds.
The base DN (distinguished name) used to perform LDAP searches.
The attribute designating the e-mail address of a user in the directory. E-mail attributes are only used if this is set and if
LDAP_EMAIL_DOMAINis not set.
The domain name to use for e-mail addresses. If set, users imported from LDAP will have an e-mail address in the form of
username@LDAP_EMAIL_DOMAIN. This takes priority over
The attribute designating the given name (or first name) of a user in the directory. This defaults to
givenNameif not provided.
The attribute designating the surname (or last name) of a user in the directory. This defaults to
snif not provided.
Whether to use TLS to communicate with the LDAP server.
The attribute indicating a user’s unique ID in the directory. This is used to compute a user lookup filter in the format of
A mask defining a filter for looking up users. This must contain
%ssomewhere in the string, representing the username. For example:
The URI to the LDAP server to connect to for all communication.
- authenticate(request, username, password, **kwargs)¶
Authenticate a user.
This will attempt to authenticate the user against the LDAP server. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.
Changed in version 4.0: The
requestargument is now mandatory as the first positional argument, as per requirements in Django.
The authenticated user, or
Noneif the user could not be authenticated for any reason.
- Return type
- get_or_create_user(username, request=None, ldapo=None, userdn=None)¶
Return a user account, importing from LDAP if necessary.
If the user already exists in the database, it will be returned directly. Otherwise, this will attempt to look up the user in LDAP and create a local user account representing that user.
username (unicode) – The username to look up.
request (django.http.HttpRequest, optional) – The optional HTTP request for this operation.
ldapo (ldap.LDAPObject, optional) – The existing LDAP connection, if the caller has one. If not provided, a new connection will be created.
userdn (unicode, optional) – The DN for the user being looked up, if the caller knows it. If not provided, the DN will be looked up.
The resulting user, if it could be found either locally or in LDAP. If the user does not exist,
- Return type