LDAP authentication backend.
Authentication backend for LDAP servers.
This allows the use of LDAP servers for authenticating users in Review Board, and for importing individual users on-demand. It allows for a lot of customization in terms of how the LDAP server is queried, providing compatibility with most open source and commercial LDAP servers.
The following Django settings are supported:
The full DN (distinguished name) of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This is treated as a general or “anonymous” user for servers requiring authentication, and will not be otherwise imported into the Review Board server (unless attempting to log in with the same name).
This can be unset if the LDAP server supports actual anonymous binds without a DN.
- The password used for the account specified in
- The full distinguished name of a user account with sufficient access to perform lookups of users and groups in the LDAP server. This can be unset if the LDAP server supports anonymous binds.
- The base DN (distinguished name) used to perform LDAP searches.
- The attribute designating the e-mail address of a user in the
directory. E-mail attributes are only used if this is set and if
LDAP_EMAIL_DOMAINis not set.
- The domain name to use for e-mail addresses. If set, users imported
from LDAP will have an e-mail address in the form of
username@LDAP_EMAIL_DOMAIN. This takes priority over
- The attribute designating the given name (or first name) of a user
in the directory. This defaults to
givenNameif not provided.
- The attribute designating the surname (or last name) of a user in the
directory. This defaults to
snif not provided.
- Whether to use TLS to communicate with the LDAP server.
- The attribute indicating a user’s unique ID in the directory. This
is used to compute a user lookup filter in the format of
- A mask defining a filter for looking up users. This must contain
%ssomewhere in the string, representing the username. For example:
- The URI to the LDAP server to connect to for all communication.
login_instructions= u'Use your standard LDAP username and password.'¶
authenticate(request, username, password, **kwargs)¶
Authenticate a user.
This will attempt to authenticate the user against the LDAP server. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.
Changed in version 4.0: The
requestargument is now mandatory as the first positional argument, as per requirements in Django.
The authenticated user, or
Noneif the user could not be authenticated for any reason.
get_or_create_user(username, request=None, ldapo=None, userdn=None)¶
Return a user account, importing from LDAP if necessary.
If the user already exists in the database, it will be returned directly. Otherwise, this will attempt to look up the user in LDAP and create a local user account representing that user.
- username (unicode) – The username to look up.
- request (django.http.HttpRequest, optional) – The optional HTTP request for this operation.
- ldapo (ldap.LDAPObject, optional) – The existing LDAP connection, if the caller has one. If not provided, a new connection will be created.
- userdn (unicode, optional) – The DN for the user being looked up, if the caller knows it. If not provided, the DN will be looked up.
The resulting user, if it could be found either locally or in LDAP. If the user does not exist,