Jump to >

This documentation covers the in-development release of Review Board. You can see the latest stable docs or all previous versions.


Active Directory authentication backend.

class ActiveDirectoryBackend[source]

Bases: reviewboard.accounts.backends.base.BaseAuthBackend

Authenticate a user against an Active Directory server.

This is controlled by the following Django settings:


The domain controller (or controllers) to connect to. This must be a string, but multiple controllers can be specified by separating each with a space.

This is auth_ad_domain_controller in the site configuration.


The Active Directory domain name. This must be a string.

This is auth_ad_domain_name in the site configuration.


Whether domain controllers should be found by using DNS. This must be a boolean.

This is auth_ad_find_dc_from_dns in the site configuration.


The optional name of the group to restrict available users to. This must be a string.

This is auth_ad_group_name in the site configuration.


The optional name of the Organizational Unit to restrict available users to. This must be a string.

This is auth_ad_ou_name in the site configuration.


Maximum depth to recurse when checking group membership. A value of -1 means infinite depth is supported. A value of 0 turns off recursive checks.

This is auth_ad_recursion_depth in the site configuration.


A custom search root for entries in Active Directory. This must be a string.

This is auth_ad_search_root in the site configuration.


Whether to use TLS when communicating over LDAP. This must be a boolean.

This is auth_ad_use_tls in the site configuration.

backend_id = u'ad'[source]
name = u'Active Directory'[source]

alias of reviewboard.accounts.forms.auth.ActiveDirectorySettingsForm

login_instructions = u'Use your standard Active Directory username and password.'[source]

Return the current Active Directory domain name.

This returns the domain name as set in AD_DOMAIN_NAME.

Returns:The Active Directory domain name.
Return type:unicode

Return the search root(s) for users in the LDAP server.

If AD_SEARCH_ROOT is set, then it will be used. Otherwise, a suitable search root will be computed based on the domain name (either the provided user_domain or the result of get_domain_name()) and any configured Organizational Unit name (AD_OU_NAME).

Parameters:user_domain (unicode, optional) – An explicit Active Directory domain to use for the search root.
Returns:The search root used to locate users.
Return type:unicode
search_ad(con, filterstr, user_domain=None)[source]

Search the given LDAP server based on the provided filter.

  • con (ldap.LDAPObject) – The LDAP connection to search.
  • filterstr (unicode) – The filter string used to locate objects in Active Directory.
  • user_domain (unicode, optional) – An explicit domain used for the search. If not provided, get_domain_name() will be used.

The list of search results. Each tuple in the list is in the form of (dn, attrs), where dn is the Distinguished Name of the entry and attrs is a dictionary of attributes for that entry.

Return type:

list of tuple


Find and return the active domain controllers using DNS.

Parameters:user_domain (unicode, optional) – An explicit domain used for the search. If not provided, get_domain_name() will be used.
Returns:The list of domain controllers.
Return type:list of unicode

Return whether the given recursion depth is too deep.

Parameters:depth (int) – The current depth to check.
Returns:True if the provided depth can be recursed into. False if it’s too deep.
Return type:bool
get_member_of(con, search_results, seen=None, depth=0)[source]

Return the LDAP groups for the given users.

This iterates over the users specified in search_results and returns a set of groups of which those users are members.

  • con (ldap.LDAPObject) – The LDAP connection used for checking groups memberships.
  • search_results (list of tuple) – The list of search results to check. This expects a result from search_ad().
  • seen (set, optional) – The set of groups that have already been seen when recursing. This is used internally by this method and should not be provided by the caller.
  • depth (int, optional) – The current recursion depth. This is used internally by this method and should not be provided by the caller.

The group memberships found for the given users.

Return type:


get_ldap_connections(user_domain, request=None)[source]

Return all LDAP connections used for Active Directory.

This returns an iterable of connections to the LDAP servers specified in AD_DOMAIN_CONTROLLER.

  • user_domain (unicode, optional) – The domain for the user.
  • request (django.http.HttpRequest, optional) – The HTTP request from the client. This is used only for logging purposes.

tuple of (unicode, ldap.LDAPObject) – The connections to the configured LDAP servers.

authenticate(request, username, password, **kwargs)[source]

Authenticate a user against Active Directory.

This will attempt to authenticate the user against Active Directory. If the username and password are valid, a user will be returned, and added to the database if it doesn’t already exist.

Changed in version 4.0: The request argument is now mandatory as the first positional argument, as per requirements in Django.

  • request (django.http.HttpRequest) – The HTTP request from the caller. This may be None.
  • username (unicode) – The username to authenticate.
  • password (unicode) – The user’s password.
  • **kwargs (dict, unused) – Additional keyword arguments passed by the caller.

The authenticated user, or None if the user could not be authenticated for any reason.

Return type:


get_or_create_user(username, request=None, ad_user_data=None)[source]

Return an existing user or create one if it doesn’t exist.

This does not authenticate the user.

If the user does not exist in the database, but does in Active Directory, its information will be stored in the database for later lookup. However, this will only happen if ad_user_data is provided.

  • username (unicode) – The name of the user to look up or create.
  • request (django.http.HttpRequest, unused) – The HTTP request from the client. This is unused.
  • ad_user_data (list of tuple, optional) – Data about the user to create. This is generally provided by authenticate().

The resulting user, or None if one could not be found.

Return type: