Table Of Contents

Previous topic

9.3. CredentialStore

Next topic

9.5. UserList

9.4. LDAPServer

The LDAPServer service implements retrieving a user attribute from preconfigured AD or unix LDAP servers.

9.4.1. Configuration example

[ldap_server]
# Name of the LDAP Server policy configured in SPS
; name = <ldap-server-policy-name>

# The LDAP attribute name which should be used.
# Note that this may be different from the displayed name of the
# attribute, especially in Microsoft Windows, for example
# "Office" attribute is encoded in "physicalDeliveryOfficeName".
user_attribute = description

9.4.2. Acquiring a user attribute

In this example we’ll use the following configuration to fetch the description attribute of the user administrator.

[ldap_server]
# Name of the LDAP Server policy configured in SPS
name = my_ad_policy

# The LDAP attribute name which should be used.
# Note that this may be different from the displayed name of the
# attribute, especially in Microsoft Windows, where for example
# "Office" attribute is encoded in "physicalDeliveryOfficeName".
user_attribute = description

from safeguard.sessions.plugin import PluginConfiguration
from safeguard.sessions.plugin import LDAPServer

class Plugin:
   def __init__(self, configuration):
       self.__config = PluginConfiguration(configuration)
       self.__ldap = LDAPServer.from_config(self.__config)
       attribute = self.__ldap.get_user_attribute('administrator')
class safeguard.sessions.plugin.ldap_server.LDAPServer(ldap_service, user_attribute_factory, user_groups_factory)

The LDAPServer represent access to the LDAP Server configured in SPS.

Do not instantiate LDAPServer service with its constructor, rather use the from_config() method.

Parameters

  • plugin_configuration – configuration to use

  • section (str) – the section to get configuration options from

  • ldap_service – reference to internal implementation

classmethod from_config(plugin_configuration, section='ldap_server', name=None)

The from_config() class method creates an LDAPServer instance from a given plugin configuration.

Parameters

  • plugin_configuration (PluginConfiguration) – plugin configuration object

  • section (str) – name of the section where the LDAP parameters are stored

  • name (str) – name of the LDAP server policy

Returns

LDAPServer instance

Return type

LDAPServer

Raises

RequiredConfigurationSettingNotFound if there is no such section or “name” option in the section defined in the configuration.

get_user_string_attribute(username, attribute=None)

The get_user_string_attribute() method can retrieve a user’s string attribute from LDAP. Any string or numeric value that can be converted to a UTF-8 string will be returned. On the other hand binary data will trigger an error, for example a JPEG photo cannot be fetched this way.

Parameters

  • username (str) –

  • attribute (str) –

Returns

list of values in the attribute

Raises

RequiredConfigurationSettingNotFound if the attribute parameter is None but there is no “user_attribute” defined in the configuration.

Raises

LDAPUserNotFound if the user is not found in LDAP database.

Raises

LDAPOperationError on other LDAP related errors.

get_user_string_attributes(username, attributes)

The get_user_string_attributes() method can retrieve multiple string attributes of a user from LDAP. Any string or numeric value that can be converted to a UTF-8 string will be returned. On the other hand binary data will trigger an error, for example a JPEG photo cannot be fetched this way. The result contains a dictionary of attribute to list of value mapping, where missing attributes, empty attributes get the empty list as a value.

New in version 1.4.0.

Parameters

  • username (str) –

  • attributes (list) –

Returns

dictionary of attribute to value list

Raises

LDAPUserNotFound if the user is not found in LDAP database.

Raises

LDAPOperationError on other LDAP related errors.

filter_user_groups(username, groups=None)

The filter_user_groups() method can check whether a user is member of a list of predefined groups.

Parameters

  • username (str) –

  • groups (list) –

Returns

the input groups reduced to those groups that the user is actually a member of

Return type

list

Raises

RequiredConfigurationSettingNotFound if the groups parameter is None but there is no “user_groups” defined in the configuration.

Raises

LDAPUserNotFound if the user is not found in LDAP database.

Raises

LDAPOperationError on other LDAP related errors.

9.4.3. Exceptions

exception safeguard.sessions.plugin.ldap_server_exceptions.LDAPOperationError(message, variables=None)

The LDAPOperationError exception is raised when an LDAP error is detected.

exception safeguard.sessions.plugin.ldap_server_exceptions.LDAPUserNotFound(variables)

The LDAPUserNotFound exception is raised when a user is not found in the LDAP server.