:tocdepth: 3

:py:mod:`gws.plugin.auth_provider.ldap`
=======================================

.. py:module:: gws.plugin.auth_provider.ldap

.. autoapi-nested-parse::

   LDAP authorization provider.

   Accepts an LDAP URL in the following form::

       ldap://host:port/baseDN?searchAttribute

   which is a subset of the RFC 2255 schema.

   Optionally, a bind DN and a password can be provided. This DN must have search permissions for the directory.

   The authorization workflow with the (login, password) credentials is as follows:

   - connect to the LDAP server, using the bind DN if provided
   - search for the DN matching ``searchAttribute = credentials.login``
   - attempt to log in with that DN and ``credentials.password``
   - iterate the ``users`` configs to determine roles for the user

   .. rubric:: References

   https://datatracker.ietf.org/doc/html/rfc2255

**Source code:** :source:`gws.plugin.auth_provider.ldap`

Package Contents
----------------

.. py:class:: Config

   Bases: :py:obj:`gws.base.auth.provider.Config`

   LDAP authorization provider

   .. py:attribute:: activeDirectory
      :type: bool
      :value: True

      True if the LDAP server is ActiveDirectory.

   .. py:attribute:: bindDN
      :type: Optional[str]

      Bind DN.

   .. py:attribute:: bindPassword
      :type: Optional[str]

      Bind password.

   .. py:attribute:: displayNameFormat
      :type: Optional[gws.FormatStr]

      Format for user's display name.

   .. py:attribute:: timeout
      :type: gws.Duration
      :value: 30

      LDAP server timeout.

   .. py:attribute:: url
      :type: str

      LDAP server url.

   .. py:attribute:: users
      :type: list[UserSpec]

      Map LDAP filters to gws roles.

.. py:class:: Object

   Bases: :py:obj:`gws.base.auth.provider.Object`

   .. py:attribute:: baseDN
      :type: str

   .. py:attribute:: loginAttribute
      :type: str

   .. py:attribute:: serverUrl
      :type: str

   .. py:attribute:: timeout
      :type: int

   .. py:method:: authenticate(method, credentials)

   .. py:method:: configure()

   .. py:method:: get_user(local_uid)

.. py:class:: UserSpec(*args, **kwargs)

   Bases: :py:obj:`gws.Data`

   Map LDAP filters to authorization roles

   .. py:attribute:: matches
      :type: Optional[str]

      LDAP filter the account has to match

   .. py:attribute:: memberOf
      :type: Optional[str]

      LDAP group the account has to be a member of

   .. py:attribute:: roles
      :type: list[str]

      GWS role names
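
The following is an added example, not code from ``gws``: it sketches the first two steps of the authorization workflow described at the top of this page, splitting the ``ldap://host:port/baseDN?searchAttribute`` URL and building the ``searchAttribute = credentials.login`` filter with RFC 4515 escaping. The function names, the acceptance of ``ldaps`` and the rejection of empty passwords are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# RFC 4515 section 3: these characters are written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# An attribute descriptor: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_ldap_url(url):
    """Split ldap://host:port/baseDN?searchAttribute into (server, base DN, attribute)."""
    parts = urlsplit(url)
    # Assumption: ldaps is accepted here in addition to the ldap form shown on the page.
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("expected ldap://host:port/baseDN?searchAttribute")
    base_dn = unquote(parts.path.lstrip("/"))
    attr = parts.query
    if not base_dn or not _ATTR_RE.match(attr):
        raise ValueError("a base DN and exactly one search attribute are required")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}", base_dn, attr


def escape_filter_value(value):
    """Escape a user-supplied string so it is matched literally by the server."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_credentials(login, password):
    """Refuse inputs that must never be sent to the directory."""
    # A simple bind with a DN and an empty password is an "unauthenticated bind"
    # (RFC 4513 section 5.1.2), which a server may answer with success.
    if not login or not password:
        raise ValueError("empty login or password")


def prepare_search(url, login, password):
    """Return (server URL, base DN, search filter) for the DN lookup step."""
    check_credentials(login, password)
    server, base_dn, attr = parse_ldap_url(url)
    return server, base_dn, f"({attr}={escape_filter_value(login)})"
```

The returned filter is what a client would pass to the search under the base DN; the bind with the found DN and the role mapping from ``users`` are outside this sketch.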