| Name | devpi-ldap |
| Version | 2.1.1 |
| download | |
| home_page | https://github.com/devpi/devpi-ldap |
| Summary | devpi-ldap: LDAP authentication for devpi-server |
| upload_time | 2023-08-07 09:47:31 |
| maintainer | Florian Schulze |
| docs_url | None |
| author | |
| requires_python | >=3.6 |
| license | MIT |
| keywords | |
| VCS | |
| bugtrack_url | |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

devpi-ldap: LDAP authentication for devpi-server
================================================

.. image:: https://img.shields.io/pypi/v/devpi-ldap.svg?style=flat
    :target: https://pypi.python.org/pypi/devpi-ldap/
    :alt: Latest Version

For use with devpi-server >= 2.1.0.

Installation
------------

``devpi-ldap`` needs to be installed alongside ``devpi-server``.

You can install it with::

    pip install devpi-ldap

For ``devpi-server`` there is no configuration needed to activate the plugin, as it will automatically discover the plugin through calling hooks using the setuptools entry points mechanism. However, you need to pass a path with a YAML config file to ``devpi-server``, via the ``--ldap-config`` command-line option.

Details about LDAP configuration below.

Configuration
-------------

A script named ``devpi-ldap`` can be used to test your LDAP configuration.

To configure LDAP, create a YAML file with a dictionary containing another dictionary under the ``devpi-ldap`` key with the following options:

``url``
    The URL of the LDAP server.
    Using ``ldaps://`` enables SSL.
    No certificate validation is performed at the moment.

``tls``
    Parameters to the `ldap3.Tls object
    <http://ldap3.readthedocs.org/ssltls.html#the-tls-object>`_ for
    Transport Layer Security, used with LDAPS connections.

``server_pool``
    A list of LDAP pool servers. Either ``server_pool`` or ``url`` is mandatory, but they are mutually exclusive.
    A list entry itself is a dictionary containing a mandatory ``url`` item and optionally a ``tls`` item.

``user_template``
    The template to generate the distinguished name for the user.
    If the structure is fixed, this is faster than specifying a ``user_search``, but ``devpi-server`` can't know whether a user exists or not.

``user_search``
    If you can't or don't want to use ``user_template``, then these are the search settings for the user's distinguished name.
    You can use ``username`` in the search filter.
    See specifics below.

``group_search``
    The search settings for the group objects of the user.
    You can use ``username`` and ``userdn`` (the distinguished name) in the search filter.
    See specifics below.

``referrals``
    Whether to follow referrals.
    This needs to be set to ``false`` in many cases when using LDAP via Active Directory on Windows.
    The default is ``true``.

``reject_as_unknown``
    Report all failed authentication attempts as ``unknown`` instead of
    ``reject``. This is useful e.g. if using the provided credentials to bind
    to LDAP, in which case we cannot distinguish authentication failures from
    unknown users. ``unknown`` is required to let other auth hooks attempt to
    authenticate the user.

``timeout``
    The timeout for connections to the LDAP server. Defaults to 10 seconds.

The ``user_search`` and ``group_search`` settings are dictionaries with the following options:

``base``
    The base location from which to search.

``filter``
    The search filter.
    To use replacements, put them in curly braces.
    Example: ``(&(objectClass=group)(member={userdn}))``

``scope``
    The scope for the search.
    Valid values are ``base-object``, ``single-level`` and ``whole-subtree``.
    The default is ``whole-subtree``.

``attribute_name``
    The name of the attribute which contains the user DN which will be used to check the user's
    password. ``devpi-ldap`` will extract this attribute from the search results and attempt to
    bind to the LDAP server using this DN and the password supplied by the user. If this bind
    succeeds, access is granted.

``userdn``
    The distinguished name of the user which should be used for the search operation.
    If you don't have anonymous user search (for ``user_search``), or if the users can't search their own groups (for ``group_search``), then you need to set this to a user which has the necessary rights.

``password``
    The password for the user in ``userdn``.

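
The ``filter`` replacements are filled with values that come from the login request, and the 2.1.1 changelog entry records that they are passed through ``escape_filter_chars`` before the search. The following is an added example, not devpi-ldap's own code, showing what that escaping preserves: ``escape_rfc4515`` is a stand-in written here for ldap3's ``escape_filter_chars``, and ``render_filter``, ``keeps_shape`` and the sample values are hypothetical.

```python
import re

# RFC 4515 escapes for characters that are syntax inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

USER_FILTER = "(&(objectClass=user)(sAMAccountName={username}))"  # from the page
GROUP_FILTER = "(&(objectClass=group)(member={userdn}))"  # from the page

# Constructed sample values: a plain login, a login containing a wildcard, and
# a legitimate DN whose CN holds an escaped comma and parentheses.
SAMPLES = [
    (USER_FILTER, {"username": "alice"}),
    (USER_FILTER, {"username": "a*"}),
    (GROUP_FILTER, {"userdn": r"CN=Smith\, John (Ops),OU=Staff,DC=Example,DC=COM"}),
]


def escape_rfc4515(value):
    """Stand-in written for this example for ldap3's escape_filter_chars."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, escape=True, **values):
    """Fill a {username}/{userdn} template (assumes str.format semantics)."""
    if escape:
        values = {key: escape_rfc4515(val) for key, val in values.items()}
    return template.format(**values)


def keeps_shape(template, rendered):
    """True if substitution added no '(', ')' or '*' beyond the template's own."""
    bare = re.sub(r"\{\w+\}", "", template)
    return all(bare.count(ch) == rendered.count(ch) for ch in "()*")


def report():
    """Return (escaped?, rendered filter, shape kept?) for every sample."""
    rows = []
    for template, values in SAMPLES:
        for escape in (False, True):
            rendered = render_filter(template, escape=escape, **values)
            rows.append((escape, rendered, keeps_shape(template, rendered)))
    return rows


if __name__ == "__main__":
    for escape, rendered, kept in report():
        print(f"escaped={escape!s:<5} shape_kept={kept!s:<5} {rendered}")
```

The DN sample shows that escaping matters for ordinary directory data too: a group filter built from an unescaped DN containing parentheses no longer has the structure the configured template intended.
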
The YAML file should then look similar to this:

.. code-block:: yaml

    ---
    devpi-ldap:
      url: ldap://example.com
      user_template: CN={username},CN=Partition1,DC=Example,DC=COM
      group_search:
        base: CN=Partition1,DC=Example,DC=COM
        filter: (&(objectClass=group)(member={userdn}))
        attribute_name: CN

An example with user search and Active Directory might look like this:

.. code-block:: yaml

    ---
    devpi-ldap:
      url: ldap://example.com
      user_search:
        base: CN=Partition1,DC=Example,DC=COM
        filter: (&(objectClass=user)(sAMAccountName={username}))
        attribute_name: distinguishedName
      group_search:
        base: CN=Partition1,DC=Example,DC=COM
        filter: (&(objectClass=group)(member={userdn}))
        attribute_name: CN

With a server pool it might look like this:

.. code-block:: yaml

    ---
    devpi-ldap:
      server_pool:
        - url: ldap://server1.example.com:389
        - url: ldap://server2.example.com:3268
        - url: ldaps://server3.example.com:636
          tls:
            validate: 2 # ssl.CERT_REQUIRED
            ca_certs_file: /etc/ssl/certs/ca-certificates.crt
        - url: ldaps://server4.example.com:3269
          tls:
            validate: 2 # ssl.CERT_REQUIRED
            ca_certs_file: /etc/ssl/certs/ca-certificates.crt
      user_search:
        base: CN=Partition1,DC=Example,DC=COM
        filter: (&(objectClass=user)(sAMAccountName={username}))
        attribute_name: distinguishedName
      group_search:
        base: CN=Partition1,DC=Example,DC=COM
        filter: (&(objectClass=group)(member={userdn}))
        attribute_name: CN

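
A pre-deployment check for the transport and consistency rules in the option descriptions, as an added example that is not part of devpi-ldap: ``audit_config``, ``check_server`` and the finding texts are hypothetical, and the input is the dictionary ``yaml.safe_load`` would return for the config file. It assumes that an ``ldaps://`` URL is certificate-validated only when its ``tls`` item sets ``validate: 2``, and that ``ldap://`` connections are never upgraded to TLS.

```python
import ssl
from urllib.parse import urlsplit

VALID_SCOPES = {"base-object", "single-level", "whole-subtree"}  # listed on the page
TLS_OK = {"validate": 2, "ca_certs_file": "/etc/ssl/certs/ca-certificates.crt"}

# Constructed input: the page's server-pool example as a parsed dictionary.
POOL_EXAMPLE = {"devpi-ldap": {
    "server_pool": [
        {"url": "ldap://server1.example.com:389"},
        {"url": "ldap://server2.example.com:3268"},
        {"url": "ldaps://server3.example.com:636", "tls": TLS_OK},
        {"url": "ldaps://server4.example.com:3269", "tls": TLS_OK},
    ],
    "group_search": {"base": "CN=Partition1,DC=Example,DC=COM",
                     "filter": "(&(objectClass=group)(member={userdn}))",
                     "attribute_name": "CN"},
}}


def check_server(entry, where):
    """Findings for one mapping that holds 'url' and, optionally, 'tls'."""
    url = entry.get("url")
    if not url:
        return [f"{where}: missing mandatory 'url'"]
    scheme = urlsplit(url).scheme.lower()
    if scheme == "ldap":
        # Assumption: no StartTLS upgrade happens on ldap:// connections.
        return [f"{where}: {url} is not encrypted"]
    if scheme != "ldaps":
        return [f"{where}: unexpected scheme in {url}"]
    tls = entry.get("tls") or {}
    if tls.get("validate") != ssl.CERT_REQUIRED:  # CERT_REQUIRED == 2
        return [f"{where}: {url} does not set tls.validate to 2 (ssl.CERT_REQUIRED)"]
    return []


def audit_config(document):
    """Return a list of findings for a parsed devpi-ldap YAML document."""
    cfg = document.get("devpi-ldap") or {}
    findings = []
    if ("url" in cfg) == ("server_pool" in cfg):
        findings.append("set exactly one of 'url' and 'server_pool'")
    if "url" in cfg:
        findings += check_server(cfg, "url")  # top-level 'tls' sits beside 'url'
    for i, entry in enumerate(cfg.get("server_pool") or []):
        findings += check_server(entry, f"server_pool[{i}]")
    for section in ("user_search", "group_search"):
        scope = (cfg.get(section) or {}).get("scope", "whole-subtree")
        if scope not in VALID_SCOPES:
            findings.append(f"{section}: invalid scope {scope!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_config(POOL_EXAMPLE)) or "no findings")
```

Run against the pool example, it reports the two ``ldap://`` entries and accepts the two ``ldaps://`` entries that carry ``validate: 2``.
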
Changelog
=========

2.1.1 - 2023-08-07
------------------

- Use ``escape_filter_chars`` before calling LDAP ``search`` method.
  [mr-scrawley (Micha Schmierer), fschulze]

2.1.0 - 2021-12-04
------------------

- Fix issue #50: new server_pool setting.

2.0.0 - 2021-05-16
------------------

- Add ``timeout`` option for LDAP connections. Defaults to 10 seconds.

- Use ``safe_load`` to read YAML config.

- The ``reject_as_unknown`` option is now true by default.

- Drop support for Python < 3.6, support for Python 3.x will end with their
  respective EOLs.

- Fix deprecation warning with devpi-server 6.0.0.

- Fix pluggy deprecation warning.

- Require at least devpi-server 5.0.0.

1.2.2 - 2018-05-28
------------------

- More ldap3 2.x fixes.
  [fschulze]

1.2.1 - 2018-05-25
------------------

- Fix compatibility with ldap3 2.x.
  [fschulze, abrasive (James Laird-Wah)]

- Stopped testing with Python 2.6, but no changes made which break compatibility.

1.2.0 - 2016-03-25
------------------

- Add support for TLS parameters in the config.
  [jaraco (Jason R. Coombs)]

- Allow invocation via ``python -m devpi-ldap`` and fix cli for Python 3.
  [jaraco]

- Add exit codes to testing script when authentication fails.
  [jaraco]

1.1.1 - 2016-01-28
------------------

- set minimum version of ldap3 library, which adds hiding of password in debug
  logging.
  [cannatag (Giovanni Cannata), rodcloutier (Rodrigue Cloutier), fschulze]

- change dependency for the ldap library, which was renamed.
  [kumy]

- fix issue #5: dn and distinguishedName may appear as a top level response
  attribute instead of the attributes list.
  [kainz (Bryon Roché)]

- fix issue #24: Ignore additional search result data.
  [bonzani (Patrizio Bonzani), fschulze]

1.1.0 - 2014-11-10
------------------

- add ``reject_as_unknown`` option
  [davidszotten (David Szotten)]

1.0.1 - 2014-10-10
------------------

- fix the plugin hook
  [fschulze]

1.0.0 - 2014-09-22
------------------

- initial release
  [fschulze (Florian Schulze)]