Quick Start¶
Install the Package¶
$ pip install flask-ldap3-login
Basic Application¶
This is a basic application which uses Flask-Login to handle user sessions.
The application stores the users in the dictionary users
.
from flask import Flask, url_for
from flask_ldap3_login import LDAP3LoginManager
from flask_login import LoginManager, login_user, UserMixin, current_user
from flask import render_template_string, redirect
from flask_ldap3_login.forms import LDAPLoginForm
app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret'
app.config['DEBUG'] = True
# Setup LDAP Configuration Variables. Change these to your own settings.
# All configuration directives can be found in the documentation.
# Hostname of your LDAP Server
app.config['LDAP_HOST'] = 'ad.mydomain.com'
# Base DN of your directory
app.config['LDAP_BASE_DN'] = 'dc=mydomain,dc=com'
# Users DN to be prepended to the Base DN
app.config['LDAP_USER_DN'] = 'ou=users'
# Groups DN to be prepended to the Base DN
app.config['LDAP_GROUP_DN'] = 'ou=groups'
# The RDN attribute for your user schema on LDAP
app.config['LDAP_USER_RDN_ATTR'] = 'cn'
# The Attribute you want users to authenticate to LDAP with.
app.config['LDAP_USER_LOGIN_ATTR'] = 'mail'
# The Username to bind to LDAP with
app.config['LDAP_BIND_USER_DN'] = None
# The Password to bind to LDAP with
app.config['LDAP_BIND_USER_PASSWORD'] = None
login_manager = LoginManager(app) # Setup a Flask-Login Manager
ldap_manager = LDAP3LoginManager(app) # Setup a LDAP3 Login Manager.
# Create a dictionary to store the users in when they authenticate
# This example stores users in memory.
users = {}
# Declare an Object Model for the user, and make it comply with the
# flask-login UserMixin mixin.
class User(UserMixin):
def __init__(self, dn, username, data):
self.dn = dn
self.username = username
self.data = data
def __repr__(self):
return self.dn
def get_id(self):
return self.dn
# Declare a User Loader for Flask-Login.
# Simply returns the User if it exists in our 'database', otherwise
# returns None.
@login_manager.user_loader
def load_user(id):
if id in users:
return users[id]
return None
# Declare The User Saver for Flask-Ldap3-Login
# This method is called whenever a LDAPLoginForm() successfully validates.
# Here you have to save the user, and return it so it can be used in the
# login controller.
@ldap_manager.save_user
def save_user(dn, username, data, memberships):
user = User(dn, username, data)
users[dn] = user
return user
# Declare some routes for usage to show the authentication process.
@app.route('/')
def home():
# Redirect users who are not logged in.
if not current_user or current_user.is_anonymous:
return redirect(url_for('login'))
# User is logged in, so show them a page with their cn and dn.
template = """
<h1>Welcome: {{ current_user.data.cn }}</h1>
<h2>{{ current_user.dn }}</h2>
"""
return render_template_string(template)
@app.route('/manual_login')
def manual_login():
# Instead of using the form, you can alternatively authenticate
# using the authenticate method.
# This WILL NOT fire the save_user() callback defined above.
# You are responsible for saving your users.
app.ldap3_login_manager.authenticate('username', 'password')
@app.route('/login', methods=['GET', 'POST'])
def login():
template = """
{{ get_flashed_messages() }}
{{ form.errors }}
<form method="POST">
<label>Username{{ form.username() }}</label>
<label>Password{{ form.password() }}</label>
{{ form.submit() }}
{{ form.hidden_tag() }}
</form>
"""
# Instantiate a LDAPLoginForm which has a validator to check if the user
# exists in LDAP.
form = LDAPLoginForm()
if form.validate_on_submit():
# Successfully logged in, We can now access the saved user object
# via form.user.
login_user(form.user) # Tell flask-login to log them in.
return redirect('/') # Send them home
return render_template_string(template, form=form)
if __name__ == '__main__':
app.run()
Basic Scripting Usage (Without a Flask App)¶
This is an example for if you wish to simply use the module, maybe for testing or for use in some other environment.
from flask_ldap3_login import LDAP3LoginManager
config = dict()
# Setup LDAP Configuration Variables. Change these to your own settings.
# All configuration directives can be found in the documentation.
# Hostname of your LDAP Server
config['LDAP_HOST'] = 'ad.mydomain.com'
# Base DN of your directory
config['LDAP_BASE_DN'] = 'dc=mydomain,dc=com'
# Users DN to be prepended to the Base DN
config['LDAP_USER_DN'] = 'ou=users'
# Groups DN to be prepended to the Base DN
config['LDAP_GROUP_DN'] = 'ou=groups'
# The RDN attribute for your user schema on LDAP
config['LDAP_USER_RDN_ATTR'] = 'cn'
# The Attribute you want users to authenticate to LDAP with.
config['LDAP_USER_LOGIN_ATTR'] = 'mail'
# The Username to bind to LDAP with
config['LDAP_BIND_USER_DN'] = None
# The Password to bind to LDAP with
config['LDAP_BIND_USER_PASSWORD'] = None
# Setup a LDAP3 Login Manager.
ldap_manager = LDAP3LoginManager()
# Init the mamager with the config since we aren't using an app
ldap_manager.init_config(config)
# Check if the credentials are correct
response = ldap_manager.authenticate('username', 'password')
print(response.status)
Custom TLS Context¶
This is an example that shows how to initialize a custom TLS context for securing communication between the module and a secure LDAP (LDAPS server.
from flask_ldap3_login import LDAP3LoginManager
from ldap3 import Tls
import ssl
config = dict()
# Setup LDAP Configuration Variables. Change these to your own settings.
# All configuration directives can be found in the documentation.
# Hostname of your LDAP Server
config['LDAP_HOST'] = 'ad.mydomain.com'
# Port number of your LDAP server
config['LDAP_PORT'] = 636
# Base DN of your directory
config['LDAP_BASE_DN'] = 'dc=mydomain,dc=com'
# Users DN to be prepended to the Base DN
config['LDAP_USER_DN'] = 'ou=users'
# Groups DN to be prepended to the Base DN
config['LDAP_GROUP_DN'] = 'ou=groups'
# The RDN attribute for your user schema on LDAP
config['LDAP_USER_RDN_ATTR'] = 'cn'
# The Attribute you want users to authenticate to LDAP with.
config['LDAP_USER_LOGIN_ATTR'] = 'mail'
# The Username to bind to LDAP with
config['LDAP_BIND_USER_DN'] = None
# The Password to bind to LDAP with
config['LDAP_BIND_USER_PASSWORD'] = None
# Specify the server connection should use SSL
config['LDAP_USE_SSL'] = True
# Instruct Flask-LDAP3-Login to not automatically add the server
config['LDAP_ADD_SERVER'] = False
# Setup a LDAP3 Login Manager.
ldap_manager = LDAP3LoginManager()
# Init the mamager with the config since we aren't using an app
ldap_manager.init_config(config)
# Initialize a `Tls` context, and add the server manually. See
# http://ldap3.readthedocs.io/ssltls.html for more information.
tls_ctx = Tls(
validate=ssl.CERT_REQUIRED,
version=ssl.PROTOCOL_TLSv1,
ca_certs_file='/path/to/cacerts',
valid_names=[
'ad.mydomain.com',
]
)
ldap_manager.add_server(
config.get('LDAP_HOST'),
config.get('LDAP_PORT'),
config.get('LDAP_USE_SSL'),
tls_ctx=tls_ctx
)
# Check if the credentials are correct
response = ldap_manager.authenticate('username', 'password')
print(response.status)