API

Core

class flask_ldap3_login.AuthenticationResponse(status=<AuthenticationResponseStatus.fail: 1>, user_info=None, user_id=None, user_dn=None, user_groups=[])

A response object when authenticating. Lets us pass status codes around and also user data.

Args:
status (AuthenticationResponseStatus): The status of the result.
user_info (dict): User info dictionary obtained from LDAP.
user_id (str): User id used to authenticate to LDAP with.
user_dn (str): User DN found from LDAP.
user_groups (list): A list containing dicts of group info.

class flask_ldap3_login.AuthenticationResponseStatus

An enumeration.

class flask_ldap3_login.LDAP3LoginManager(app=None)

Initialise a LDAP3LoginManager. If app is passed, init_app is called within this call.

Args:
app (flask.Flask): The flask app to initialise with

add_server(hostname, port, use_ssl, tls_ctx=None)

Add an additional server to the server pool and return the freshly created server.

Args:
hostname (str): Hostname of the server
port (int): Port of the server
use_ssl (bool): True if SSL is to be used when connecting.
tls_ctx (ldap3.Tls): An optional TLS context object to use when connecting.
Returns:
ldap3.Server: The freshly created server object.

authenticate(username, password)

An abstracted authentication method. Decides whether to perform a direct bind or a search bind based upon the login attribute configured in the config.

Args:
username (str): Username of the user to bind
password (str): User’s password to bind with.
Returns:
AuthenticationResponse

authenticate_direct_bind(username, password)

Performs a direct bind. We can do this since the RDN is the same as the login attribute. Hence we just string together a dn to find this user with.

Args:
username (str): Username of the user to bind (the field specified as LDAP_BIND_RDN_ATTR)
password (str): User’s password to bind with.
Returns:
AuthenticationResponse

authenticate_direct_credentials(username, password)

Performs a direct bind, however using direct credentials. Can be used if interfacing with an Active Directory domain controller which authenticates using username@domain.com directly.

Performing this kind of lookup limits the information we can get from LDAP: we can only deduce whether or not the bind was successful. Do not use this method if you require more user info.

Args:
username (str): Username for the user to bind with. LDAP_BIND_DIRECT_PREFIX will be prepended and LDAP_BIND_DIRECT_SUFFIX will be appended.
password (str): User’s password to bind with.
Returns:
AuthenticationResponse

authenticate_search_bind(username, password)

Performs a search bind to authenticate a user. This is required when the login attribute is not the same as the RDN: we cannot string together their DN on the fly, so we have to find it in LDAP first and then attempt to bind with their credentials.

Args:
username (str): Username of the user to bind (the field specified as LDAP_BIND_LOGIN_ATTR)
password (str): User’s password to bind with when we find their dn.
Returns:
AuthenticationResponse
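
The difference between authenticate_direct_bind and authenticate_search_bind, as an added stand-alone sketch (not flask_ldap3_login's own code): it shows the string each strategy builds from the username, escaped per RFC 4514 for a DN and RFC 4515 for a search filter. The function names, parameters and sample values are assumptions made for illustration.

```python
# Added illustration, not flask_ldap3_login source code.
# Function names, parameters and sample values are hypothetical/constructed.

def escape_dn_value(value):
    """Hex-escape characters that are special in a DN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=\x00'
        edge = (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\%02x" % ord(ch) if special or edge else ch)
    return "".join(out)


def escape_filter_value(value):
    """Hex-escape characters that are special in a search filter value (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def plan_bind(username, rdn_attr, login_attr, user_dn, base_dn):
    """Return (strategy, search_base, string built from the username).

    direct: RDN attribute == login attribute, so the user's DN is assembled
            locally and used as the bind DN.
    search: the attributes differ, so the DN must first be looked up with a
            filter on the login attribute; the bind uses the DN that is found.
    """
    search_base = ",".join(part for part in (user_dn, base_dn) if part)
    if rdn_attr == login_attr:
        bind_dn = "%s=%s,%s" % (rdn_attr, escape_dn_value(username), search_base)
        return "direct", search_base, bind_dn
    user_filter = "(%s=%s)" % (login_attr, escape_filter_value(username))
    return "search", search_base, user_filter


if __name__ == "__main__":
    # Constructed directory layout and usernames.
    for name, rdn, login in [("alice", "uid", "uid"),
                             ("smith, j", "uid", "uid"),
                             ("alice", "cn", "uid"),
                             ("j*(smith)", "cn", "uid")]:
        print(plan_bind(name, rdn, login, "ou=users", "dc=example,dc=com"))
```
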
compiled_sub_dn(prepend)

Returns:
str: A DN with the DN Base appended to the end.
Args:
prepend (str): The dn to prepend to the base.

connection

Convenience property for externally accessing an authenticated connection to the server. This connection is automatically handled by the appcontext, so you do not have to perform an unbind.

Returns:
ldap3.Connection: A bound ldap3.Connection
Raises:
ldap3.core.exceptions.LDAPException: Raised because this property performs a bind on behalf of the caller. You should handle this case occurring, such as invalid service credentials.

destroy_connection(connection)

Destroys a connection. Removes the connection from the appcontext, and unbinds it.

Args:
connection (ldap3.Connection): The connection to destroy

full_group_search_dn

Returns the base search DN with the group search DN prepended.

Returns:
str: Full group search dn

full_user_search_dn

Returns the base search DN with the user search DN prepended.

Returns:
str: Full user search dn

get_group_info(dn, _connection=None)

Gets info about a group specified at dn.

Args:
dn (str): The dn of the group to find
_connection (ldap3.Connection): A connection object to use when searching. If not given, a temporary connection will be created, and destroyed after use.
Returns:
dict: A dictionary of the group info from LDAP

get_object(dn, filter, attributes, _connection=None)

Gets an object at the specified dn and returns it.

Args:
dn (str): The dn of the object to find.
filter (str): The LDAP syntax search filter.
attributes (list): A list of LDAP attributes to get when searching.
_connection (ldap3.Connection): A connection object to use when searching. If not given, a temporary connection will be created, and destroyed after use.
Returns:
dict: A dictionary of the object info from LDAP

get_user_groups(dn, group_search_dn=None, _connection=None)

Gets a list of groups a user at dn is a member of.

Args:
dn (str): The dn of the user to find memberships for.
_connection (ldap3.Connection): A connection object to use when searching. If not given, a temporary connection will be created, and destroyed after use.
group_search_dn (str): The search dn for groups. Defaults to '{LDAP_GROUP_DN},{LDAP_BASE_DN}'.
Returns:
list: A list of LDAP groups the user is a member of.

get_user_info(dn, _connection=None)

Gets info about a user specified at dn.

Args:
dn (str): The dn of the user to find
_connection (ldap3.Connection): A connection object to use when searching. If not given, a temporary connection will be created, and destroyed after use.
Returns:
dict: A dictionary of the user info from LDAP

get_user_info_for_username(username, _connection=None)

Gets info about a user with a specified username by searching the Users DN. The username attribute is the one specified as LDAP_USER_LOGIN_ATTR.

Args:
username (str): Username of the user to search for.
_connection (ldap3.Connection): A connection object to use when searching. If not given, a temporary connection will be created, and destroyed after use.
Returns:
dict: A dictionary of the user info from LDAP

init_app(app)

Configures this extension with the given app. This registers a teardown_appcontext call, and attaches this LDAP3LoginManager to it as app.ldap3_login_manager.

Args:
app (flask.Flask): The flask app to initialise with

init_config(config)

Configures this extension with a given configuration dictionary. This allows use of this extension without a flask app.

Args:
config (dict): A dictionary with configuration keys

make_connection(bind_user=None, bind_password=None, **kwargs)

Make a connection to the LDAP Directory.

Args:
bind_user (str): User to bind with. If None, AUTH_ANONYMOUS is used, otherwise authentication specified with config['LDAP_BIND_AUTHENTICATION_TYPE'] is used.
bind_password (str): Password to bind to the directory with
**kwargs (dict): Additional arguments to pass to the ldap3.Connection
Returns:
ldap3.Connection: An unbound ldap3.Connection. You should handle exceptions upon bind if you use this internal method.

save_user(callback)

This sets the callback for saving a user that has been looked up from LDAP.

The function you set should take a user dn (unicode), username (unicode), userdata (dict) and memberships (list).

@ldap3_manager.save_user
def save_user(dn, username, userdata, memberships):
    return User(username=username, data=userdata)

Your callback function MUST return the user object in your ORM (or similar), as this is used within the LoginForm and placed at form.user.

Args:
callback (function): The function to be used as the save user callback.

teardown(exception)

Cleanup after a request. Close any open connections.

Forms

class flask_ldap3_login.forms.LDAPLoginForm(formdata=<object object>, **kwargs)

A basic loginform which can be subclassed by your application. Upon validation, the form will check against ldap for a valid username/password combination.

Once validated, the form will have a form.user object that contains a user object.

validate(*args, **kwargs)

Validates the form by calling validate on each field, passing any extra Form.validate_<fieldname> validators to the field validator.

Also calls validate_ldap.

exception flask_ldap3_login.forms.LDAPValidationError(message='', *args, **kwargs)