Python LDAP module for listing accounts and authenticating them against LDAP servers.
It wraps python-ldap
and provides an API that is LDAP vendor independent.
- Lists accounts within LDAP
Group
s andOrganizationalUnit
s (OUs). - Supports Microsoft Active Directory, Red Hat Directory Server/389 Directory Server and OpenLDAP.
- Validate account credentials.
Print all users on a group 'MyGroup' on LDAP server for 'example.com':
import ldap_reader
config = {
'server_type': 'AD', # Microsoft Active Directory
'dir_username_source': 'userPrincipalName',
'dir_member_source': 'member',
'dir_fname_source': 'givenName',
'dir_lname_source': 'sn',
}
# Connect to the LDAP server running on host 'myldap.example.com'
ldap_conn = ldap_reader.LdapConnection(
'ldap://myldap.example.com:389/',
'dc=example,dc=com',
'[email protected]',
'password')
# Get Group/OU
my_group = ldap_conn.get_group(config, 'cn=MyGroup,dc=example,dc=com')
# Get the Group/OU users
users = my_group.userlist()
assert users
# Validate credentials for the first user within the group
user = users[0]
assert ldap_conn.can_auth(config, user['email'], 'password')
Here's the specific configuration for each vendor (this pain may be avoided if auto-detection is implemented in the future)
config_ad = {
'server_type': 'AD',
'dir_username_source': 'userPrincipalName',
'dir_member_source': 'member',
'dir_guid_source': 'objectGUID',
'dir_auth_username': 'userPrincipalName', # Needed for 'can_auth'
...
}
config_rhds = {
'server_type': 'RHDS',
'dir_username_source': 'uid',
'dir_member_source': 'uniqueMember',
'dir_guid_source': 'nsuniqueid',
'dir_auth_source': 'dn', # Needed for 'can_auth'
...
}
config_openldap = {
'server_type': 'OpenLDAP',
'dir_username_source': 'uid',
'dir_member_source': 'member',
'dir_guid_source': 'entryUUID',
'dir_auth_source': 'dn', # Needed for 'can_auth'
...
}
- LDAP Vendor type autodetection (this would relieve users from setting a config)
- Make
LdapGroup.userlist()
work for OpenLDAPposixGroups
. - More research is needed for OpenLDAP Enabled/Disabled account detection (see
ldap_reader.vendor._check_enabled_open_ldap()
). - Unit tests for all
ldap_reader
public methods.