
final class atoti.LdapConfig

The config to delegate authentication to an LDAP provider. The user’s roles can be defined using atoti.security.Security.ldap and individual_roles.

Example

>>> import atoti as tt
>>> config = tt.LdapConfig(
...     url="ldap://example.com:389",
...     base_dn="dc=example,dc=com",
...     user_search_base="ou=people",
...     group_search_base="ou=roles",
...     username_case_conversion="lower",
... )

base_dn : str

The base Distinguished Name of the directory service.

group_role_attribute_name : str = 'cn'

The attribute name that maps a group to a role.

group_search_base : str | None = None

The search base for group membership searches.

group_search_filter : str = '(uniqueMember={0})'

The filter to search for groups. The substituted parameter is the DN of the user.

manager_dn : str | None = None

The Distinguished Name (DN) used to log into the Directory Service and to search for user accounts. If None, the connection to the service will be done anonymously.

manager_password : str | None = None

The password for the manager account specified in the manager_dn attribute.

url : str

The LDAP URL including the protocol and port.

user_search_base : str = ''

Search base for user searches.

user_search_filter : str = '(uid={0})'

The filter to search for users. The substituted parameter is the user’s login name.

username_case_conversion : 'upper' | 'lower' | None = None

The case conversion to apply to the username. This authentication provider is generally case insensitive: the same user Jane could log in with the usernames "jane", "Jane", "JANE", etc. This attribute reduces all the possible cases to a single one so that usernames are compatible with individual_roles and other case-sensitive mappings. For instance, if session.security.individual_roles == {"jane": {"ROLE_USER"}}, username_case_conversion should be set to "lower". Leaving this attribute set to None is deprecated since it is a source of confusion or bugs.
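
The effect of username_case_conversion on a case-sensitive individual_roles lookup, and the {0} substitution in user_search_filter and group_search_filter, modelled in plain Python as an added example (not atoti code). The helper names, the sample mapping and the RFC 4515 escaping step are assumptions made for illustration; the page does not describe how atoti performs the substitution internally.

```python
from typing import Literal, Optional

# Constructed sample mapping, mirroring the individual_roles example in the text.
INDIVIDUAL_ROLES = {"jane": {"ROLE_USER"}}


def convert_username(login: str, conversion: Optional[Literal["upper", "lower"]]) -> str:
    """Model of username_case_conversion: reduce every spelling to one case."""
    if conversion == "lower":
        return login.lower()
    if conversion == "upper":
        return login.upper()
    return login  # None: the login is used exactly as typed


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value."""
    reserved = {"\\", "*", "(", ")", "\x00"}
    return "".join(f"\\{ord(c):02x}" if c in reserved else c for c in value)


def render_filter(template: str, value: str) -> str:
    """Substitute the {0} parameter of a search filter template (assumed behaviour)."""
    return template.replace("{0}", escape_filter_value(value))


def roles_for(login: str, conversion, individual_roles=INDIVIDUAL_ROLES) -> set:
    """Case-sensitive lookup, as a dict keyed by username behaves."""
    return set(individual_roles.get(convert_username(login, conversion), set()))


if __name__ == "__main__":
    # The directory accepts all three spellings; only the converted one hits the mapping.
    for typed in ("jane", "Jane", "JANE"):
        user_filter = render_filter("(uid={0})", convert_username(typed, "lower"))
        print(typed, user_filter, roles_for(typed, "lower"), roles_for(typed, None))
    # The group filter receives the user's DN as its parameter.
    print(render_filter("(uniqueMember={0})", "uid=jane,ou=people,dc=example,dc=com"))
```

With conversion set to None, a user who authenticates as "Jane" gets no individual roles even though the directory treats the login as the same account, which is the mismatch the deprecation is meant to remove.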