Python ldap.filter() Examples
The following are 25
code examples of ldap.filter().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
ldap
, or try the search function
.
.
Example #1
| Source File: ldapconn.py From zabbix-ldap-sync with BSD 3-Clause "New" or "Revised" License | 6 votes |
|
def get_groups_with_wildcard(self, groups_wildcard):
self.logger.info("Search group with wildcard: %s" % groups_wildcard)
filter = self.group_filter % groups_wildcard
result_groups = []
result = self.conn.search_s(base=self.base,
scope=ldap.SCOPE_SUBTREE,
filterstr=filter, )
for group in result:
# Skip refldap (when Active Directory used)
# [0]==None
if group[0]:
group_name = group[1]['name'][0]
self.logger.info("Find group %s" % group_name)
result_groups.append(group_name)
if not result_groups:
self.logger.info('Unable to find group "%s", skipping group wildcard' % groups_wildcard)
return result_groups
Example #2
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 6 votes |
|
def _escape_filterargs(self, filterargs):
"""
Escapes values in filterargs.
filterargs is a value suitable for Django's string formatting operator
(%), which means it's either a tuple or a dict. This return a new tuple
or dict with all values escaped for use in filter strings.
"""
if isinstance(filterargs, tuple):
filterargs = tuple(
self.ldap.filter.escape_filter_chars(value) for value in filterargs
)
elif isinstance(filterargs, dict):
filterargs = {
key: self.ldap.filter.escape_filter_chars(value)
for key, value in filterargs.items()
}
else:
raise TypeError("filterargs must be a tuple or dict.")
return filterargs
Example #3
| Source File: __init__.py From OctoPrint-LDAP with GNU Affero General Public License v3.0 | 6 votes |
|
def ldap_search(self, ldap_filter, base=None, scope=ldap.SCOPE_SUBTREE):
if not base:
base = self.plugin_settings().get(["search_base"])
try:
client = self.get_ldap_client()
if client is not None:
self._logger.debug("Searching LDAP, base: %s and filter: %s" % (base, ldap_filter))
result = client.search_s(base, scope, ldap_filter)
client.unbind_s()
if result:
dn, data = result[0]
"""
# Dump LDAP search query results to logger
self._logger.debug("dn: %s" % dn)
for key, value in data.iteritems():
self._logger.debug("%s: %s" % (key, value))
"""
return dict(dn=dn, data=data)
except ldap.LDAPError as e:
self._logger.error(json.dumps(e.message))
return None
Example #4
| Source File: search.py From coldfront with GNU General Public License v3.0 | 6 votes |
|
def search_a_user(self, user_search_string=None, search_by='all_fields'):
os.environ["KRB5_CLIENT_KTNAME"] = self.FREEIPA_KTNAME
size_limit = 50
if user_search_string and search_by == 'all_fields':
filter = ldap.filter.filter_format("(&(|(givenName=*%s*)(sn=*%s*)(uid=*%s*)(mail=*%s*))(|(nsaccountlock=FALSE)(!(nsaccountlock=*))))", [user_search_string] * 4)
elif user_search_string and search_by == 'username_only':
filter = ldap.filter.filter_format("(&(uid=%s)(|(nsaccountlock=FALSE)(!(nsaccountlock=*))))", [user_search_string])
size_limit = 1
else:
filter = '(objectclass=person)'
searchParameters = {'search_base': self.FREEIPA_USER_SEARCH_BASE,
'search_filter': filter,
'attributes': ['uid', 'sn', 'givenName', 'mail'],
'size_limit': size_limit}
self.conn.search(**searchParameters)
users = []
for idx, entry in enumerate(self.conn.entries, 1):
user_dict = self.parse_ldap_entry(entry)
users.append(user_dict)
logger.info("LDAP user search for %s found %s results", user_search_string, len(users))
return users
Example #5
| Source File: utils.py From coldfront with GNU General Public License v3.0 | 6 votes |
|
def search_a_user(self, user_search_string=None, search_by='all_fields'):
size_limit = 50
if user_search_string and search_by == 'all_fields':
filter = ldap.filter.filter_format("(|(givenName=*%s*)(sn=*%s*)(uid=*%s*)(mail=*%s*))", [user_search_string] * 4)
elif user_search_string and search_by == 'username_only':
filter = ldap.filter.filter_format("(uid=%s)", [user_search_string])
size_limit = 1
else:
filter = '(objectclass=person)'
searchParameters = {'search_base': self.LDAP_USER_SEARCH_BASE,
'search_filter': filter,
'attributes': ['uid', 'sn', 'givenName', 'mail'],
'size_limit': size_limit}
self.conn.search(**searchParameters)
users = []
for idx, entry in enumerate(self.conn.entries, 1):
user_dict = self.parse_ldap_entry(entry)
users.append(user_dict)
logger.info("LDAP user search for %s found %s results", user_search_string, len(users))
return users
Example #6
| Source File: user.py From PowerDNS-Admin with MIT License | 6 votes |
|
def ad_recursive_groups(self, groupDN):
"""
Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
whether a user is allowed to enter or not
"""
LDAP_BASE_DN = Setting().get('ldap_base_dn')
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars(
groupDN)
result = [groupDN]
try:
groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
for group in groups:
result += [group[0][0]]
if 'memberOf' in group[0][1]:
for member in group[0][1]['memberOf']:
result += self.ad_recursive_groups(
member.decode("utf-8"))
return result
except ldap.LDAPError as e:
current_app.logger.exception("Recursive AD Group search error")
return result
Example #7
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 6 votes |
|
def search_with_additional_terms(self, term_dict, escape=True):
"""
Returns a new search object with additional search terms and-ed to the
filter string. term_dict maps attribute names to assertion values. If
you don't want the values escaped, pass escape=False.
"""
term_strings = [self.filterstr]
for name, value in term_dict.items():
if escape:
value = self.ldap.filter.escape_filter_chars(value)
term_strings.append("({}={})".format(name, value))
filterstr = "(&{})".format("".join(term_strings))
return type(self)(self.base_dn, self.scope, filterstr, attrlist=self.attrlist)
Example #8
| Source File: backendAD.py From ldapcherry with MIT License | 6 votes |
|
def get_groups(self, username):
username = ldap.filter.escape_filter_chars(username)
userdn = self._get_user(self._byte_p2(username), NO_ATTR)
searchfilter = self.group_filter_tmpl % {
'userdn': userdn,
'username': username
}
groups = self._search_group(searchfilter, self.groupdn)
groups = groups + self._search_group(searchfilter, self.builtin)
ret = []
self._logger(
severity=logging.DEBUG,
msg="%(backend)s: groups of '%(user)s' are %(groups)s" % {
'user': username,
'groups': str(groups),
'backend': self.backend_name
}
)
for entry in groups:
ret.append(self._uni(entry[1]['cn'][0]))
return ret
Example #9
| Source File: user.py From PowerDNS-Admin with MIT License | 6 votes |
|
def revoke_privilege(self):
"""
Revoke all privileges from a user
"""
user = User.query.filter(User.username == self.username).first()
if user:
user_id = user.id
try:
DomainUser.query.filter(DomainUser.user_id == user_id).delete()
db.session.commit()
return True
except Exception as e:
db.session.rollback()
current_app.logger.error(
'Cannot revoke user {0} privileges. DETAIL: {1}'.format(
self.username, e))
return False
return False
Example #10
| Source File: user.py From PowerDNS-Admin with MIT License | 5 votes |
|
def create_local_user(self):
"""
Create local user witch stores username / password in the DB
"""
# check if username existed
user = User.query.filter(User.username == self.username).first()
if user:
return {'status': False, 'msg': 'Username is already in use'}
# check if email existed
user = User.query.filter(User.email == self.email).first()
if user:
return {'status': False, 'msg': 'Email address is already in use'}
# first register user will be in Administrator role
self.role_id = Role.query.filter_by(name='User').first().id
if User.query.count() == 0:
self.role_id = Role.query.filter_by(
name='Administrator').first().id
self.password = self.get_hashed_password(
self.plain_text_password) if self.plain_text_password else '*'
if self.password and self.password != '*':
self.password = self.password.decode("utf-8")
db.session.add(self)
db.session.commit()
return {'status': True, 'msg': 'Created user successfully'}
Example #11
| Source File: client_libldap.py From code with MIT License | 5 votes |
|
def search(self, base, filter=None, scope=None, attrs=None):
scope = {
"base": ldap.SCOPE_BASE,
"subtree": ldap.SCOPE_SUBTREE,
"sub": ldap.SCOPE_SUBTREE,
"onelevel": ldap.SCOPE_ONELEVEL,
"one": ldap.SCOPE_ONELEVEL,
"subordinate": ldap.SCOPE_SUBORDINATE,
"child": ldap.SCOPE_SUBORDINATE,
}[scope or "subtree"]
result = self.conn.search_ext_s(base, scope, filter, attrs)
result = [(dn, CaseInsensitiveDict(attrs)) for (dn, attrs) in result]
return result
Example #12
| Source File: client_libldap.py From code with MIT License | 5 votes |
|
def quote_filter(s):
return ldap.filter.escape_filter_chars(s)
Example #13
| Source File: backendLdap.py From ldapcherry with MIT License | 5 votes |
|
def get_groups(self, username):
"""Get all groups of a user"""
username = ldap.filter.escape_filter_chars(self._byte_p2(username))
userdn = self._get_user(username, NO_ATTR)
searchfilter = self.group_filter_tmpl % {
'userdn': userdn,
'username': username
}
groups = self._search(searchfilter, NO_ATTR, self.groupdn)
ret = []
for entry in groups:
ret.append(self._uni(entry[0]))
return ret
Example #14
| Source File: backendLdap.py From ldapcherry with MIT License | 5 votes |
|
def search(self, searchstring):
"""Search users"""
# escape special char to avoid injection
searchstring = ldap.filter.escape_filter_chars(
self._byte_p2(searchstring)
)
# fill the search string template
searchfilter = self.search_filter_tmpl % {
'searchstring': searchstring
}
ret = {}
# search an process the result a little
for u in self._search(searchfilter, DISPLAYED_ATTRS, self.userdn):
attrs = {}
attrs_tmp = u[1]
for attr in attrs_tmp:
value_tmp = attrs_tmp[attr]
if len(value_tmp) == 1:
attrs[attr] = value_tmp[0]
else:
attrs[attr] = value_tmp
if self.key in attrs:
ret[attrs[self.key]] = attrs
return ret
Example #15
| Source File: backendLdap.py From ldapcherry with MIT License | 5 votes |
|
def _get_user(self, username, attrs=ALL_ATTRS):
"""Get a user from the ldap"""
username = ldap.filter.escape_filter_chars(username)
user_filter = self.user_filter_tmpl % {
'username': self._uni(username)
}
r = self._search(self._byte_p2(user_filter), attrs, self.userdn)
if len(r) == 0:
return None
# if NO_ATTR, only return the DN
if attrs == NO_ATTR:
dn_entry = r[0][0]
# in other cases, return everything (dn + attributes)
else:
dn_entry = r[0]
return dn_entry
# python-ldap talks in bytes,
# as the rest of ldapcherry talks in unicode utf-8:
# * everything passed to python-ldap must be converted to bytes
# * everything coming from python-ldap must be converted to unicode
#
# The previous statement was true for python-ldap < version 3.X.
# With versions > 3.0.0 and python 3, it gets tricky,
# some parts of python-ldap takes string, specially the filters/escaper.
#
# so we have now:
# *_byte_p2 (unicode -> bytes conversion for python 2)
# *_byte_p3 (unicode -> bytes conversion for python 3)
# *_byte_p23 (unicode -> bytes conversion for python AND 3)
Example #16
| Source File: user.py From PowerDNS-Admin with MIT License | 5 votes |
|
def set_role(self, role_name):
role = Role.query.filter(Role.name == role_name).first()
if role:
user = User.query.filter(User.username == self.username).first()
user.role_id = role.id
db.session.commit()
return {'status': True, 'msg': 'Set user role successfully'}
else:
return {'status': False, 'msg': 'Role does not exist'}
Example #17
| Source File: user.py From PowerDNS-Admin with MIT License | 5 votes |
|
def update_local_user(self):
"""
Update local user
"""
# Sanity check - account name
if self.username == "":
return {'status': False, 'msg': 'No user name specified'}
# read user and check that it exists
user = User.query.filter(User.username == self.username).first()
if not user:
return {'status': False, 'msg': 'User does not exist'}
# check if new email exists (only if changed)
if user.email != self.email:
checkuser = User.query.filter(User.email == self.email).first()
if checkuser:
return {
'status': False,
'msg': 'New email address is already in use'
}
user.firstname = self.firstname
user.lastname = self.lastname
user.email = self.email
# store new password hash (only if changed)
if self.plain_text_password != "":
user.password = self.get_hashed_password(
self.plain_text_password).decode("utf-8")
db.session.commit()
return {'status': True, 'msg': 'User updated successfully'}
Example #18
| Source File: user.py From PowerDNS-Admin with MIT License | 5 votes |
|
def get_user_info_by_username(self):
user_info = User.query.filter(User.username == self.username).first()
return user_info
Example #19
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 5 votes |
|
def find_groups_with_any_member(self, member_dn_set, group_search, connection):
terms = [
"({}={})".format(self.member_attr, self.ldap.filter.escape_filter_chars(dn))
for dn in member_dn_set
]
filterstr = "(|{})".format("".join(terms))
search = group_search.search_with_additional_term_string(filterstr)
return search.execute(connection)
Example #20
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 5 votes |
|
def _begin(self, connection, filterargs=(), escape=True):
"""
Begins an asynchronous search and returns the message id to retrieve
the results.
filterargs is an object that will be used for expansion of the filter
string. If escape is True, values in filterargs will be escaped.
"""
if escape:
filterargs = self._escape_filterargs(filterargs)
try:
filterstr = self.filterstr % filterargs
msgid = connection.search(
self.base_dn, self.scope, filterstr, self.attrlist
)
except ldap.LDAPError as e:
msgid = None
logger.error(
"search('{}', {}, '{}') raised {}".format(
self.base_dn, self.scope, filterstr, pprint.pformat(e)
)
)
return msgid
Example #21
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 5 votes |
|
def execute(self, connection, filterargs=(), escape=True):
"""
Executes the search on the given connection (an LDAPObject). filterargs
is an object that will be used for expansion of the filter string.
If escape is True, values in filterargs will be escaped.
The python-ldap library returns utf8-encoded strings. For the sake of
sanity, this method will decode all result strings and return them as
Unicode.
"""
if escape:
filterargs = self._escape_filterargs(filterargs)
try:
filterstr = self.filterstr % filterargs
results = connection.search_s(
self.base_dn, self.scope, filterstr, self.attrlist
)
except ldap.LDAPError as e:
results = []
logger.error(
"search_s('{}', {}, '{}') raised {}".format(
self.base_dn, self.scope, filterstr, pprint.pformat(e)
)
)
return self._process_results(results)
Example #22
| Source File: config.py From django-auth-ldap with BSD 2-Clause "Simplified" License | 5 votes |
|
def search_with_additional_term_string(self, filterstr):
"""
Returns a new search object with filterstr and-ed to the original filter
string. The caller is responsible for passing in a properly escaped
string.
"""
filterstr = "(&{}{})".format(self.filterstr, filterstr)
return type(self)(self.base_dn, self.scope, filterstr, attrlist=self.attrlist)
Example #23
| Source File: user.py From PowerDNS-Admin with MIT License | 4 votes |
|
def update_profile(self, enable_otp=None):
"""
Update user profile
"""
user = User.query.filter(User.username == self.username).first()
if not user:
return False
user.firstname = self.firstname if self.firstname else user.firstname
user.lastname = self.lastname if self.lastname else user.lastname
user.password = self.get_hashed_password(
self.plain_text_password).decode(
"utf-8") if self.plain_text_password else user.password
if self.email:
# Can not update to a new email that
# already been used.
existing_email = User.query.filter(
User.email == self.email,
User.username != self.username).first()
if existing_email:
return False
# If need to verify new email,
# update the "confirmed" status.
if user.email != self.email:
user.email = self.email
if Setting().get('verify_user_email'):
user.confirmed = 0
if enable_otp is not None:
user.otp_secret = ""
if enable_otp == True:
# generate the opt secret key
user.otp_secret = base64.b32encode(os.urandom(10)).decode('utf-8')
try:
db.session.add(user)
db.session.commit()
return True
except Exception:
db.session.rollback()
return False
Example #24
| Source File: backendLdap.py From ldapcherry with MIT License | 4 votes |
|
def _search(self, searchfilter, attrs, basedn):
"""Generic search"""
if attrs == NO_ATTR:
attrlist = []
elif attrs == DISPLAYED_ATTRS:
# fix me later (to much attributes)
attrlist = self.attrlist
elif attrs == LISTED_ATTRS:
attrlist = self.attrlist
elif attrs == ALL_ATTRS:
attrlist = None
else:
attrlist = None
self._logger(
severity=logging.DEBUG,
msg="%(backend)s: executing search "
"with filter '%(filter)s' in DN '%(dn)s'" % {
'backend': self.backend_name,
'dn': basedn,
'filter': self._uni(searchfilter)
}
)
# bind and search the ldap
ldap_client = self._bind()
try:
r = ldap_client.search_s(
basedn,
ldap.SCOPE_SUBTREE,
searchfilter,
attrlist=attrlist
)
except Exception as e:
ldap_client.unbind_s()
self._exception_handler(e)
ldap_client.unbind_s()
# python-ldap doesn't know utf-8,
# it treates everything as bytes.
# So it's necessary to reencode
# it's output in utf-8.
ret = []
for entry in r:
uni_dn = self._uni(entry[0])
uni_attrs = {}
for attr in entry[1]:
if type(entry[1][attr]) is list:
tmp = []
for value in entry[1][attr]:
tmp.append(self._uni(value))
else:
tmp = self._uni(entry[1][attr])
uni_attrs[self._uni(attr)] = tmp
ret.append((uni_dn, uni_attrs))
return ret
Example #25
| Source File: user.py From daf-recipes with GNU General Public License v3.0 | 4 votes |
|
def _ldap_search(cnx, filter_str, attributes, non_unique='raise'):
"""Helper function to perform the actual LDAP search
@param cnx: The LDAP connection object
@param filter_str: The LDAP filter string
@param attributes: The LDAP attributes to fetch. This *must* include self.ldap_username
@param non_unique: What to do when there is more than one result. Can be either 'log' (log an error
and return None - used to indicate that this is a configuration problem that needs
to be address by the site admin, not by the current user) or 'raise' (raise an
exception with a message that will be displayed to the current user - such
as 'please use your unique id instead'). Other values will silently ignore the error.
@return: A dictionary defining 'cn', self.ldap_username and any other attributes that were defined
in attributes; or None if no user was found.
"""
try:
res = cnx.search_s(config['ckanext.ldap.base_dn'], ldap.SCOPE_SUBTREE, filterstr=filter_str, attrlist=attributes)
except ldap.SERVER_DOWN:
log.error('LDAP server is not reachable')
return None
except ldap.OPERATIONS_ERROR as e:
log.error('LDAP query failed. Maybe you need auth credentials for performing searches? Error returned by the server: ' + e.info)
return None
except (ldap.NO_SUCH_OBJECT, ldap.REFERRAL) as e:
log.error('LDAP distinguished name (ckanext.ldap.base_dn) is malformed or does not exist.')
return None
except ldap.FILTER_ERROR:
log.error('LDAP filter (ckanext.ldap.search) is malformed')
return None
if len(res) > 1:
if non_unique == 'log':
log.error('LDAP search.filter search returned more than one entry, ignoring. Fix the search to return only 1 or 0 results.')
elif non_unique == 'raise':
raise MultipleMatchError(config['ckanext.ldap.search.alt_msg'])
return None
elif len(res) == 1:
cn = res[0][0]
attr = res[0][1]
ret = {
'cn': cn,
}
# Check required fields
for i in ['username', 'email']:
cname = 'ckanext.ldap.' + i
if config[cname] not in attr or not attr[config[cname]]:
log.error('LDAP search did not return a {}.'.format(i))
return None
# Set return dict
for i in ['username', 'fullname', 'email', 'about']:
cname = 'ckanext.ldap.' + i
if cname in config and config[cname] in attr:
v = attr[config[cname]]
if v:
ret[i] = v[0]
return ret
else:
return None
