User Accounts
Usage example
# There is a basic way to work with it
import ldap
from lib389._constants import DEFAULT_SUFFIX
from lib389.idm.user import UserAccounts

# 'standalone' is a connected lib389.DirSrv instance (in the lib389 test suite it
# comes from the topology_st fixture as topology_st.standalone)
USER_NAME = 'testuser'
USER_PWD = 'password'

users = UserAccounts(standalone, DEFAULT_SUFFIX)
user_properties = {
    'uid': USER_NAME,
    'cn': USER_NAME,
    'sn': USER_NAME,
    'userpassword': USER_PWD,
    'uidNumber': '1000',
    'gidNumber': '2000',
    'homeDirectory': '/home/{}'.format(USER_NAME)
}
testuser = users.create(properties=user_properties)
# After this you can:
# Get the list of them
users.list()
# Get some user:
testuser = users.get(USER_NAME)
# or
testuser = users.list()[0]  # You can loop through 'for user in users.list():'
# Set some attribute on the entry (as the directory manager / the 'standalone' bind)
testuser.set('userPassword', 'password')
# Bind as the user
conn = testuser.bind('password')  # It will create a new connection
# The returned connection is bound as the user, so everything done on it is
# subject to the ACIs that apply to that user, not to the admin bind above
conn.modify_s(testuser.dn, [(ldap.MOD_REPLACE, 'description', [b'edited by the user'])])
conn.unbind_s()
# Delete
testuser.delete()
Module documentation
- class lib389.idm.user.UserAccounts(instance, basedn, rdn='ou=People')
DSLdapObjects that represent all User Account entries in a suffix. By default it uses 'ou=People' as the rdn.
This is the classic "user account" style of cn + sn. You should consider nsUserAccounts instead.
- Parameters
instance (lib389.DirSrv) – An instance
basedn (str) – The suffix that holds the container, e.g. DEFAULT_SUFFIX
rdn (str) – RDN of the container beneath basedn, 'ou=People' by default
- ensure_state(rdn=None, properties=None)
Create an object under the base DN of our entry, or assert that it exists and update its properties.
- get(selector=[], dn=None, json=False)
Get a child entry (DSLdapObject, Replica, etc.) by dn or selector, using the base DN and objectClasses of our object (DSLdapObjects, Replicas, etc.).
Note that * is not a valid selector; use list() instead.
- Parameters
dn (str) – DN of the wanted entry
selector – An additional filter to search for, e.g. 'backend_name'. The attributes searched depend on the object type, e.g. a user will search for uid and cn.
- Returns
A child entry
- lint(spec: Union[str, None, Type[List]] = None) → Generator[Any, None, None]
Lint the objects returned by the list method according to the spec.
- lint_list(spec: Optional[str] = None) → Generator[Tuple[str, Callable], None, None]
Yield the specs that the objects returned by the list method provide.
- list(paged_search=None, paged_critical=True)
Get a list of children entries (DSLdapObject, Replica, etc.) using the base DN and objectClasses of our object (DSLdapObjects, Replicas, etc.)
- Parameters
paged_search – None for no paged search, or an int page size to use.
paged_critical – Whether the paged results control is sent as critical (default True), so a server that does not support it rejects the search instead of silently returning an unpaged result.
- Returns
A list of children entries
- class lib389.idm.user.UserAccount(instance, dn=None)
A single instance of a User Account entry
This is the classic "user account" style of cn + sn. You should consider nsUserAccount instead.
- Parameters
instance (lib389.DirSrv) – An instance
dn (str) – Entry DN
- apply_mods(mods)
Perform a modification operation using several mods at once
- Parameters
mods (list of tuples) – [(action, key, value),] or [(ldap.MOD_DELETE, key),]
- Raises
ValueError – if a provided mod op is invalid
- authenticate_sso_token(token, *args, **kwargs)
Given an entry (with dn), bind using this authentication token.
- Parameters
token (str) – An entry token
- Returns
Connection with a binding as the entry
- bind(password=None, *args, **kwargs)
Open a new connection and bind as the entry. Extra arguments are passed through to openConnection.
- Parameters
password (str) – An entry password
- Returns
Connection with a binding as the entry
- change_password(current_password, new_password)
Using the account's current bind password, perform an LDAP Password Modify extended operation (RFC 3062). This does not require elevated permission to read or write the userPassword attribute, so it is the way most accounts would change their own password. It does not work on all classes of objects, so it may error.
- classmethod compare(obj1, obj2)
Compare whether two RDN objects have the same attributes and values.
This is a loose comparison, not a strict one, i.e. not "this object is this other object". It only checks whether the attributes are the same. The 'nsUniqueId' attribute is intentionally not checked, because we want to compare arbitrary objects, i.e. they may have different 'nsUniqueId' values but the same attributes.
Example:
cn=user1,ou=a cn=user1,ou=b
Comparison of these two objects should report them as the same, even though their 'nsUniqueId' attribute differs.
- Parameters
obj1 (lib389._mapped_object.DSLdapObject) – An entry to check
obj2 (lib389._mapped_object.DSLdapObject) – An entry to check
- Returns
True if the objects have the same attributes, else False
- Raises
ValueError – if obj1 or obj2 does not inherit from DSLdapObject
- delete(recursive=False)
Delete the object defined by self._dn. Objects with the self._protected flag set are protected from deletion.
- display(attrlist=['*'])
Get the entry but represent it as an LDIF string
- Returns
LDIF formatted string
- display_attr(attr)
Get all values of the given attribute, formatted as 'attr: value'
- Returns
Formatted string
- property dn
Get the object DN
- Returns
DN
- enroll_certificate(der_path)
Enroll a certificate for certmap verification. Because this relies on the userCertificate attribute, it has to be done on a UserAccount, which supports that attribute.
- Parameters
der_path (str) – path to the certificate file, in DER format, to include.
- ensure_attr_state(state)
Given a dict of attr-values, ensure the entry is in the same state. This is a stateful assertion, generally used by things like PATCH in a REST API.
The format is:
{
    'attr_1': ['value', 'value'],
    'attr_2': [],
}
If a value is present in the list but not on the entry, it is ADDED. If a value is NOT present in the list but is on the entry, it is REMOVED. If a value is an empty list [], the attr is REMOVED from the entry. If an attr is not named in the dictionary, it is not altered.
This function is atomic: all changes are applied or none are. There are no partial updates.
This function is idempotent: submitting the same request twice causes no action to be taken, as we are ensuring a state, not listing actions to take.
- Parameters
state (dict) – The entry ava state
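The rules above (add what is wanted but missing, remove what is present but unwanted, an empty list drops the attribute, unnamed attributes are untouched, and a second run is a no-op) are modelled below as an added example. It is not lib389's own code: it is a pure-Python planner that works on an in-memory entry so it runs without a directory server, and it emits the same [(action, key, value)] / [(ldap.MOD_DELETE, key)] tuple shape that apply_mods documents. The MOD_ADD and MOD_DELETE constants are assumed to mirror python-ldap's numeric values, and the sample entry and wanted state are constructed here.

```python
# Added example, not lib389 code: a model of the ensure_attr_state semantics.
# Constants are assumed to match python-ldap's ldap.MOD_ADD / ldap.MOD_DELETE.
MOD_ADD = 0
MOD_DELETE = 1


def plan_state_mods(entry, state):
    """Return the mod list that moves `entry` (attr -> list of values) to `state`.

    Rules, as documented for ensure_attr_state:
      * value in state but not on the entry -> ADD that value
      * value on the entry but not in state -> DELETE that value
      * empty list in state -> DELETE the whole attribute
      * attribute not named in state -> left untouched
    Output tuples have the shape apply_mods accepts.
    """
    mods = []
    for attr, wanted in state.items():
        current = list(entry.get(attr, []))
        if wanted == []:
            if current:
                mods.append((MOD_DELETE, attr))  # drop the attribute entirely
            continue
        for value in wanted:
            if value not in current:
                mods.append((MOD_ADD, attr, value))
        for value in current:
            if value not in wanted:
                mods.append((MOD_DELETE, attr, value))
    return mods


def apply_plan(entry, mods):
    """Apply a plan to an in-memory entry, all-or-nothing.

    The work is done on a copy, so an invalid mod raises and leaves the
    caller's entry unchanged, mirroring the 'no partial updates' guarantee.
    """
    new = {k: list(v) for k, v in entry.items()}
    for mod in mods:
        if mod[0] == MOD_ADD:
            new.setdefault(mod[1], []).append(mod[2])
        elif mod[0] == MOD_DELETE and len(mod) == 2:
            new.pop(mod[1], None)
        elif mod[0] == MOD_DELETE:
            new[mod[1]].remove(mod[2])
            if not new[mod[1]]:
                del new[mod[1]]
        else:
            raise ValueError("invalid mod op: %r" % (mod,))
    return new


# Constructed sample entry: a user with two mail values and a description.
SAMPLE_ENTRY = {
    "uid": ["alice"],
    "mail": ["alice@example.test", "old-alias@example.test"],
    "description": ["temporary"],
}
# Constructed wanted state: swap one alias, remove description, leave uid alone.
WANTED_STATE = {
    "mail": ["alice@example.test", "new-alias@example.test"],
    "description": [],
}


def demo():
    """Plan once, apply, plan again: the second plan must be empty (idempotent)."""
    first = plan_state_mods(SAMPLE_ENTRY, WANTED_STATE)
    updated = apply_plan(SAMPLE_ENTRY, first)
    second = plan_state_mods(updated, WANTED_STATE)
    return first, updated, second


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The first plan contains exactly one ADD (the new alias), one per-value DELETE (the old alias) and one whole-attribute DELETE (description); uid is never touched, and re-planning against the updated entry yields nothing, which is the idempotence the docstring promises.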
- ensure_present(attr, value)
Ensure that an attribute value is present on the entry, adding it if it is not.
- ensure_removed(attr, value)
Ensure that an attribute value is absent from the entry, removing it if it is present.
- ensure_state(rdn=None, properties=None, basedn=None)
Ensure an entry exists with the following state, creating it if necessary.
- get_all_attrs(use_json=False)
Get a dictionary of all the attributes of the entry
- Returns
Dict with real attributes and operational attributes, values as bytes
- get_all_attrs_utf8(use_json=False)
Get a dictionary of all the attributes of the entry, with values decoded as UTF-8 strings
- Returns
Dict with real attributes and operational attributes, values as str
- get_attr_val_bytes(key, use_json=False)
Get a single attribute value from the entry as bytes
- Parameters
key (str) – An attribute name
- Returns
A single bytes value
- Raises
ValueError – if the instance is offline
- get_attr_val_int(key, use_json=False)
Get a single attribute value from the entry as an int
- Parameters
key (str) – An attribute name
- Returns
A single int value
- Raises
ValueError – if the instance is offline
- get_attr_val_utf8(key, use_json=False)
Get a single attribute value from the entry as a UTF-8 decoded str
- Parameters
key (str) – An attribute name
- Returns
A single str value
- Raises
ValueError – if the instance is offline
- get_attr_val_utf8_l(key, use_json=False)
Get a single attribute value from the entry as a UTF-8 decoded, lowercased str
- Parameters
key (str) – An attribute name
- Returns
A single lowercased str value
- Raises
ValueError – if the instance is offline
- get_attr_vals_bytes(key, use_json=False)
Get all values of an attribute from the entry as bytes
- Parameters
key (str) – An attribute name
- Returns
A list of bytes values
- Raises
ValueError – if the instance is offline
- get_attr_vals_int(key, use_json=False)
Get all values of an attribute from the entry as ints
- Parameters
key (str) – An attribute name
- Returns
A list of int values
- Raises
ValueError – if the instance is offline
- get_attr_vals_utf8(key, use_json=False)
Get all values of an attribute from the entry as UTF-8 decoded strs
- Parameters
key (str) – An attribute name
- Returns
A list of str values
- Raises
ValueError – if the instance is offline
- get_attr_vals_utf8_l(key, use_json=False)
Get all values of an attribute from the entry as UTF-8 decoded, lowercased strs
- Parameters
key (str) – An attribute name
- Returns
A list of lowercased str values
- Raises
ValueError – if the instance is offline
- get_compare_attrs(use_json=False)
Get a dictionary of the attributes to be compared, i.e. excluding those in self._compare_exclude
- lint(spec: Union[str, None, Type[List]] = None) → Generator[Any, None, None]
Lint the object according to the spec.
- lint_list(spec: Optional[str] = None) → Generator[Tuple[str, Callable], None, None]
Yield the specs the object provides.
This yields from each lint method, yielding all the specs it can provide.
- property rdn
Get the object RDN
- Returns
RDN
- rebind(password)
Rebind on the same connection
- Parameters
password (str) – An entry password
- remove_all(key)
Remove all values defined by key (if possible).
If an attribute is multi-valued AND required, all values except one will be deleted.
- Parameters
key (str) – an attribute name
- rename(new_rdn, newsuperior=None, deloldrdn=True)
Rename the object within the tree.
If you provide a newsuperior, this moves the object in the tree. If you only provide a new_rdn, it stays in the same branch and only the rdn changes. deloldrdn follows standard LDAP modrdn semantics: when True (the default) the old RDN attribute value is removed from the entry.
Note that if you use newsuperior you may move this object outside the scope of the related DSLdapObjects manager, which may cause it not to appear in .get() requests.
- replace_many(*args)
Replace many key, value pairs in a single operation. This is useful for configuration changes that require an atomic operation, and for ease of use.
Example usage: replace_many((key, value), (key, value))
No wrapping list is needed for the arguments.
- Parameters
*args – tuples of key, value to replace.
- request_sso_token()
From an authenticated connection, request a single sign-on token (cookie) for future use.
Note that this function fails if the connection was itself authenticated with a token. This prevents a token from being renewed indefinitely, which would be a security risk.
- Returns
String of the token, for use with authenticate_sso_token
- reset_password(new_password)
Set the password of the account. This requires write permission on the userPassword attribute, so it is likely only possible as an administrator of the directory. Compare change_password, which works with the account's own credentials and needs no such permission.
- Parameters
new_password (str) – The new password value to set
- sasl_bind(*args, **kwargs)
Open a new connection and bind as the entry via SASL. Extra arguments are passed through to clone.
- Returns
Connection with a SASL binding as the entry.