authentik.providers.ldap.models
LDAP Provider
1"""LDAP Provider""" 2 3from collections.abc import Iterable 4 5from django.db import models 6from django.templatetags.static import static 7from django.utils.translation import gettext_lazy as _ 8from rest_framework.serializers import Serializer 9 10from authentik.core.models import BackchannelProvider 11from authentik.crypto.models import CertificateKeyPair 12from authentik.outposts.models import OutpostModel 13 14 15class APIAccessMode(models.TextChoices): 16 """API Access modes""" 17 18 DIRECT = "direct" 19 CACHED = "cached" 20 21 22class LDAPProvider(OutpostModel, BackchannelProvider): 23 """Allow applications to authenticate against authentik's users using LDAP.""" 24 25 base_dn = models.TextField( 26 default="DC=ldap,DC=goauthentik,DC=io", 27 help_text=_("DN under which objects are accessible."), 28 ) 29 30 tls_server_name = models.TextField( 31 default="", 32 blank=True, 33 ) 34 certificate = models.ForeignKey( 35 CertificateKeyPair, 36 on_delete=models.SET_NULL, 37 null=True, 38 blank=True, 39 ) 40 41 uid_start_number = models.IntegerField( 42 default=2000, 43 help_text=_( 44 "The start for uidNumbers, this number is added to the user.pk to make sure that the " 45 "numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't " 46 "collide with local users uidNumber" 47 ), 48 ) 49 50 gid_start_number = models.IntegerField( 51 default=4000, 52 help_text=_( 53 "The start for gidNumbers, this number is added to a number generated from the " 54 "group.pk to make sure that the numbers aren't too low for POSIX groups. Default " 55 "is 4000 to ensure that we don't collide with local groups or users " 56 "primary groups gidNumber" 57 ), 58 ) 59 60 bind_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices) 61 search_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices) 62 63 mfa_support = models.BooleanField( 64 default=True, 65 verbose_name="MFA Support", 66 help_text=_( 67 "When enabled, code-based multi-factor authentication can be used by appending a " 68 "semicolon and the TOTP code to the password. This should only be enabled if all " 69 "users that will bind to this provider have a TOTP device configured, as otherwise " 70 "a password may incorrectly be rejected if it contains a semicolon." 71 ), 72 ) 73 74 @property 75 def launch_url(self) -> str | None: 76 """LDAP never has a launch URL""" 77 return None 78 79 @property 80 def component(self) -> str: 81 return "ak-provider-ldap-form" 82 83 @property 84 def icon_url(self) -> str | None: 85 return static("authentik/sources/ldap.png") 86 87 @property 88 def serializer(self) -> type[Serializer]: 89 from authentik.providers.ldap.api import LDAPProviderSerializer 90 91 return LDAPProviderSerializer 92 93 def __str__(self): 94 return f"LDAP Provider {self.name}" 95 96 def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]: 97 required = [self, "authentik_core.view_user", "authentik_core.view_group"] 98 if self.certificate is not None: 99 required.append(("authentik_crypto.view_certificatekeypair", self.certificate)) 100 required.append( 101 ("authentik_crypto.view_certificatekeypair_certificate", self.certificate) 102 ) 103 required.append(("authentik_crypto.view_certificatekeypair_key", self.certificate)) 104 return required 105 106 class Meta: 107 verbose_name = _("LDAP Provider") 108 verbose_name_plural = _("LDAP Providers") 109 permissions = [ 110 ("search_full_directory", _("Search full LDAP directory")), 111 ]
class
APIAccessMode(django.db.models.enums.TextChoices):
16class APIAccessMode(models.TextChoices): 17 """API Access modes""" 18 19 DIRECT = "direct" 20 CACHED = "cached"
API Access modes
DIRECT =
APIAccessMode.DIRECT
CACHED =
APIAccessMode.CACHED
class
LDAPProvider(authentik.outposts.models.OutpostModel, authentik.core.models.BackchannelProvider):
23class LDAPProvider(OutpostModel, BackchannelProvider): 24 """Allow applications to authenticate against authentik's users using LDAP.""" 25 26 base_dn = models.TextField( 27 default="DC=ldap,DC=goauthentik,DC=io", 28 help_text=_("DN under which objects are accessible."), 29 ) 30 31 tls_server_name = models.TextField( 32 default="", 33 blank=True, 34 ) 35 certificate = models.ForeignKey( 36 CertificateKeyPair, 37 on_delete=models.SET_NULL, 38 null=True, 39 blank=True, 40 ) 41 42 uid_start_number = models.IntegerField( 43 default=2000, 44 help_text=_( 45 "The start for uidNumbers, this number is added to the user.pk to make sure that the " 46 "numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't " 47 "collide with local users uidNumber" 48 ), 49 ) 50 51 gid_start_number = models.IntegerField( 52 default=4000, 53 help_text=_( 54 "The start for gidNumbers, this number is added to a number generated from the " 55 "group.pk to make sure that the numbers aren't too low for POSIX groups. Default " 56 "is 4000 to ensure that we don't collide with local groups or users " 57 "primary groups gidNumber" 58 ), 59 ) 60 61 bind_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices) 62 search_mode = models.TextField(default=APIAccessMode.DIRECT, choices=APIAccessMode.choices) 63 64 mfa_support = models.BooleanField( 65 default=True, 66 verbose_name="MFA Support", 67 help_text=_( 68 "When enabled, code-based multi-factor authentication can be used by appending a " 69 "semicolon and the TOTP code to the password. This should only be enabled if all " 70 "users that will bind to this provider have a TOTP device configured, as otherwise " 71 "a password may incorrectly be rejected if it contains a semicolon." 72 ), 73 ) 74 75 @property 76 def launch_url(self) -> str | None: 77 """LDAP never has a launch URL""" 78 return None 79 80 @property 81 def component(self) -> str: 82 return "ak-provider-ldap-form" 83 84 @property 85 def icon_url(self) -> str | None: 86 return static("authentik/sources/ldap.png") 87 88 @property 89 def serializer(self) -> type[Serializer]: 90 from authentik.providers.ldap.api import LDAPProviderSerializer 91 92 return LDAPProviderSerializer 93 94 def __str__(self): 95 return f"LDAP Provider {self.name}" 96 97 def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]: 98 required = [self, "authentik_core.view_user", "authentik_core.view_group"] 99 if self.certificate is not None: 100 required.append(("authentik_crypto.view_certificatekeypair", self.certificate)) 101 required.append( 102 ("authentik_crypto.view_certificatekeypair_certificate", self.certificate) 103 ) 104 required.append(("authentik_crypto.view_certificatekeypair_key", self.certificate)) 105 return required 106 107 class Meta: 108 verbose_name = _("LDAP Provider") 109 verbose_name_plural = _("LDAP Providers") 110 permissions = [ 111 ("search_full_directory", _("Search full LDAP directory")), 112 ]
Allow applications to authenticate against authentik's users using LDAP.
def
base_dn(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
def
tls_server_name(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
certificate
Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.
In the example::
class Child(Model):
parent = ForeignKey(Parent, related_name='children')
Child.parent is a ForwardManyToOneDescriptor instance.
def
uid_start_number(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
def
gid_start_number(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
def
bind_mode(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
def
search_mode(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
def
mfa_support(unknown):
A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
launch_url: str | None
75 @property 76 def launch_url(self) -> str | None: 77 """LDAP never has a launch URL""" 78 return None
LDAP never has a launch URL
serializer: type[rest_framework.serializers.Serializer]
88 @property 89 def serializer(self) -> type[Serializer]: 90 from authentik.providers.ldap.api import LDAPProviderSerializer 91 92 return LDAPProviderSerializer
Get serializer for this model
def
get_required_objects( self) -> Iterable[django.db.models.base.Model | str | tuple[str, django.db.models.base.Model]]:
97 def get_required_objects(self) -> Iterable[models.Model | str | tuple[str, models.Model]]: 98 required = [self, "authentik_core.view_user", "authentik_core.view_group"] 99 if self.certificate is not None: 100 required.append(("authentik_crypto.view_certificatekeypair", self.certificate)) 101 required.append( 102 ("authentik_crypto.view_certificatekeypair_certificate", self.certificate) 103 ) 104 required.append(("authentik_crypto.view_certificatekeypair_key", self.certificate)) 105 return required
Return a list of all required objects
def
get_bind_mode_display(unknown):
Method descriptor with partial application of the given arguments and keywords.
Supports wrapping existing descriptors and handles non-descriptor callables as instance methods.
def
get_search_mode_display(unknown):
Method descriptor with partial application of the given arguments and keywords.
Supports wrapping existing descriptors and handles non-descriptor callables as instance methods.
provider_ptr
Accessor to the related object on the forward side of a one-to-one relation.
In the example::
class Restaurant(Model):
place = OneToOneField(Place, related_name='restaurant')
Restaurant.place is a ForwardOneToOneDescriptor instance.
Inherited Members
- authentik.core.models.Provider
- name
- authentication_flow
- invalidation_flow
- property_mappings
- backchannel_application
- is_backchannel
- objects
- authentication_flow_id
- invalidation_flow_id
- backchannel_application_id
- id
- application
- outpost_set
- oauth2provider
- ldapprovider
- racprovider
- radiusprovider
- samlprovider
- scimprovider
- googleworkspaceprovider
- microsoftentraprovider
- ssfprovider
class
LDAPProvider.DoesNotExist(django.core.exceptions.ObjectDoesNotExist):
The requested object does not exist
class
LDAPProvider.MultipleObjectsReturned(django.core.exceptions.MultipleObjectsReturned):
The query returned multiple objects when only one was expected.