atoti_plus.user_service_client.ldap.security module

class atoti_plus.LdapSecurity

Allows mapping roles granted by the authentication provider to the roles to use in the session.

Users who do not have the ROLE_USER session role will not be able to access the session.

Note

This requires LdapConfig to be configured.

Example
>>> import atoti as tt
>>> from atoti_plus import UserServiceClient
>>> session = tt.Session(
...     authentication=tt.LdapConfig(
...         url="ldap://example.com:389",
...         base_dn="dc=example,dc=com",
...         user_search_base="ou=people",
...         group_search_base="ou=roles",
...     )
... )
>>> client = UserServiceClient.from_session(session)
>>> mathematicians_role = client.create_role(
...     "ROLE_MATHS", restrictions={("Restrictions example", "City"): ["Paris"]}
... )

Roles from the authentication provider can be mapped to roles in the session.

>>> client.ldap.role_mapping["MATHEMATICIANS"] = [
...     "ROLE_MATHS",
...     "ROLE_USER",
... ]
>>> sorted(client.ldap.role_mapping["MATHEMATICIANS"])
['ROLE_MATHS', 'ROLE_USER']

Default roles can be given to users who had no individual or mapped roles granted.

>>> client.ldap.default_roles.add("ROLE_USER")
>>> client.ldap.default_roles
{'ROLE_USER'}
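The two settings above interact: mapped roles come from the provider's groups, and `default_roles` is used only for users who ended up with no individual or mapped roles at all. The following is an added example, not atoti's own code, that models that resolution order in plain Python so the effect of each setting can be checked offline; the function names, the `individual_roles` argument and the sample group names are assumptions, and the access check is the `ROLE_USER` requirement stated at the top of this page. It also shows the consequence a practitioner should keep in mind: once `ROLE_USER` is in `default_roles`, every user the LDAP provider authenticates can open the session, whether or not any of their groups is mapped.

```python
"""Model of how provider groups become session roles (added example,
not atoti's implementation). Resolution order follows the docs:
individual roles and mapped roles are granted first; default_roles is
applied only when that leaves the user with no roles at all.
"""
from typing import Dict, Iterable, List, Set

# Session role required to access the session at all.
SESSION_ROLE = "ROLE_USER"


def resolve_session_roles(
    ldap_groups: Iterable[str],
    role_mapping: Dict[str, List[str]],
    default_roles: Set[str],
    individual_roles: Iterable[str] = (),
) -> Set[str]:
    """Return the session roles a user ends up with.

    ldap_groups:      groups/roles the LDAP provider granted to the user
    role_mapping:     provider group -> session roles (client.ldap.role_mapping)
    default_roles:    fallback roles (client.ldap.default_roles)
    individual_roles: roles granted to this user directly in the session
                      (assumed argument, used to show when defaults do NOT apply)
    """
    roles: Set[str] = set(individual_roles)
    for group in ldap_groups:
        # Unmapped groups contribute nothing; they are simply ignored.
        roles.update(role_mapping.get(group, []))
    if not roles:
        # Defaults are a fallback only: a user with any individual or
        # mapped role does not receive them.
        roles = set(default_roles)
    return roles


def can_access_session(roles: Set[str]) -> bool:
    """Access requires the ROLE_USER session role."""
    return SESSION_ROLE in roles


# Constructed sample configuration mirroring the docs above.
ROLE_MAPPING: Dict[str, List[str]] = {"MATHEMATICIANS": ["ROLE_MATHS", "ROLE_USER"]}


def demo() -> Dict[str, bool]:
    """Evaluate a few representative users; returns user -> can access."""
    cases = {
        # Mapped group: gets ROLE_MATHS and ROLE_USER, no defaults needed.
        "alice (MATHEMATICIANS, no defaults)": (["MATHEMATICIANS"], set(), ()),
        # Unmapped group and empty defaults: no roles, no access.
        "bob (INTERNS, no defaults)": (["INTERNS"], set(), ()),
        # Unmapped group but ROLE_USER is a default: access is granted.
        "bob (INTERNS, default ROLE_USER)": (["INTERNS"], {"ROLE_USER"}, ()),
        # Individual role present, so defaults are skipped; still no ROLE_USER.
        "carol (INTERNS, individual ROLE_MATHS)": (["INTERNS"], {"ROLE_USER"}, ("ROLE_MATHS",)),
    }
    return {
        name: can_access_session(resolve_session_roles(groups, ROLE_MAPPING, defaults, indiv))
        for name, (groups, defaults, indiv) in cases.items()
    }


if __name__ == "__main__":
    for user, allowed in demo().items():
        print(f"{user}: {'access' if allowed else 'denied'}")
```

The third and fourth cases are the ones worth reviewing in a real deployment: adding `ROLE_USER` to `default_roles` turns "authenticated by LDAP" into "allowed into the session" for every unmapped user, while a user who already holds some individual role never receives the defaults and so needs `ROLE_USER` granted explicitly or through a mapping.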
property default_roles: DefaultRoles
property role_mapping: RoleMapping