USER_BASE configuration parameter

oidc_ldap_bridge/__init__.py

@@ -1,8 +1,6 @@
 import ldap
 import os
 import toml
-from flask import Flask, g, request, render_template
-from flask_babel import Babel
 
 import oidc_ldap_bridge.admin
 import oidc_ldap_bridge.admin.tokens
@@ -12,12 +10,18 @@ import oidc_ldap_bridge.oauth
 import oidc_ldap_bridge.routes
 import oidc_ldap_bridge.tokens
 import oidc_ldap_bridge.well_known
+
 from cryptography.hazmat.primitives import serialization as crypto_serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.backends import default_backend as crypto_default_backend
+
+from flask import Flask, g, request, render_template
+from flask_babel import Babel
+
 from .flaskutils import current_user
 from .ldaputils import LDAPObjectHelper
 from .oauth2utils import config_oauth
+from .models import User
 
 
 def create_app(config=None):
@@ -86,6 +90,11 @@ def setup_dev_keypair(app):
 def setup_app(app):
     app.url_map.strict_slashes = False
 
+    base = app.config["LDAP"]["USER_BASE"]
+    if base.endswith(app.config["LDAP"]["ROOT_DN"]):
+        base = base[: -len(app.config["LDAP"]["ROOT_DN"]) - 1]
+    User.base = base
+
     config_oauth(app)
     app.register_blueprint(oidc_ldap_bridge.routes.bp)
     app.register_blueprint(oidc_ldap_bridge.oauth.bp, url_prefix="/oauth")

oidc_ldap_bridge/conf/config.sample.toml

@@ -21,6 +21,9 @@ ROOT_DN = "dc=mydomain,dc=tld"
 BIND_DN = "cn=admin,dc=mydomain,dc=tld"
 BIND_PW = "admin"
 
+# Where to search for users?
+USER_BASE = "ou=users,dc=mydomain,dc=tld"
+
 # Filter to match users on sign in. Supports a variable
 # {login}. For sigin against either uid or mail use:
 # USER_FILTER = "(|(uid={login})(mail={login}))"

oidc_ldap_bridge/models.py

@@ -13,7 +13,6 @@ from .ldaputils import LDAPObjectHelper
 
 class User(LDAPObjectHelper):
     objectClass = ["person", "simpleSecurityObject", "uidObject"]
-    base = "ou=users"
     id = "cn"
     admin = False
 

tests/conftest.py

@@ -89,6 +89,7 @@ def slapd_server():
         conn.simple_bind_s(slapd.root_dn, slapd.root_pw)
         LDAPObjectHelper.root_dn = slapd.suffix
         Client.initialize(conn)
+        User.base = "ou=users"
         User.initialize(conn)
         Token.initialize(conn)
         AuthorizationCode.initialize(conn)
@@ -123,6 +124,7 @@ def app(slapd_server, keypair_path):
                 "URI": slapd_server.ldap_uri,
                 "BIND_DN": slapd_server.root_dn,
                 "BIND_PW": slapd_server.root_pw,
+                "USER_BASE": "ou=users",
                 "USER_FILTER": "(|(uid={login})(cn={login}))",
                 "ADMIN_FILTER": "uid=admin",
             },