User Accounts

Usage example

# There is a basic way to work with it
import ldap
from lib389._constants import DEFAULT_SUFFIX
from lib389.idm.user import UserAccounts

# 'standalone' is a connected lib389.DirSrv instance (for example the one from
# the topology_st pytest fixture); the name and password below are sample values.
USER_NAME = 'testuser'
USER_PWD = 'password'

users = UserAccounts(standalone, DEFAULT_SUFFIX)
user_properties = {
    'uid': USER_NAME,
    'cn': USER_NAME,
    'sn': USER_NAME,
    'userpassword': USER_PWD,
    'uidNumber': '1000',
    'gidNumber': '2000',
    'homeDirectory': '/home/{}'.format(USER_NAME)
}
testuser = users.create(properties=user_properties)

# After this you can:
# Get the list of them
users.list()

# Get some user:
testuser = users.get('testuser')
# or
testuser = users.list()[0]  # You can loop through 'for user in users:'

# Set some attribute on the entry
testuser.set('userPassword', 'password')

# Bind as the user
conn = testuser.bind('password')  # It will create a new connection
# 'conn' is a python-ldap style connection bound as the user, so it can run
# ordinary operations, e.g. a self-service change of a harmless attribute:
conn.modify_s(testuser.dn, [(ldap.MOD_REPLACE, 'description', b'updated by the user')])
conn.unbind_s()

# Delete
testuser.delete()

Module documentation

class lib389.idm.user.UserAccounts(instance, basedn, rdn='ou=People')

A DSLdapObjects collection that represents all User Account entries in the suffix. By default it uses ‘ou=People’ as the rdn.

This is the classic “user account” style of cn + sn. You should consider nsUserAccounts instead.

Parameters:
  • instance (lib389.DirSrv) – An instance
  • basedn (str) – Suffix DN
  • rdn (str) – The DN that will be combined with basedn

create(rdn=None, properties=None)

Create an object under the base DN of our entry.

Parameters:
  • rdn (str) – RDN of the new entry
  • properties (dict) – Attributes for the new entry
Returns: DSLdapObject of the created entry
create_test_user(uid=1000, gid=2000)

Create a test user with the rdn uid=test_user_UID.

Parameters:
  • uid (int) – User id
  • gid (int) – Group id
Returns: DSLdapObject of the created entry

ensure_state(rdn=None, properties=None)

Create an object under the base DN of our entry, or assert that it exists and update its properties.

Parameters:
  • rdn (str) – RDN of the new entry
  • properties (dict) – Attributes for the new entry
Returns: DSLdapObject of the created entry

get(selector=[], dn=None, json=False)

Get a child entry (DSLdapObject, Replica, etc.) by dn or selector, using the base DN and objectClasses of our object (DSLdapObjects, Replicas, etc.).

Note that * is not a valid selector; use “list()” instead.

Parameters:
  • dn (str) – DN of the wanted entry
  • selector – An additional filter to search for, e.g. ‘backend_name’. The attributes searched depend on the object type; e.g. user will search for uid and cn.
Returns: A child entry

list()

Get a list of child entries (DSLdapObject, Replica, etc.) using the base DN and objectClasses of our object (DSLdapObjects, Replicas, etc.).

Returns: A list of child entries
class lib389.idm.user.UserAccount(instance, dn=None)

A single instance of a User Account entry.

This is the classic “user account” style of cn + sn. You should consider nsUserAccount instead.

Parameters:
  • instance (lib389.DirSrv) – An instance
  • dn (str) – Entry DN

add(key, value)

Add an attribute with a value.

Parameters:
  • key (str) – an attribute name
  • value (str) – an attribute value

apply_mods(mods)

Perform a modification operation using several mods at once.

Parameters: mods (list of tuples) – [(action, key, value),]
Raises: ValueError - if a provided mod op is invalid

bind(password=None, *args, **kwargs)

Open a new connection and bind as the entry. Any extra arguments are passed on to openConnection.

Parameters: password (str) – An entry password
Returns: Connection bound as the entry

bind_gssapi()

Bind this account with GSSAPI credentials (if available).
classmethod compare(obj1, obj2)

Compare whether two RDN objects have the same attributes and values.

This is a loose comparison, not a strict one (i.e. “this object is this other object”): it only checks whether the attributes are the same. The ‘nsUniqueId’ attribute is intentionally not checked, because we want to compare arbitrary objects, i.e. they may have different ‘nsUniqueId’ values but the same attributes.

Example:

cn=user1,ou=a
cn=user1,ou=b

Comparison of these two objects should report them as the same, even though their ‘nsUniqueId’ attribute differs.

Parameters:
  • obj1 (lib389._mapped_object.DSLdapObject) – An entry to check
  • obj2 (lib389._mapped_object.DSLdapObject) – An entry to check
Returns: True if the objects have the same attributes, else False
Raises: ValueError - if obj1 or obj2 don’t inherit DSLdapObject

create(rdn=None, properties=None, basedn=None)

Add a new entry.

Parameters:
  • rdn (str) – RDN of the new entry
  • properties (dict) – Attributes for the new entry
  • basedn – Base DN of the new entry
Returns: DSLdapObject of the created entry

create_keytab()

Create a keytab for this account that is valid to bind with.

delete()

Deletes the object defined by self._dn. This can be changed with the self._protected flag!

display()

Get an entry but represent it as an LDIF string.

Returns: LDIF formatted string

display_attr(attr)

Get all values of the given attribute as ‘attr: value’ lines.

Returns: Formatted string

dn

Get the object DN.

Returns: DN

enroll_certificate(der_path)

Enroll a certificate for certmap verification. Because of the userCertificate attribute, this has to be done on a userAccount, which has support for it.

Parameters: der_path (str) – the certificate file in DER format to include.
ensure_present(attr, value)

Ensure that an attribute and value are present in a state, or add it.

Parameters:
  • key (str) – an attribute name
  • value (str) – an attribute value

ensure_state(rdn=None, properties=None, basedn=None)

Ensure an entry exists with the following state, creating it if necessary.

Parameters:
  • rdn (str) – RDN of the new entry
  • properties (dict) – Attributes for the new entry
  • basedn – Base DN of the new entry
Returns: DSLdapObject of the created entry

exists()

Check if the entry exists.

Returns: True if it exists

get_all_attrs(use_json=False)

Get a dictionary holding all the attributes of the entry.

Returns: Dict with real attributes and operational attributes
get_attr_val_bytes(key, use_json=False)

Get a single attribute value from the entry in bytes type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_val_int(key, use_json=False)

Get a single attribute value from the entry in int type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_val_utf8(key, use_json=False)

Get a single attribute value from the entry in utf8 type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_val_utf8_l(key, use_json=False)

Get a single attribute value from the entry in utf8 type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_vals_bytes(key, use_json=False)

Get attribute values from the entry in bytes type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_vals_int(key, use_json=False)

Get attribute values from the entry in int type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_vals_utf8(key, use_json=False)

Get attribute values from the entry in utf8 type.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline

get_attr_vals_utf8_l(key, use_json=False)

Get attribute values from the entry in utf8 type and lowercase.

Parameters: key (str) – An attribute name
Returns: A single bytes value
Raises: ValueError - if instance is offline
get_compare_attrs(use_json=False)

Get a dictionary holding the attributes to be compared, i.e. excluding self._compare_exclude.

is_locked()

Check if nsAccountLock is set.

Returns: True if the account is locked

lint()

Override this to create a linter for a type. This means that we can detect and report common administrative errors in the server from our CLI and REST tools.

The structure of a result is:

{
  dsle: '<identifier>'. dsle == ds lint error. Will be a code unique to
                      this module for the error, e.g. DSBLE0001.
  severity: '[HIGH:MEDIUM:LOW]'. severity of the error.
  items: '(dn,dn,dn)'. List of affected DNs or names.
  detail: 'msg ...'. An explanation of the error.
  fix: 'msg ...'. Steps to resolve the error.
}

Returns: An array of these dicts, or None if there are no errors.
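The result structure described for lint() above, used in an added example that is not lib389 code: a small linter over user entries (plain dicts shaped like get_all_attrs() output) that flags root-equivalent uidNumber/gidNumber values, userPassword values stored without a hash scheme, and uidNumber collisions. The DSUAE codes, the DNs and the sample entries are all constructed for illustration.

```python
from collections import defaultdict

def _result(dsle, severity, items, detail, fix):
    """Build one lint result dict in the shape documented for lint()."""
    return {'dsle': dsle, 'severity': severity, 'items': tuple(items),
            'detail': detail, 'fix': fix}

def lint_user_entries(entries):
    """Lint a {dn: attrs} mapping; return result dicts, or None if clean."""
    results = []
    dns_by_uidnumber = defaultdict(list)
    for dn, attrs in entries.items():
        uidnum = attrs.get('uidNumber', [None])[0]
        gidnum = attrs.get('gidNumber', [None])[0]
        if uidnum is not None:
            dns_by_uidnumber[uidnum].append(dn)
        # uidNumber/gidNumber 0 is root-equivalent on hosts using this directory.
        if '0' in (uidnum, gidnum):
            results.append(_result('DSUAE0001', 'HIGH', [dn],  # constructed code
                                   'uidNumber or gidNumber is 0 (root-equivalent).',
                                   'Assign a non-zero uidNumber and gidNumber.'))
        # A hashed userPassword carries a '{scheme}' prefix; a bare value is cleartext.
        if any(not pw.startswith('{') for pw in attrs.get('userPassword', [])):
            results.append(_result('DSUAE0002', 'MEDIUM', [dn],
                                   'userPassword is stored without a hash scheme.',
                                   'Configure a hashing passwordStorageScheme and reset it.'))
    # Two users sharing a uidNumber are indistinguishable to POSIX clients.
    for uidnum, dns in dns_by_uidnumber.items():
        if len(dns) > 1:
            results.append(_result('DSUAE0003', 'HIGH', dns,
                                   'uidNumber %s is shared by several users.' % uidnum,
                                   'Give each user a unique uidNumber.'))
    return results or None

# Constructed sample entries (attribute -> list of str, like get_all_attrs()): a clean
# user, a cleartext-password user colliding on uidNumber with it, and a root-equivalent one.
SAMPLE_ENTRIES = {
    'uid=alice,ou=People,dc=example,dc=com': {
        'uidNumber': ['1000'], 'gidNumber': ['2000'], 'userPassword': ['{PBKDF2_SHA256}...']},
    'uid=bob,ou=People,dc=example,dc=com': {
        'uidNumber': ['1000'], 'gidNumber': ['2000'], 'userPassword': ['secret123']},
    'uid=sysadm,ou=People,dc=example,dc=com': {
        'uidNumber': ['0'], 'gidNumber': ['0'], 'userPassword': ['{SSHA512}...']},
}

if __name__ == '__main__':
    for r in lint_user_entries(SAMPLE_ENTRIES) or []:
        print(r['dsle'], r['severity'], ', '.join(r['items']), r['detail'])
```

Against a live instance the same function can be fed `{u.dn: u.get_all_attrs() for u in users.list()}` and its output wired into a lint() override.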
lock()

Set nsAccountLock to ‘true’.

present(attr, value=None)

Assert that some attr, or some attr / value pair, exists on the entry.

Parameters:
  • attr (str) – an attribute name
  • value (str) – an attribute value
Returns: True if attr is present

raw_entry()

Get an Entry object.

Returns: Entry object

rdn

Get the object RDN.

Returns: RDN
remove(key, value)

Remove a value defined by key.

Parameters:
  • key (str) – an attribute name
  • value (str) – an attribute value

remove_all(key)

Remove all values defined by key (if possible).

If an attribute is multi-valued AND required, all values except one will be deleted.

Parameters: key (str) – an attribute name

rename(new_rdn, newsuperior=None)

Renames the object within the tree.

If you provide a newsuperior, this will move the object in the tree. If you only provide a new_rdn, it stays in the same branch and just changes the rdn.

Note: if you use newsuperior, you may move this object outside the scope of the related DSLdapObjects manager, which may cause it not to appear in .get() requests.

Parameters:
  • new_rdn (str) – RDN of the new entry
  • newsuperior (str) – New parent DN

replace(key, value)

Replace an attribute with a value.

Parameters:
  • key (str) – an attribute name
  • value (str) – an attribute value

replace_many(*args)

Replace many key, value pairs in a single operation. This is useful for configuration changes that require an atomic operation, and for ease of use.

An example of usage is replace_many((key, value), (key, value))

No wrapping list is needed for the arguments.

Parameters: *args – tuples of key, value to replace.
sasl_bind(*args, **kwargs)

Open a new connection and bind as the entry via SASL. Any extra arguments are passed on to clone.

Returns: Connection with a SASL binding to the entry.

set(key, value, action=2)

Perform the specified action on a key with value.

Parameters:
  • key (str) – an attribute name
  • value (str) – an attribute value
  • action (int) –
    • ldap.MOD_REPLACE - by default
    • ldap.MOD_ADD
    • ldap.MOD_DELETE
Returns: result of the modify_s operation
Raises: ValueError - if the instance is not online

unlock()

Unset nsAccountLock.