Flask-SimpleLDAP

Flask-SimpleLDAP

Flask-SimpleLDAP provides LDAP authentication for Flask and is compatible with and tested on Python 3.8+.

Quickstart

First, install Flask-SimpleLDAP:

pip install flask-simpleldap

Flask-SimpleLDAP depends, and will install for you, a recent version of Flask (2.2.5 or later) and python-ldap. Please consult the python-ldap installation instructions if you get an error during installation.

Next, add an LDAP instance to your code and at least the three required configuration options. The complete sample from examples/basic_auth/app.py looks like this:

from flask import Flask, g
from flask_simpleldap import LDAP

app = Flask(__name__)
# app.config["LDAP_HOST"] = "ldap.example.org"  # defaults to localhost
app.config["LDAP_BASE_DN"] = "OU=users,dc=example,dc=org"
app.config["LDAP_USERNAME"] = "CN=user,OU=Users,DC=example,DC=org"
app.config["LDAP_PASSWORD"] = "password"

ldap = LDAP(app)

@app.route("/")
@ldap.basic_auth_required
def index():
    return f"Welcome, {g.ldap_username}!"

if __name__ == "__main__":
    app.run()

When the user visits the protected URL, the browser will prompt for the login and password via the built-in HTTP authentication window. Note that with the default value of LDAP_USER_OBJECT_FILTER the login is expected to match the userPrincipalName attribute of the LDAP user, e.g. me@mydomain.com.

Once you get the basic example working, check out the more complex ones:

• examples/groups demonstrates using:
  • @ldap.login_required for form/cookie-based auth, instead of basic HTTP authentication.
  • @ldap.group_required() to restrict access to pages based on the user's LDAP groups.
• examples/blueprints implements the same functionality, but uses Flask's application factories and blueprints.

OpenLDAP

Add the LDAP instance to your code and depending on your OpenLDAP configuration, add the following at least LDAP_USER_OBJECT_FILTER and LDAP_USER_OBJECT_FILTER.

from flask import Flask, g
from flask_simpleldap import LDAP

app = Flask(__name__)

# Base
app.config["LDAP_REALM_NAME"] = "OpenLDAP Authentication"
app.config["LDAP_HOST"] = "openldap.example.org"
app.config["LDAP_BASE_DN"] = "dc=users,dc=openldap,dc=org"
app.config["LDAP_USERNAME"] = "cn=user,ou=servauth-users,dc=users,dc=openldap,dc=org"
app.config["LDAP_PASSWORD"] = "password"

# OpenLDAP
app.config["LDAP_OBJECTS_DN"] = "dn"
app.config["LDAP_OPENLDAP"] = True
app.config["LDAP_USER_OBJECT_FILTER"] = "(&(objectclass=inetOrgPerson)(uid=%s))"

# Groups
app.config["LDAP_GROUP_MEMBERS_FIELD"] = "uniquemember"
app.config["LDAP_GROUP_OBJECT_FILTER"] = "(&(objectclass=groupOfUniqueNames)(cn=%s))"
app.config["LDAP_GROUP_MEMBER_FILTER"] = "(&(cn=*)(objectclass=groupOfUniqueNames)(uniquemember=%s))"
app.config["LDAP_GROUP_MEMBER_FILTER_FIELD"] = "cn"

ldap = LDAP(app)

@app.route("/")
@ldap.basic_auth_required
def index():
    return f"Welcome, {g.ldap_username}!"

if __name__ == "__main__":
    app.run()

Configuration

Setting	Description
LDAP_HOST	The host name or IP address of your LDAP server. Default: "localhost".
LDAP_PORT	The port number of your LDAP server. Default: 389.
LDAP_SCHEMA	The LDAP schema to use between "ldap", "ldapi" and "ldaps". Default: "ldap".
LDAP_SOCKET_PATH	If LDAP_SCHEMA is set to "ldapi", the path to the Unix socket path. Default: "/".
LDAP_USERNAME	Required: The username used to bind.
LDAP_PASSWORD	Required: The password used to bind.
LDAP_TIMEOUT	How long (seconds) a connection can take to be opened before timing out. Default: 10.
LDAP_LOGIN_VIEW	Views decorated with .login_required() or.group_required() will redirect unauthenticated requests to this view. Default: "login".
LDAP_REALM_NAME	Views decorated with .basic_auth_required() will use this as the "realm" part of HTTP Basic Authentication when responding to unauthenticated requests.
LDAP_OPENLDAP	Set to True if your server is running OpenLDAP. Default: False.
LDAP_USE_SSL	Set to True if your server uses SSL. Default: False.
LDAP_USE_TLS	Set to True if your server uses TLS. Default: False.
LDAP_REQUIRE_CERT	Set to True if your server requires a certificate. Default: False.
LDAP_CERT_PATH	Path to the certificate if LDAP_REQUIRE_CERT is True.
LDAP_CUSTOM_OPTIONS	dict of ldap options you want to set in this format: {option: value}. Default: None.
LDAP_BASE_DN	Required: The distinguished name to use as the search base.
LDAP_OBJECTS_DN	The field to use as the objects' distinguished name. Default: "distinguishedName".
LDAP_USER_FIELDS	list of fields to return when searching for a user's object details. Default: [] (all).
LDAP_USER_GROUPS_FIELD	The field to return when searching for a user's groups. Default: "memberOf".
LDAP_USER_OBJECT_FILTER	The filter to use when searching for a user object. Default: "(&(objectclass=Person)(userPrincipalName=%s))"
LDAP_USERS_OBJECT_FILTER	The filter to use when searching for users objects. Default: "objectclass=Person"
LDAP_GROUP_FIELDS	list of fields to return when searching for a group's object details. Default: [] (all).
LDAP_GROUP_MEMBER_FILTER	The group member filter to use when using OpenLDAP. Default: "*".
LDAP_GROUP_MEMBER_FILTER_FIELD	The group member filter field to use when using OpenLDAP. Default: "*".
LDAP_GROUP_MEMBERS_FIELD	The field to return when searching for a group's members. Default: "member".
LDAP_GROUP_OBJECT_FILTER	The filter to use when searching for a group object. Default: "(&(objectclass=Group)(userPrincipalName=%s))".
LDAP_GROUPS_OBJECT_FILTER	The filter to use when searching for groups objects. Default: "objectclass=Group".