Documentation

12.5. Python API LDAP Authentication

12.5.1. Introduction

SFTPPlus allows developers to write custom authentication handling code to augment the standard LDAP authentication functionality.

The extension code is executed in the main application thread. It should not block the thread.

12.5.2. API interface

The code for the extension needs to be placed in a Python file (module) inside the extension/ folder of the SFTPPlus installation folder. The Python file should contain a class that implements the set of methods that form the interface of the LDAP authentication extension.

The class can have any name, but it must implement the methods below using the same method names and the exact argument names.

class chevah.server.extension.auth_ldap_noop.AuthLDAPNoop(configuration)

This is an LDAP authentication extension that has no extra functionality.

It serves as documentation for the extension interface.

The extension is implicitly started at initialization.

__init__(configuration)

Called when the associated LDAP authentication starts.

Parameters

configuration -- Text that can be formatted as JSON. JSON is recommended but not required; each extension can parse the text as it wants.

augmentEntry(entry, credentials, ldap_client)

Called after BIND was successful and we got the LDAP entry for the account.

Raises

chevah.server.commons.exception.ServerException on any error condition, with a text containing the error details.

Parameters
  • entry -- The LDAP entry that was just authenticated.

  • credentials -- Used for the authorization to LDAP server.

  • ldap_client -- An LDAP client that is already authenticated and that can be used for further LDAP operations.

  • base_dn -- The base_dn from which the account was authenticated.

Returns

The augmented LDAP entry on success.

getExtraAttributes()

Return the list of extra LDAP attributes to be used during the entry search operation.

stop()

Called when the extension is no longer used.

updateCredentials(credentials)

Called before BIND to allow mutating the credentials that will be used during the BIND operation.

For more details about the usage of this API get in touch with our support team.

12.5.3. Usage

You can find a skeleton example inside the extension/auth_ldap_noop.py file of the default SFTPPlus installation. It can be used as the base for implementing custom functionality.

This extension handler can be configured as:

[authentications/d87d-4a3c-d732]
type = ldap
name = Authenticate from LDAP with Python API extension

extension_entry_point = python:auth_ldap_noop.AuthLDAPNoop
extension_configuration = {
    "key": "value"
    }
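
An extension implementing the interface above, added here as an illustration and not taken from SFTPPlus: it rejects an authenticated account unless a configured attribute carries an allowed value, and it refuses to start on a malformed configuration. The class name, the configuration keys, the dict-like shape of entry and the single-text-argument ServerException constructor are assumptions.

```python
import json

try:
    # Exception class named on this page; importable only inside SFTPPlus.
    from chevah.server.commons.exception import ServerException
except ImportError:
    class ServerException(Exception):
        """Stand-in so the example also runs outside SFTPPlus."""

# Constructed sample value for extension_configuration.
SAMPLE_CONFIGURATION = (
    '{"attribute": "memberOf",'
    ' "allowed_values": ["cn=sftp-users,dc=example,dc=com"]}')

class AuthLDAPRequireAttribute(object):
    """Hypothetical extension: reject entries without an allowed value."""

    def __init__(self, configuration):
        # Fail closed: a bad configuration must not silently disable the check.
        try:
            options = json.loads(configuration)
            allowed = options['allowed_values']
            if not isinstance(allowed, list) or not allowed:
                raise ValueError('allowed_values must be a non-empty list')
            self._attribute = options['attribute']
            self._allowed = set(allowed)
        except (ValueError, KeyError, TypeError) as error:
            raise ServerException(
                'Bad extension_configuration: %s' % (error,))

    def getExtraAttributes(self):
        # Have the entry search also return the attribute checked below.
        return [self._attribute]

    def updateCredentials(self, credentials):
        # Credentials are left unchanged before BIND.
        pass

    def augmentEntry(self, entry, credentials, ldap_client):
        # Assumption: entry is dict-like, attribute name -> list of values.
        # No LDAP or network call here, so the main thread is not blocked.
        values = entry.get(self._attribute) or []
        if not self._allowed.intersection(values):
            raise ServerException(
                'No allowed value for %s' % (self._attribute,))
        return entry

    def stop(self):
        pass
```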