},

            {

                "name": "attr_firstname",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "LDAP Attribute to map to first name",

                "formname": "First Name Attribute"

            },

            {

                "name": "attr_lastname",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "LDAP Attribute to map to last name",

                "formname": "Last Name Attribute"

            },

            {

                "name": "attr_email",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "LDAP Attribute to map to email address",

                "formname": "Email Attribute"

            }

        ]

        return settings

    def use_fake_password(self):

        return True

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.extern_activate.auto' in def_user_perms

    def auth(self, userobj, username, password, settings, **kwargs):

        """

        Given a user object (which may be null), username, a plaintext password,

        and a settings object (containing all the keys needed as listed in settings()),

        authenticate this user's login attempt.

        Return None on failure. On success, return a dictionary of the form:

            see: KallitheaAuthPluginBase.auth_func_attrs

        This is later validated for correctness

        """

        if not username or not password:

            log.debug('Empty username or password skipping...')

            return None

        kwargs = {

            'server': settings.get('host', ''),

            'base_dn': settings.get('base_dn', ''),

            'port': settings.get('port'),

            'bind_dn': settings.get('dn_user'),

            'bind_pass': settings.get('dn_pass'),

            'tls_kind': settings.get('tls_kind'),

            'tls_reqcert': settings.get('tls_reqcert'),

            'ldap_filter': settings.get('filter'),

            'search_scope': settings.get('search_scope'),

            'attr_login': settings.get('attr_login'),

            'ldap_version': 3,

        }

        if kwargs['bind_dn'] and not kwargs['bind_pass']:

            log.debug('Using dynamic binding.')

            kwargs['bind_dn'] = kwargs['bind_dn'].replace('$login', username)

            kwargs['bind_pass'] = password

        log.debug('Checking for ldap authentication')

        try:

            aldap = AuthLdap(**kwargs)

            (user_dn, ldap_attrs) = aldap.authenticate_ldap(username, password)

            log.debug('Got ldap DN response %s', user_dn)

            get_ldap_attr = lambda k: ldap_attrs.get(settings.get(k), [''])[0]

            # old attrs fetched from Kallithea database

            admin = getattr(userobj, 'admin', False)

            active = getattr(userobj, 'active', self.user_activation_state())

            email = getattr(userobj, 'email', '')

            firstname = getattr(userobj, 'firstname', '')

            lastname = getattr(userobj, 'lastname', '')

            user_data = {

                'username': username,

                'firstname': safe_unicode(get_ldap_attr('attr_firstname') or firstname),

                'lastname': safe_unicode(get_ldap_attr('attr_lastname') or lastname),

                'groups': [],

                'email': get_ldap_attr('attr_email') or email,

                'admin': admin,

                'active': active,

                "active_from_extern": None,

                'extern_name': user_dn,

            }

            log.info('user %s authenticated correctly', user_data['username'])

            return user_data

    def get_managed_fields(self):

        return ['username', 'firstname', 'lastname', 'email', 'password']