# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

Authentication modules

"""

import logging

import traceback

from kallithea import EXTERN_TYPE_INTERNAL

from kallithea.lib.compat import importlib

from kallithea.lib.utils2 import str2bool

from kallithea.lib.compat import formatted_json, hybrid_property

from kallithea.lib.auth import PasswordGenerator

from kallithea.model.user import UserModel

from kallithea.model.db import Setting, User

from kallithea.model.meta import Session

from kallithea.model.user_group import UserGroupModel

log = logging.getLogger(__name__)

class LazyFormencode(object):

    def __init__(self, formencode_obj, *args, **kwargs):

        self.formencode_obj = formencode_obj

        self.args = args

        self.kwargs = kwargs

    def __call__(self, *args, **kwargs):

        from inspect import isfunction

        formencode_obj = self.formencode_obj

        if isfunction(formencode_obj):

            #case we wrap validators into functions

            formencode_obj = self.formencode_obj(*args, **kwargs)

        return formencode_obj(*self.args, **self.kwargs)

class KallitheaAuthPluginBase(object):

    auth_func_attrs = {

        "username": "unique username",

        "firstname": "first name",

        "lastname": "last name",

        "email": "email address",

        "groups": '["list", "of", "groups"]',

        "extern_name": "name in external source of record",

        "admin": 'True|False defines if user should be Kallithea admin',

        "active": 'True|False defines active state of user in Kallithea',

        "active_from_extern": "True|False|None, active state from the external auth, "

                              "None means use value from the auth plugin"

    }

    @property

    def validators(self):

        """

        Exposes Kallithea validators modules

        """

        # this is a hack to overcome issues with pylons threadlocals and

        # translator object _() not being registered properly.

        class LazyCaller(object):

            def __init__(self, name):

                self.validator_name = name

            def __call__(self, *args, **kwargs):

                from kallithea.model import validators as v

                obj = getattr(v, self.validator_name)

                #log.debug('Initializing lazy formencode object: %s' % obj)

                return LazyFormencode(obj, *args, **kwargs)

        class ProxyGet(object):

            def __getattribute__(self, name):

                return LazyCaller(name)

        return ProxyGet()

    @hybrid_property

    def name(self):

        """

        Returns the name of this authentication plugin.

        :returns: string

        """

        raise NotImplementedError("Not implemented in base class")

    @hybrid_property

    def is_container_auth(self):

        """

        Returns bool if this module uses container auth.

        This property will trigger an automatic call to authenticate on

        a visit to the website or during a push/pull.

        :returns: bool

        """

        return False

    def accepts(self, user, accepts_empty=True):

        """

        Checks if this authentication module should accept a request for

        the current user.

        :param user: user object fetched using plugin's get_user() method.

        :param accepts_empty: if True accepts don't allow the user to be empty

        :returns: boolean

        """

        plugin_name = self.name

        if not user and not accepts_empty:

            log.debug('User is empty not allowed to authenticate')

            return False

        if user and user.extern_type and user.extern_type != plugin_name:

            log.debug('User %s should authenticate using %s this is %s, skipping'

                      % (user, user.extern_type, plugin_name))

            return False

        return True

    def get_user(self, username=None, **kwargs):

        """

        Helper method for user fetching in plugins, by default it's using

        simple fetch by username, but this method can be customized in plugins

        eg. container auth plugin to fetch user by environ params

        :param username: username if given to fetch from database

        :param kwargs: extra arguments needed for user fetching.

        """

        user = None

        log.debug('Trying to fetch user `%s` from Kallithea database'

                  % (username))

        if username:

            user = User.get_by_username(username)

            if not user:

                log.debug('Fallback to fetch user in case insensitive mode')

                user = User.get_by_username(username, case_insensitive=True)

        else:

            log.debug('provided username:`%s` is empty skipping...' % username)

        return user

    def settings(self):

        """

        Return a list of the form:

        [

            {

                "name": "OPTION_NAME",

                "type": "[bool|password|string|int|select]",

                ["values": ["opt1", "opt2", ...]]

                "validator": "expr"

                "description": "A short description of the option" [,

                "default": Default Value],

                ["formname": "Friendly Name for Forms"]

            } [, ...]

        ]

        This is used to interrogate the authentication plugin as to what

        settings it expects to be present and configured.

        'type' is a shorthand notation for what kind of value this option is.

        This is primarily used by the auth web form to control how the option

        is configured.

                bool : checkbox

                password : password input box

                string : input box

                select : single select dropdown

        'validator' is an lazy instantiated form field validator object, ala

        formencode. You need to *call* this object to init the validators.

        All calls to Kallithea validators should be used through self.validators

        which is a lazy loading proxy of formencode module.

        """

        raise NotImplementedError("Not implemented in base class")

    def plugin_settings(self):

        """

        This method is called by the authentication framework, not the .settings()

        method. This method adds a few default settings (e.g., "enabled"), so that

        plugin authors don't have to maintain a bunch of boilerplate.

        OVERRIDING THIS METHOD WILL CAUSE YOUR PLUGIN TO FAIL.

        """

        rcsettings = self.settings()

        rcsettings.insert(0, {

            "name": "enabled",

            "validator": self.validators.StringBoolean(if_missing=False),

            "type": "bool",

            "description": "Enable or Disable this Authentication Plugin",

            "formname": "Enabled"

            }

        )

        return rcsettings

    def user_activation_state(self):

        """

        Defines user activation state when creating new users

        :returns: boolean

        """

        raise NotImplementedError("Not implemented in base class")

    def auth(self, userobj, username, passwd, settings, **kwargs):

        """

        Given a user object (which may be None), username, a plaintext password,

        and a settings object (containing all the keys needed as listed in settings()),

        authenticate this user's login attempt.

        Return None on failure. On success, return a dictionary with keys from

        KallitheaAuthPluginBase.auth_func_attrs.

        This is later validated for correctness.

        """

        raise NotImplementedError("not implemented in base class")

    def _authenticate(self, userobj, username, passwd, settings, **kwargs):

        """

        Wrapper to call self.auth() that validates call on it

        :param userobj: userobj

        :param username: username

        :param passwd: plaintext password

        :param settings: plugin settings

        """

        user_data = self.auth(userobj, username, passwd, settings, **kwargs)

        if user_data is not None:

            return self._validate_auth_return(user_data)

        return None

    def _validate_auth_return(self, user_data):

        if not isinstance(user_data, dict):

            raise Exception('returned value from auth must be a dict')

        for k in self.auth_func_attrs:

            if k not in user_data:

                raise Exception('Missing %s attribute from returned data' % k)

        return user_data

class KallitheaExternalAuthPlugin(KallitheaAuthPluginBase):

    def use_fake_password(self):

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.auth_modules.auth_container

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kallithea container based authentication plugin

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Created on Nov 17, 2012

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

from kallithea.lib import auth_modules

from kallithea.lib.utils2 import str2bool, safe_unicode

from kallithea.lib.compat import hybrid_property

from kallithea.model.db import User

log = logging.getLogger(__name__)

class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):

    def __init__(self):

        pass

    @hybrid_property

    def name(self):

        return "container"

    @hybrid_property

    def is_container_auth(self):

        return True

    def settings(self):

        settings = [

            {

                "name": "header",

                "validator": self.validators.UnicodeString(strip=True, not_empty=True),

                "type": "string",

                "description": "Header to extract the user from",

                "default": "REMOTE_USER",

                "formname": "Header"

            },

            {

                "name": "fallback_header",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Header to extract the user from when main one fails",

                "default": "HTTP_X_FORWARDED_USER",

                "formname": "Fallback header"

            },

            {

                "name": "clean_username",

                "validator": self.validators.StringBoolean(if_missing=False),

                "type": "bool",

                "description": "Perform cleaning of user, if passed user has @ in username "

                               "then first part before @ is taken. "

                               "If there's \\ in the username only the part after \\ is taken",

                "default": "True",

                "formname": "Clean username"

            },

        ]

        return settings

    def use_fake_password(self):

        return True

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.extern_activate.auto' in def_user_perms

    def _clean_username(self, username):

        # Removing realm and domain from username

        username = username.partition('@')[0]

        username = username.rpartition('\\')[2]

        return username

    def _get_username(self, environ, settings):

        username = None

        environ = environ or {}

        if not environ:

            log.debug('got empty environ: %s' % environ)

        settings = settings or {}

        if settings.get('header'):

            header = settings.get('header')

            username = environ.get(header)

            log.debug('extracted %s:%s' % (header, username))

        # fallback mode

        if not username and settings.get('fallback_header'):

            header = settings.get('fallback_header')

            username = environ.get(header)

            log.debug('extracted %s:%s' % (header, username))

        if username and str2bool(settings.get('clean_username')):

            log.debug('Received username %s from container' % username)

            username = self._clean_username(username)

            log.debug('New cleanup user is: %s' % username)

        return username

    def get_user(self, username=None, **kwargs):

        """

        Helper method for user fetching in plugins, by default it's using

        simple fetch by username, but this method can be customized in plugins

        eg. container auth plugin to fetch user by environ params

        :param username: username if given to fetch

        :param kwargs: extra arguments needed for user fetching.

        """

        environ = kwargs.get('environ') or {}

        settings = kwargs.get('settings') or {}

        username = self._get_username(environ, settings)

        # we got the username, so use default method now

        return super(KallitheaAuthPlugin, self).get_user(username)

    def auth(self, userobj, username, password, settings, **kwargs):

        """

        Gets the container_auth username (or email). It tries to get username

        from REMOTE_USER if this plugin is enabled, if that fails

        it tries to get username from HTTP_X_FORWARDED_USER if fallback header

        is set. clean_username extracts the username from this data if it's

        having @ in it.

        Return None on failure. On success, return a dictionary of the form:

            see: KallitheaAuthPluginBase.auth_func_attrs

        :param userobj:

        :param username:

        :param password:

        :param settings:

        :param kwargs:

        """

        environ = kwargs.get('environ')

        if not environ:

            log.debug('Empty environ data skipping...')

            return None

        if not userobj:

            userobj = self.get_user('', environ=environ, settings=settings)

        # we don't care passed username/password for container auth plugins.

        # only way to log in is using environ

        username = None

        if userobj:

            username = getattr(userobj, 'username')

        if not username:

            # we don't have any objects in DB, user doesn't exist, extract

            # username from environ based on the settings

            username = self._get_username(environ, settings)

        # if cannot fetch username, it's a no-go for this plugin to proceed

        if not username:

            return None

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '')

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        user_data = {

            'username': username,

            'firstname': safe_unicode(firstname or username),

            'lastname': safe_unicode(lastname or ''),

            'groups': [],

            'email': email or '',

            'admin': admin or False,

            'active': active,

            'active_from_extern': True,

            'extern_name': username,

        }

        log.info('user `%s` authenticated correctly' % user_data['username'])

        return user_data

import urllib2

from kallithea.lib import auth_modules

from kallithea.lib.compat import json, formatted_json, hybrid_property

from kallithea.model.db import User

log = logging.getLogger(__name__)

class CrowdServer(object):

    def __init__(self, *args, **kwargs):

        """

        Create a new CrowdServer object that points to IP/Address 'host',

        on the given port, and using the given method (https/http). user and

        passwd can be set here or with set_credentials. If unspecified,

        "version" defaults to "latest".

        example::

            cserver = CrowdServer(host="127.0.0.1",

                                  port="8095",

                                  user="some_app",

                                  passwd="some_passwd",

                                  version="1")

        """

        if not "port" in kwargs:

            kwargs["port"] = "8095"

        self._logger = kwargs.get("logger", logging.getLogger(__name__))

        self._uri = "%s://%s:%s/crowd" % (kwargs.get("method", "http"),

                                    kwargs.get("host", "127.0.0.1"),

                                    kwargs.get("port", "8095"))

        self.set_credentials(kwargs.get("user", ""),

                             kwargs.get("passwd", ""))

        self._version = kwargs.get("version", "latest")

        self._url_list = None

        self._appname = "crowd"

    def set_credentials(self, user, passwd):

        self.user = user

        self.passwd = passwd

        self._make_opener()

    def _make_opener(self):

        mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()

        mgr.add_password(None, self._uri, self.user, self.passwd)

        handler = urllib2.HTTPBasicAuthHandler(mgr)

        self.opener = urllib2.build_opener(handler)

    def _request(self, url, body=None, headers=None,

                 method=None, noformat=False,

                 empty_response_ok=False):

        _headers = {"Content-type": "application/json",

                    "Accept": "application/json"}

        if self.user and self.passwd:

            authstring = base64.b64encode("%s:%s" % (self.user, self.passwd))

            _headers["Authorization"] = "Basic %s" % authstring

        if headers:

            _headers.update(headers)

        log.debug("Sent crowd: \n%s"

                  % (formatted_json({"url": url, "body": body,

                                           "headers": _headers})))

        request = urllib2.Request(url, body, _headers)

        if method:

            request.get_method = lambda: method

        global msg

        msg = ""

        try:

            rdoc = self.opener.open(request)

            msg = "".join(rdoc.readlines())

            if not msg and empty_response_ok:

                rval = {}

                rval["status"] = True

                rval["error"] = "Response body was empty"

            elif not noformat:

                rval = json.loads(msg)

                rval["status"] = True

            else:

                rval = "".join(rdoc.readlines())

        except Exception, e:

            if not noformat:

                rval = {"status": False,

                        "body": body,

                        "error": str(e) + "\n" + msg}

            else:

                rval = None

        return rval

    def user_auth(self, username, password):

        """Authenticate a user against crowd. Returns brief information about

        the user."""

        url = ("%s/rest/usermanagement/%s/authentication?username=%s"

               % (self._uri, self._version, username))

        body = json.dumps({"value": password})

        return self._request(url, body)

    def user_groups(self, username):

        """Retrieve a list of groups to which this user belongs."""

        url = ("%s/rest/usermanagement/%s/user/group/nested?username=%s"

               % (self._uri, self._version, username))

        return self._request(url)

class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):

    @hybrid_property

    def name(self):

        return "crowd"

    def settings(self):

        settings = [

            {

                "name": "host",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "The FQDN or IP of the Atlassian CROWD Server",

                "default": "127.0.0.1",

                "formname": "Host"

            },

            {

                "name": "port",

                "validator": self.validators.Number(strip=True),

                "type": "int",

                "description": "The Port in use by the Atlassian CROWD Server",

                "default": 8095,

                "formname": "Port"

            },

            {

                "name": "app_name",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "The Application Name to authenticate to CROWD",

                "default": "",

                "formname": "Application Name"

            },

            {

                "name": "app_password",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "The password to authenticate to CROWD",

                "default": "",

                "formname": "Application Password"

            },

            {

                "name": "admin_groups",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "A comma separated list of group names that identify users as Kallithea Administrators",

                "formname": "Admin Groups"

            }

        ]

        return settings

    def use_fake_password(self):

        return True

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.extern_activate.auto' in def_user_perms

    def auth(self, userobj, username, password, settings, **kwargs):

        """

        Given a user object (which may be null), username, a plaintext password,

        and a settings object (containing all the keys needed as listed in settings()),

        authenticate this user's login attempt.

        Return None on failure. On success, return a dictionary of the form:

            see: KallitheaAuthPluginBase.auth_func_attrs

        This is later validated for correctness

        """

        if not username or not password:

            log.debug('Empty username or password skipping...')

            return None

        log.debug("Crowd settings: \n%s" % (formatted_json(settings)))

        server = CrowdServer(**settings)

        server.set_credentials(settings["app_name"], settings["app_password"])

        crowd_user = server.user_auth(username, password)

        log.debug("Crowd returned: \n%s" % (formatted_json(crowd_user)))

        if not crowd_user["status"]:

            return None

        res = server.user_groups(crowd_user["name"])

        log.debug("Crowd groups: \n%s" % (formatted_json(res)))

        crowd_user["groups"] = [x["name"] for x in res["groups"]]

        # old attrs fetched from Kallithea database

        admin = getattr(userobj, 'admin', False)

        active = getattr(userobj, 'active', True)

        email = getattr(userobj, 'email', '')

        firstname = getattr(userobj, 'firstname', '')

        lastname = getattr(userobj, 'lastname', '')

        user_data = {

            'username': username,

            'firstname': crowd_user["first-name"] or firstname,

            'lastname': crowd_user["last-name"] or lastname,

            'groups': crowd_user["groups"],

            'email': crowd_user["email"] or email,

            'admin': admin,

            'active': active,

            'active_from_extern': crowd_user.get('active'),

            'extern_name': crowd_user["name"],

        }

        # set an admin if we're in admin_groups of crowd

        for group in settings["admin_groups"].split(","):

            if group in user_data["groups"]:

                user_data["admin"] = True

        log.debug("Final crowd user object: \n%s" % (formatted_json(user_data)))

        log.info('user %s authenticated correctly' % user_data['username'])

        return user_data

# -*- coding: utf-8 -*-

# This program is free software: you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

#

# You should have received a copy of the GNU General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""

kallithea.lib.auth_modules.auth_internal

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Kallithea authentication plugin for built in internal auth

This file was forked by the Kallithea project in July 2014.

Original author and date, and relevant copyright and licensing information is below:

:created_on: Created on Nov 17, 2012

:author: marcink

:copyright: (c) 2013 RhodeCode GmbH, and others.

:license: GPLv3, see LICENSE.md for more details.

"""

import logging

from kallithea import EXTERN_TYPE_INTERNAL

from kallithea.lib import auth_modules

from kallithea.lib.compat import formatted_json, hybrid_property

from kallithea.model.db import User

log = logging.getLogger(__name__)

class KallitheaAuthPlugin(auth_modules.KallitheaAuthPluginBase):

    def __init__(self):

        pass

    @hybrid_property

    def name(self):

        return EXTERN_TYPE_INTERNAL

    def settings(self):

        return []

    def user_activation_state(self):

        def_user_perms = User.get_default_user().AuthUser.permissions['global']

        return 'hg.register.auto_activate' in def_user_perms

    def accepts(self, user, accepts_empty=True):

        """

        Custom accepts for this auth that doesn't accept empty users. We

        know that user exists in database.

        """

        return super(KallitheaAuthPlugin, self).accepts(user,

                                                        accepts_empty=False)

    def auth(self, userobj, username, password, settings, **kwargs):

        if not userobj:

            log.debug('userobj was:%s skipping' % (userobj, ))

            return None

        if userobj.extern_type != self.name:

            log.warning("userobj:%s extern_type mismatch got:`%s` expected:`%s`"

                     % (userobj, userobj.extern_type, self.name))

            return None

        user_data = {

            "username": userobj.username,

            "firstname": userobj.firstname,

            "lastname": userobj.lastname,

            "groups": [],

            "email": userobj.email,

            "admin": userobj.admin,

            "active": userobj.active,

            "active_from_extern": userobj.active,

            "extern_name": userobj.user_id,

        }

        log.debug(formatted_json(user_data))

        if userobj.active:

            from kallithea.lib import auth

            password_match = auth.KallitheaCrypto.hash_check(password, userobj.password)

            if userobj.username == User.DEFAULT_USER and userobj.active:

                log.info('user %s authenticated correctly as anonymous user' %

                         username)

                return user_data

            elif userobj.username == username and password_match:

                log.info('user %s authenticated correctly' % user_data['username'])

                return user_data

            log.error("user %s had a bad password" % username)

            return None

        else:

            log.warning('user %s tried auth but is disabled' % username)

            return None

                    log.debug('Trying simple bind with %s' % dn)

                    server.simple_bind_s(dn, safe_str(password))

                    attrs = server.search_ext_s(dn, ldap.SCOPE_BASE,

                                                '(objectClass=*)')[0][1]

                    break

                except ldap.INVALID_CREDENTIALS:

                    log.debug("LDAP rejected password for user '%s' (%s): %s"

                              % (uid, username, dn))

            else:

                log.debug("No matching LDAP objects for authentication "

                          "of '%s' (%s)", uid, username)

                raise LdapPasswordError()

        except ldap.NO_SUCH_OBJECT:

            log.debug("LDAP says no such user '%s' (%s)" % (uid, username))

            raise LdapUsernameError()

        except ldap.SERVER_DOWN:

            raise LdapConnectionError("LDAP can't access authentication server")

        return dn, attrs

class KallitheaAuthPlugin(auth_modules.KallitheaExternalAuthPlugin):

    def __init__(self):

        self._logger = logging.getLogger(__name__)

        self._tls_kind_values = ["PLAIN", "LDAPS", "START_TLS"]

        self._tls_reqcert_values = ["NEVER", "ALLOW", "TRY", "DEMAND", "HARD"]

        self._search_scopes = ["BASE", "ONELEVEL", "SUBTREE"]

    @hybrid_property

    def name(self):

        return "ldap"

    def settings(self):

        settings = [

            {

                "name": "host",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Host of the LDAP Server",

                "formname": "LDAP Host"

            },

            {

                "name": "port",

                "validator": self.validators.Number(strip=True, not_empty=True),

                "type": "string",

                "description": "Port that the LDAP server is listening on",

                "default": 389,

                "formname": "Port"

            },

            {

                "name": "dn_user",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "User to connect to LDAP",

                "formname": "Account"

            },

            {

                "name": "dn_pass",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "password",

                "description": "Password to connect to LDAP",

                "formname": "Password"

            },

            {

                "name": "tls_kind",

                "validator": self.validators.OneOf(self._tls_kind_values),

                "type": "select",

                "values": self._tls_kind_values,

                "description": "TLS Type",

                "default": 'PLAIN',

                "formname": "Connection Security"

            },

            {

                "name": "tls_reqcert",

                "validator": self.validators.OneOf(self._tls_reqcert_values),

                "type": "select",

                "values": self._tls_reqcert_values,

                "description": "Require Cert over TLS?",

                "formname": "Certificate Checks"

            },

            {

                "name": "base_dn",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Base DN to search (e.g., dc=mydomain,dc=com)",

                "formname": "Base DN"

            },

            {

                "name": "filter",

                "validator": self.validators.UnicodeString(strip=True),

                "type": "string",

                "description": "Filter to narrow results (e.g., ou=Users, etc)",

                "formname": "LDAP Search Filter"

            },

            {

                "name": "search_scope",

                "validator": self.validators.OneOf(self._search_scopes),

                "type": "select",

                "values": self._search_scopes,

                "description": "How deep to search LDAP",