Lookup additional LDAP user info

README.md

@@ -169,6 +169,11 @@ If set to True, escape special chars in userdn when authenticating in LDAP.
 On some LDAP servers, when userdn contains chars like '(', ')', '\' authentication may fail when those chars
 are not escaped.
 
+#### `LDAPAuthenticator.auth_state_attributes` ####
+
+An optional list of attributes to be fetched for a user after login.
+If found these will be returned as `auth_state`.
+
 #### `LDAPAuthenticator.use_lookup_dn_username` ####
 
 If set to True (the default) the username used to build the DN string is returned as the username when `lookup_dn` is True.

ldapauthenticator/ldapauthenticator.py

@@ -214,6 +214,10 @@ def _server_port_default(self):
 
     attributes = List(config=True, help="List of attributes to be searched")
 
+    auth_state_attributes = List(
+        config=True, help="List of attributes to be returned in auth_state for a user"
+    )
+
     use_lookup_dn_username = Bool(
         True,
         config=True,
@@ -287,6 +291,16 @@ def get_connection(self, userdn, password):
         )
         return conn
 
+    def get_user_attributes(self, conn, userdn):
+        attrs = {}
+        if self.auth_state_attributes:
+            found = conn.search(
+                userdn, "(objectClass=*)", attributes=self.auth_state_attributes
+            )
+            if found:
+                attrs = conn.entries[0].entry_attributes_as_dict
+        return attrs
+
     @gen.coroutine
     def authenticate(self, handler, data):
         username = data["username"]
@@ -410,10 +424,14 @@ def authenticate(self, handler, data):
                 self.log.warning(msg.format(username=username))
                 return None
 
-        if self.use_lookup_dn_username:
-            return username
-        else:
-            return data["username"]
+        if not self.use_lookup_dn_username:
+            username = data["username"]
+
+        user_info = self.get_user_attributes(conn, userdn)
+        if user_info:
+            self.log.debug("username:%s attributes:%s", username, user_info)
+            return {"name": username, "auth_state": user_info}
+        return username
 
 
 if __name__ == "__main__":

ldapauthenticator/tests/test_ldapauthenticator.py

@@ -90,3 +90,13 @@ async def test_ldap_auth_search_filter(authenticator):
         None, {"username": "zoidberg", "password": "zoidberg"}
     )
     assert authorized is None
+
+
+async def test_ldap_auth_state_attributes(authenticator):
+    authenticator.auth_state_attributes = ["employeeType"]
+    # proper username and password in allowed group
+    authorized = await authenticator.get_authenticated_user(
+        None, {"username": "fry", "password": "fry"}
+    )
+    assert authorized["name"] == "fry"
+    assert authorized["auth_state"] == {"employeeType": ["Delivery boy"]}