tanner/spaceport
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improve LDAP logging and group functions

Browse Source
This commit is contained in:
Tanner Collin 2020-09-14 00:13:00 +00:00
parent bfd90768c2
commit 2d7c67a207
2 changed files with 54 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
ldapserver/ldap_functions.py
View File

@ -1,3 +1,8 @@
import logging
logger = logging.getLogger(__name__)
logging.info('Logging enabled.')
import time import time
import ldap import ldap
import ldap.modlist as modlist import ldap.modlist as modlist
@ -7,14 +12,14 @@ import base64
from flask import abort from flask import abort
HTTP_NOTFOUND = 404 HTTP_NOTFOUND = 404
BASE_MEMBERS = 'OU=MembersOU,DC=ps,DC=protospace,DC=ca' # prod BASE_MEMBERS = 'OU=MembersOU,DC=lab39,DC=lab' # prod
BASE_GROUPS = 'OU=GroupsOU,DC=ps,DC=protospace,DC=ca' # prod BASE_GROUPS = 'OU=MembersOU,DC=lab39,DC=lab' # prod
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './ProtospaceAD.cer') ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './lab39-dc1.cer')
def init_ldap(): def init_ldap():
ldap_conn = ldap.initialize('ldaps://ldap.ps.protospace.ca:636') ldap_conn = ldap.initialize('ldaps://ldap.lab39.lab:636')
ldap_conn.set_option(ldap.OPT_REFERRALS, 0) ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3) ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND) ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
@ -32,7 +37,10 @@ def convert(data):
else: else:
return [convert(element) for element in data] return [convert(element) for element in data]
elif isinstance(data, (bytes, bytearray)): elif isinstance(data, (bytes, bytearray)):
try:
return data.decode() return data.decode()
except UnicodeDecodeError:
return data.hex()
else: else:
return data return data
@ -42,10 +50,13 @@ def find_user(query):
''' '''
ldap_conn = init_ldap() ldap_conn = init_ldap()
try: try:
logger.info('Looking up user', query)
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query) criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query)
results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email']) results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'])
logger.info(results)
if len(results) != 1: if len(results) != 1:
abort(HTTP_NOTFOUND) abort(HTTP_NOTFOUND)
@ -91,7 +102,9 @@ def create_user(first, last, username, email, password):
('company', [b'Spaceport']), ('company', [b'Spaceport']),
] ]
ldap_conn.add_s(dn, ldif) result = ldap_conn.add_s(dn, ldif)
logger.info(result)
# set password # set password
pass_quotes = '"{}"'.format(password) pass_quotes = '"{}"'.format(password)
@ -99,9 +112,13 @@ def create_user(first, last, username, email, password):
change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])] change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])]
result = ldap_conn.modify_s(dn, change_des) result = ldap_conn.modify_s(dn, change_des)
logger.info(result)
# 512 will set user account to enabled # 512 will set user account to enabled
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')] mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')]
result = ldap_conn.modify_s(dn, mod_acct) result = ldap_conn.modify_s(dn, mod_acct)
logger.info(result)
finally: finally:
ldap_conn.unbind() ldap_conn.unbind()
@ -131,10 +148,13 @@ def find_group(groupname):
''' '''
ldap_conn = init_ldap() ldap_conn = init_ldap()
try: try:
logger.info('Looking up group', groupname)
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname) criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] ) results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] )
logger.info(results)
if len(results) != 1: if len(results) != 1:
abort(HTTP_NOTFOUND) abort(HTTP_NOTFOUND)
@ -172,8 +192,8 @@ def add_to_group(groupname, username):
ldap_conn = init_ldap() ldap_conn = init_ldap()
try: try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
group_dn = find_group(groupname)
user_dn = find_user(username) user_dn = find_user(username)
group_dn = find_group(groupname)
if not is_member(groupname, username): if not is_member(groupname, username):
mod_acct = [(ldap.MOD_ADD, 'member', user_dn.encode())] mod_acct = [(ldap.MOD_ADD, 'member', user_dn.encode())]
@ -192,8 +212,8 @@ def remove_from_group(groupname, username):
ldap_conn = init_ldap() ldap_conn = init_ldap()
try: try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
group_dn = find_group(groupname)
user_dn = find_user(username) user_dn = find_user(username)
group_dn = find_group(groupname)
if is_member(groupname, username): if is_member(groupname, username):
mod_acct = [(ldap.MOD_DELETE, 'member', user_dn.encode())] mod_acct = [(ldap.MOD_DELETE, 'member', user_dn.encode())]
@ -248,8 +268,8 @@ def dump_users():
ldap_conn = init_ldap() ldap_conn = init_ldap()
try: try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
criteria = '(&(objectClass=user)(sAMAccountName=*))' criteria = '(&(objectClass=user)(objectGUID=*))'
attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount'] attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount', 'objectGUID']
results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes) results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes)
results = convert(results) results = convert(results)
@ -261,7 +281,6 @@ def dump_users():
import json import json
return json.dumps(output, indent=4) return json.dumps(output, indent=4)
finally: finally:
ldap_conn.unbind() ldap_conn.unbind()
@ -275,8 +294,8 @@ def dump_users():
if __name__ == '__main__': if __name__ == '__main__':
pass pass
#print(find_user('tanner.collin')) #print(create_user('Elon', 'Tusk', 'elon.tusk', 'elont@example.com', 'protospace*&^g87g6'))
#print(find_user('mail@tannercollin.com')) print(find_user('test.testerb'))
#print(set_password('tanner.collin', 'Supersecret@@')) #print(set_password('tanner.collin', 'Supersecret@@'))
#print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca')) #print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca'))
#print("============================================================") #print("============================================================")

26
ldapserver/server.py
View File

@ -1,6 +1,24 @@
from flask import Flask, abort, request from flask import Flask, abort, request
app = Flask(__name__) app = Flask(__name__)
from logging.config import dictConfig
dictConfig({
'version': 1,
'formatters': {'default': {
'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s',
}},
'handlers': {'wsgi': {
'class': 'logging.StreamHandler',
'stream': 'ext://flask.logging.wsgi_errors_stream',
'formatter': 'default'
}},
'root': {
'level': 'INFO',
'handlers': ['wsgi']
}
})
import ldap_functions import ldap_functions
import secrets import secrets
@ -50,8 +68,8 @@ def set_password():
def add_to_group(): def add_to_group():
check_auth() check_auth()
groupname = request.form['groupname'] groupname = request.form['group']
username = request.form['username'] username = request.form.get('username', None) or request.form.get('email', None)
ldap_functions.add_to_group(groupname, username) ldap_functions.add_to_group(groupname, username)
return '' return ''
@ -60,8 +78,8 @@ def add_to_group():
def remove_from_group(): def remove_from_group():
check_auth() check_auth()
groupname = request.form['groupname'] groupname = request.form['group']
username = request.form['username'] username = request.form.get('username', None) or request.form.get('email', None)
ldap_functions.remove_from_group(groupname, username) ldap_functions.remove_from_group(groupname, username)
return '' return ''