tanner/spaceport
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Initialize LDAP connection on each API call

Browse Source
This commit is contained in:
Tanner Collin 2020-02-08 19:51:16 -07:00
parent cc900595df
commit 4febe1ce47
1 changed files with 64 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
ldapserver/ldap_functions.py
View File

@ -5,39 +5,49 @@ import secrets
import base64 import base64
from flask import abort from flask import abort
HTTP_NOTFOUND = 404 HTTP_NOTFOUND = 404
#BASE_MEMBERS = 'OU=Test,OU=GroupsOU,DC=ps,DC=protospace,DC=ca' # testing
BASE_MEMBERS = 'OU=MembersOU,DC=ps,DC=protospace,DC=ca' # prod
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './ProtospaceAD.cer') ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './ProtospaceAD.cer')
l = ldap.initialize('ldaps://ldap.ps.protospace.ca:636')
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
l.set_option(ldap.OPT_X_TLS_DEMAND, True)
l.set_option(ldap.OPT_DEBUG_LEVEL, 255)
BASE_MEMBERS = 'OU=Test,OU=GroupsOU,DC=ps,DC=protospace,DC=ca' # testing def init_ldap():
#BASE_MEMBERS = 'OU=MembersOU,DC=ps,DC=protospace,DC=ca' # prod ldap_conn = ldap.initialize('ldaps://ldap.ps.protospace.ca:636')
ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
ldap_conn.set_option(ldap.OPT_X_TLS_DEMAND, True)
ldap_conn.set_option(ldap.OPT_DEBUG_LEVEL, 255)
return ldap_conn
def find_user(username): def find_user(username):
''' '''
Search for a user by sAMAccountname Search for a user by sAMAccountname
''' '''
l.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn = init_ldap()
try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username) criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username)
results = l.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] ) results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
if len(results) != 1: if len(results) != 1:
abort(HTTP_NOTFOUND) abort(HTTP_NOTFOUND)
return results[0][0] return results[0][0]
finally:
ldap_conn.unbind()
def create_user(first, last, username, email, password): def create_user(first, last, username, email, password):
''' '''
Create a User; required data is first, last, email, username, password Create a User; required data is first, last, email, username, password
Note: this creates a disabled user, then sets a password, then enables the user Note: this creates a disabled user, then sets a password, then enables the user
''' '''
l.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn = init_ldap()
try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
dn = 'CN={} {},{}'.format(first, last, BASE_MEMBERS) dn = 'CN={} {},{}'.format(first, last, BASE_MEMBERS)
full_name = '{} {}'.format(first, last) full_name = '{} {}'.format(first, last)
@ -53,22 +63,26 @@ def create_user(first, last, username, email, password):
('mail', [email.encode()]), ('mail', [email.encode()]),
] ]
l.add_s(dn, ldif) ldap_conn.add_s(dn, ldif)
# set password # set password
pass_quotes = '"{}"'.format(password) pass_quotes = '"{}"'.format(password)
pass_uni = pass_quotes.encode('utf-16-le') pass_uni = pass_quotes.encode('utf-16-le')
change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])] change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])]
result = l.modify_s(dn, change_des) result = ldap_conn.modify_s(dn, change_des)
# 512 will set user account to enabled # 512 will set user account to enabled
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')] mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')]
result = l.modify_s(dn, mod_acct) result = ldap_conn.modify_s(dn, mod_acct)
finally:
ldap_conn.unbind()
def set_password(username, password): def set_password(username, password):
l.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) ldap_conn = init_ldap()
try:
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username) criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username)
results = l.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] ) results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
if len(results) != 1: if len(results) != 1:
abort(HTTP_NOTFOUND) abort(HTTP_NOTFOUND)
@ -79,7 +93,9 @@ def set_password(username, password):
pass_quotes = '"{}"'.format(password) pass_quotes = '"{}"'.format(password)
pass_uni = pass_quotes.encode('utf-16-le') pass_uni = pass_quotes.encode('utf-16-le')
change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])] change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])]
result = l.modify_s(dn, change_des) result = ldap_conn.modify_s(dn, change_des)
finally:
ldap_conn.unbind()
if __name__ == '__main__': if __name__ == '__main__':
#print(find_user('tanner.collin')) #print(find_user('tanner.collin'))