From 2d7c67a2075f50c77e09e20d9892010122181752 Mon Sep 17 00:00:00 2001 From: Tanner Collin Date: Mon, 14 Sep 2020 00:13:00 +0000 Subject: [PATCH 1/3] Improve LDAP logging and group functions --- ldapserver/ldap_functions.py | 45 +++++++++++++++++++++++++----------- ldapserver/server.py | 26 +++++++++++++++++---- 2 files changed, 54 insertions(+), 17 deletions(-) diff --git a/ldapserver/ldap_functions.py b/ldapserver/ldap_functions.py index 4e14e6f..1763bf0 100644 --- a/ldapserver/ldap_functions.py +++ b/ldapserver/ldap_functions.py @@ -1,3 +1,8 @@ +import logging +logger = logging.getLogger(__name__) + +logging.info('Logging enabled.') + import time import ldap import ldap.modlist as modlist @@ -7,14 +12,14 @@ import base64 from flask import abort HTTP_NOTFOUND = 404 -BASE_MEMBERS = 'OU=MembersOU,DC=ps,DC=protospace,DC=ca' # prod -BASE_GROUPS = 'OU=GroupsOU,DC=ps,DC=protospace,DC=ca' # prod +BASE_MEMBERS = 'OU=MembersOU,DC=lab39,DC=lab' # prod +BASE_GROUPS = 'OU=MembersOU,DC=lab39,DC=lab' # prod ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) -ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './ProtospaceAD.cer') +ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './lab39-dc1.cer') def init_ldap(): - ldap_conn = ldap.initialize('ldaps://ldap.ps.protospace.ca:636') + ldap_conn = ldap.initialize('ldaps://ldap.lab39.lab:636') ldap_conn.set_option(ldap.OPT_REFERRALS, 0) ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3) ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND) @@ -32,7 +37,10 @@ def convert(data): else: return [convert(element) for element in data] elif isinstance(data, (bytes, bytearray)): - return data.decode() + try: + return data.decode() + except UnicodeDecodeError: + return data.hex() else: return data @@ -42,10 +50,13 @@ def find_user(query): ''' ldap_conn = init_ldap() try: + logger.info('Looking up user', query) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query) results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email']) + logger.info(results) + if len(results) != 1: abort(HTTP_NOTFOUND) @@ -91,7 +102,9 @@ def create_user(first, last, username, email, password): ('company', [b'Spaceport']), ] - ldap_conn.add_s(dn, ldif) + result = ldap_conn.add_s(dn, ldif) + + logger.info(result) # set password pass_quotes = '"{}"'.format(password) @@ -99,9 +112,13 @@ def create_user(first, last, username, email, password): change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])] result = ldap_conn.modify_s(dn, change_des) + logger.info(result) + # 512 will set user account to enabled mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')] result = ldap_conn.modify_s(dn, mod_acct) + + logger.info(result) finally: ldap_conn.unbind() @@ -131,10 +148,13 @@ def find_group(groupname): ''' ldap_conn = init_ldap() try: + logger.info('Looking up group', groupname) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname) results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] ) + logger.info(results) + if len(results) != 1: abort(HTTP_NOTFOUND) @@ -172,8 +192,8 @@ def add_to_group(groupname, username): ldap_conn = init_ldap() try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) - group_dn = find_group(groupname) user_dn = find_user(username) + group_dn = find_group(groupname) if not is_member(groupname, username): mod_acct = [(ldap.MOD_ADD, 'member', user_dn.encode())] @@ -192,8 +212,8 @@ def remove_from_group(groupname, username): ldap_conn = init_ldap() try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) - group_dn = find_group(groupname) user_dn = find_user(username) + group_dn = find_group(groupname) if is_member(groupname, username): mod_acct = [(ldap.MOD_DELETE, 'member', user_dn.encode())] @@ -248,8 +268,8 @@ def dump_users(): ldap_conn = init_ldap() try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) - criteria = '(&(objectClass=user)(sAMAccountName=*))' - attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount'] + criteria = '(&(objectClass=user)(objectGUID=*))' + attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount', 'objectGUID'] results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes) results = convert(results) @@ -261,7 +281,6 @@ def dump_users(): import json return json.dumps(output, indent=4) - finally: ldap_conn.unbind() @@ -275,8 +294,8 @@ def dump_users(): if __name__ == '__main__': pass - #print(find_user('tanner.collin')) - #print(find_user('mail@tannercollin.com')) + #print(create_user('Elon', 'Tusk', 'elon.tusk', 'elont@example.com', 'protospace*&^g87g6')) + print(find_user('test.testerb')) #print(set_password('tanner.collin', 'Supersecret@@')) #print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca')) #print("============================================================") diff --git a/ldapserver/server.py b/ldapserver/server.py index e2f7009..39174e6 100644 --- a/ldapserver/server.py +++ b/ldapserver/server.py @@ -1,6 +1,24 @@ from flask import Flask, abort, request app = Flask(__name__) +from logging.config import dictConfig + +dictConfig({ + 'version': 1, + 'formatters': {'default': { + 'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s', + }}, + 'handlers': {'wsgi': { + 'class': 'logging.StreamHandler', + 'stream': 'ext://flask.logging.wsgi_errors_stream', + 'formatter': 'default' + }}, + 'root': { + 'level': 'INFO', + 'handlers': ['wsgi'] + } +}) + import ldap_functions import secrets @@ -50,8 +68,8 @@ def set_password(): def add_to_group(): check_auth() - groupname = request.form['groupname'] - username = request.form['username'] + groupname = request.form['group'] + username = request.form.get('username', None) or request.form.get('email', None) ldap_functions.add_to_group(groupname, username) return '' @@ -60,8 +78,8 @@ def add_to_group(): def remove_from_group(): check_auth() - groupname = request.form['groupname'] - username = request.form['username'] + groupname = request.form['group'] + username = request.form.get('username', None) or request.form.get('email', None) ldap_functions.remove_from_group(groupname, username) return '' From 7e2a4ba6733f72b3ad3980e42742bca13bf2f670 Mon Sep 17 00:00:00 2001 From: Tanner Collin Date: Tue, 15 Sep 2020 00:18:38 +0000 Subject: [PATCH 2/3] Improve LDAP logging and secrets management --- ldapserver/ldap_functions.py | 40 +++++++++++++++-------------------- ldapserver/log.py | 22 +++++++++++++++++++ ldapserver/secrets.py.example | 6 ++++++ ldapserver/server.py | 18 ---------------- 4 files changed, 45 insertions(+), 41 deletions(-) create mode 100644 ldapserver/log.py diff --git a/ldapserver/ldap_functions.py b/ldapserver/ldap_functions.py index 1763bf0..91dd0c1 100644 --- a/ldapserver/ldap_functions.py +++ b/ldapserver/ldap_functions.py @@ -1,8 +1,4 @@ -import logging -logger = logging.getLogger(__name__) - -logging.info('Logging enabled.') - +from log import logger import time import ldap import ldap.modlist as modlist @@ -12,14 +8,12 @@ import base64 from flask import abort HTTP_NOTFOUND = 404 -BASE_MEMBERS = 'OU=MembersOU,DC=lab39,DC=lab' # prod -BASE_GROUPS = 'OU=MembersOU,DC=lab39,DC=lab' # prod ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) -ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './lab39-dc1.cer') +ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, secrets.LDAP_CERTFILE) def init_ldap(): - ldap_conn = ldap.initialize('ldaps://ldap.lab39.lab:636') + ldap_conn = ldap.initialize(secrets.LDAP_URL) ldap_conn.set_option(ldap.OPT_REFERRALS, 0) ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3) ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND) @@ -50,10 +44,10 @@ def find_user(query): ''' ldap_conn = init_ldap() try: - logger.info('Looking up user', query) + logger.info('Looking up user ' + query) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query) - results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email']) + results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email']) logger.info(results) @@ -86,7 +80,7 @@ def create_user(first, last, username, email, password): ldap_conn = init_ldap() try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) - dn = 'CN={} {},{}'.format(first, last, BASE_MEMBERS) + dn = 'CN={} {},{}'.format(first, last, secrets.BASE_MEMBERS) full_name = '{} {}'.format(first, last) ldif = [ @@ -127,7 +121,7 @@ def set_password(username, password): try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username) - results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] ) + results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] ) if len(results) != 1: abort(HTTP_NOTFOUND) @@ -148,10 +142,10 @@ def find_group(groupname): ''' ldap_conn = init_ldap() try: - logger.info('Looking up group', groupname) + logger.info('Looking up group ' + groupname) ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname) - results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] ) + results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] ) logger.info(results) @@ -169,7 +163,7 @@ def create_group(groupname, description): ldap_conn = init_ldap() try: ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) - dn = 'CN={},{}'.format(groupname, BASE_GROUPS) + dn = 'CN={},{}'.format(groupname, secrets.BASE_GROUPS) ldif = [ ('objectClass', [b'top', b'group']), @@ -235,7 +229,7 @@ def list_group(groupname): group_dn = find_group(groupname) criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname) - results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member']) + results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member']) members_tmp = results[0][1] members = members_tmp.get('member', []) return [find_dn(dn.decode()) for dn in members] @@ -254,7 +248,7 @@ def is_member(groupname, username): user_dn = find_user(username).encode() memflag = False criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname) - results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] ) + results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] ) members_tmp = results[0][1] members = members_tmp.get('member', []) return user_dn in members @@ -270,7 +264,7 @@ def dump_users(): ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) criteria = '(&(objectClass=user)(objectGUID=*))' attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount', 'objectGUID'] - results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes) + results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes) results = convert(results) output = {} @@ -295,7 +289,7 @@ def dump_users(): if __name__ == '__main__': pass #print(create_user('Elon', 'Tusk', 'elon.tusk', 'elont@example.com', 'protospace*&^g87g6')) - print(find_user('test.testerb')) + #print(find_user('test.testerb')) #print(set_password('tanner.collin', 'Supersecret@@')) #print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca')) #print("============================================================") @@ -314,6 +308,6 @@ if __name__ == '__main__': #print(list_group("newgroup")) #print(dump_users()) - #users = list_group('Laser Users') - #import json - #print(json.dumps(users, indent=4)) + users = list_group('Laser Users') + import json + print(json.dumps(users, indent=4)) diff --git a/ldapserver/log.py b/ldapserver/log.py new file mode 100644 index 0000000..23cd69e --- /dev/null +++ b/ldapserver/log.py @@ -0,0 +1,22 @@ +import logging +import logging.config + +logging.config.dictConfig({ + 'version': 1, + 'formatters': {'default': { + 'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s', + }}, + 'handlers': {'wsgi': { + 'class': 'logging.StreamHandler', + 'stream': 'ext://flask.logging.wsgi_errors_stream', + 'formatter': 'default' + }}, + 'root': { + 'level': 'INFO', + 'handlers': ['wsgi'] + } +}) + +logger = logging.getLogger(__name__) + +logger.info('Logging enabled.') diff --git a/ldapserver/secrets.py.example b/ldapserver/secrets.py.example index d73a4e4..3078416 100644 --- a/ldapserver/secrets.py.example +++ b/ldapserver/secrets.py.example @@ -8,3 +8,9 @@ AUTH_TOKEN = '' LDAP_USERNAME = '' LDAP_PASSWORD = '' + +LDAP_CERTFILE = '' +LDAP_URL = '' + +BASE_MEMBERS = '' +BASE_GROUPS = '' diff --git a/ldapserver/server.py b/ldapserver/server.py index 39174e6..f7f43d2 100644 --- a/ldapserver/server.py +++ b/ldapserver/server.py @@ -1,24 +1,6 @@ from flask import Flask, abort, request app = Flask(__name__) -from logging.config import dictConfig - -dictConfig({ - 'version': 1, - 'formatters': {'default': { - 'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s', - }}, - 'handlers': {'wsgi': { - 'class': 'logging.StreamHandler', - 'stream': 'ext://flask.logging.wsgi_errors_stream', - 'formatter': 'default' - }}, - 'root': { - 'level': 'INFO', - 'handlers': ['wsgi'] - } -}) - import ldap_functions import secrets From 5e1d62caf36c9726f637f5bc394700ca1856f8e2 Mon Sep 17 00:00:00 2001 From: Tanner Collin Date: Tue, 15 Sep 2020 21:01:07 +0000 Subject: [PATCH 3/3] Add more logging --- ldapserver/ldap_functions.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/ldapserver/ldap_functions.py b/ldapserver/ldap_functions.py index 91dd0c1..9de2772 100644 --- a/ldapserver/ldap_functions.py +++ b/ldapserver/ldap_functions.py @@ -194,6 +194,7 @@ def add_to_group(groupname, username): ldap_conn.modify_s(group_dn, mod_acct) return True else: + logger.info('Already a member, skipping') return False finally: @@ -214,6 +215,7 @@ def remove_from_group(groupname, username): ldap_conn.modify_s(group_dn, mod_acct) return True else: + logger.info('Not a member, skipping') return False finally: @@ -243,6 +245,7 @@ def is_member(groupname, username): ''' ldap_conn = init_ldap() try: + logger.info('Checking group membership...') ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD) group_dn = find_group(groupname) user_dn = find_user(username).encode() @@ -308,6 +311,6 @@ if __name__ == '__main__': #print(list_group("newgroup")) #print(dump_users()) - users = list_group('Laser Users') - import json - print(json.dumps(users, indent=4)) + #users = list_group('Laser Users') + #import json + #print(json.dumps(users, indent=4))