Merge remote-tracking branch 'github/ldap-functions'
This commit is contained in:
commit
649b2061bc
|
@ -1,3 +1,4 @@
|
||||||
|
from log import logger
|
||||||
import time
|
import time
|
||||||
import ldap
|
import ldap
|
||||||
import ldap.modlist as modlist
|
import ldap.modlist as modlist
|
||||||
|
@ -7,14 +8,12 @@ import base64
|
||||||
from flask import abort
|
from flask import abort
|
||||||
|
|
||||||
HTTP_NOTFOUND = 404
|
HTTP_NOTFOUND = 404
|
||||||
BASE_MEMBERS = 'OU=MembersOU,DC=ps,DC=protospace,DC=ca' # prod
|
|
||||||
BASE_GROUPS = 'OU=GroupsOU,DC=ps,DC=protospace,DC=ca' # prod
|
|
||||||
|
|
||||||
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
|
||||||
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './ProtospaceAD.cer')
|
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, secrets.LDAP_CERTFILE)
|
||||||
|
|
||||||
def init_ldap():
|
def init_ldap():
|
||||||
ldap_conn = ldap.initialize('ldaps://ldap.ps.protospace.ca:636')
|
ldap_conn = ldap.initialize(secrets.LDAP_URL)
|
||||||
ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
|
ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
|
||||||
ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
|
ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
|
||||||
ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
|
ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
|
||||||
|
@ -32,7 +31,10 @@ def convert(data):
|
||||||
else:
|
else:
|
||||||
return [convert(element) for element in data]
|
return [convert(element) for element in data]
|
||||||
elif isinstance(data, (bytes, bytearray)):
|
elif isinstance(data, (bytes, bytearray)):
|
||||||
|
try:
|
||||||
return data.decode()
|
return data.decode()
|
||||||
|
except UnicodeDecodeError:
|
||||||
|
return data.hex()
|
||||||
else:
|
else:
|
||||||
return data
|
return data
|
||||||
|
|
||||||
|
@ -42,9 +44,12 @@ def find_user(query):
|
||||||
'''
|
'''
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
|
logger.info('Looking up user ' + query)
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query)
|
criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query)
|
||||||
results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'])
|
results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'])
|
||||||
|
|
||||||
|
logger.info(results)
|
||||||
|
|
||||||
if len(results) != 1:
|
if len(results) != 1:
|
||||||
abort(HTTP_NOTFOUND)
|
abort(HTTP_NOTFOUND)
|
||||||
|
@ -75,7 +80,7 @@ def create_user(first, last, username, email, password):
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
dn = 'CN={} {},{}'.format(first, last, BASE_MEMBERS)
|
dn = 'CN={} {},{}'.format(first, last, secrets.BASE_MEMBERS)
|
||||||
full_name = '{} {}'.format(first, last)
|
full_name = '{} {}'.format(first, last)
|
||||||
|
|
||||||
ldif = [
|
ldif = [
|
||||||
|
@ -91,7 +96,9 @@ def create_user(first, last, username, email, password):
|
||||||
('company', [b'Spaceport']),
|
('company', [b'Spaceport']),
|
||||||
]
|
]
|
||||||
|
|
||||||
ldap_conn.add_s(dn, ldif)
|
result = ldap_conn.add_s(dn, ldif)
|
||||||
|
|
||||||
|
logger.info(result)
|
||||||
|
|
||||||
# set password
|
# set password
|
||||||
pass_quotes = '"{}"'.format(password)
|
pass_quotes = '"{}"'.format(password)
|
||||||
|
@ -99,9 +106,13 @@ def create_user(first, last, username, email, password):
|
||||||
change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])]
|
change_des = [(ldap.MOD_REPLACE, 'unicodePwd', [pass_uni])]
|
||||||
result = ldap_conn.modify_s(dn, change_des)
|
result = ldap_conn.modify_s(dn, change_des)
|
||||||
|
|
||||||
|
logger.info(result)
|
||||||
|
|
||||||
# 512 will set user account to enabled
|
# 512 will set user account to enabled
|
||||||
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')]
|
mod_acct = [(ldap.MOD_REPLACE, 'userAccountControl', b'512')]
|
||||||
result = ldap_conn.modify_s(dn, mod_acct)
|
result = ldap_conn.modify_s(dn, mod_acct)
|
||||||
|
|
||||||
|
logger.info(result)
|
||||||
finally:
|
finally:
|
||||||
ldap_conn.unbind()
|
ldap_conn.unbind()
|
||||||
|
|
||||||
|
@ -110,7 +121,7 @@ def set_password(username, password):
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username)
|
criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username)
|
||||||
results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
|
results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
|
||||||
|
|
||||||
if len(results) != 1:
|
if len(results) != 1:
|
||||||
abort(HTTP_NOTFOUND)
|
abort(HTTP_NOTFOUND)
|
||||||
|
@ -131,9 +142,12 @@ def find_group(groupname):
|
||||||
'''
|
'''
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
|
logger.info('Looking up group ' + groupname)
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
||||||
results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] )
|
results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] )
|
||||||
|
|
||||||
|
logger.info(results)
|
||||||
|
|
||||||
if len(results) != 1:
|
if len(results) != 1:
|
||||||
abort(HTTP_NOTFOUND)
|
abort(HTTP_NOTFOUND)
|
||||||
|
@ -149,7 +163,7 @@ def create_group(groupname, description):
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
dn = 'CN={},{}'.format(groupname, BASE_GROUPS)
|
dn = 'CN={},{}'.format(groupname, secrets.BASE_GROUPS)
|
||||||
|
|
||||||
ldif = [
|
ldif = [
|
||||||
('objectClass', [b'top', b'group']),
|
('objectClass', [b'top', b'group']),
|
||||||
|
@ -172,14 +186,15 @@ def add_to_group(groupname, username):
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
group_dn = find_group(groupname)
|
|
||||||
user_dn = find_user(username)
|
user_dn = find_user(username)
|
||||||
|
group_dn = find_group(groupname)
|
||||||
|
|
||||||
if not is_member(groupname, username):
|
if not is_member(groupname, username):
|
||||||
mod_acct = [(ldap.MOD_ADD, 'member', user_dn.encode())]
|
mod_acct = [(ldap.MOD_ADD, 'member', user_dn.encode())]
|
||||||
ldap_conn.modify_s(group_dn, mod_acct)
|
ldap_conn.modify_s(group_dn, mod_acct)
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
logger.info('Already a member, skipping')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
finally:
|
finally:
|
||||||
|
@ -192,14 +207,15 @@ def remove_from_group(groupname, username):
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
group_dn = find_group(groupname)
|
|
||||||
user_dn = find_user(username)
|
user_dn = find_user(username)
|
||||||
|
group_dn = find_group(groupname)
|
||||||
|
|
||||||
if is_member(groupname, username):
|
if is_member(groupname, username):
|
||||||
mod_acct = [(ldap.MOD_DELETE, 'member', user_dn.encode())]
|
mod_acct = [(ldap.MOD_DELETE, 'member', user_dn.encode())]
|
||||||
ldap_conn.modify_s(group_dn, mod_acct)
|
ldap_conn.modify_s(group_dn, mod_acct)
|
||||||
return True
|
return True
|
||||||
else:
|
else:
|
||||||
|
logger.info('Not a member, skipping')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
finally:
|
finally:
|
||||||
|
@ -215,7 +231,7 @@ def list_group(groupname):
|
||||||
group_dn = find_group(groupname)
|
group_dn = find_group(groupname)
|
||||||
|
|
||||||
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
||||||
results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'])
|
results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'])
|
||||||
members_tmp = results[0][1]
|
members_tmp = results[0][1]
|
||||||
members = members_tmp.get('member', [])
|
members = members_tmp.get('member', [])
|
||||||
return [find_dn(dn.decode()) for dn in members]
|
return [find_dn(dn.decode()) for dn in members]
|
||||||
|
@ -229,12 +245,13 @@ def is_member(groupname, username):
|
||||||
'''
|
'''
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
|
logger.info('Checking group membership...')
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
group_dn = find_group(groupname)
|
group_dn = find_group(groupname)
|
||||||
user_dn = find_user(username).encode()
|
user_dn = find_user(username).encode()
|
||||||
memflag = False
|
memflag = False
|
||||||
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
|
||||||
results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] )
|
results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] )
|
||||||
members_tmp = results[0][1]
|
members_tmp = results[0][1]
|
||||||
members = members_tmp.get('member', [])
|
members = members_tmp.get('member', [])
|
||||||
return user_dn in members
|
return user_dn in members
|
||||||
|
@ -248,9 +265,9 @@ def dump_users():
|
||||||
ldap_conn = init_ldap()
|
ldap_conn = init_ldap()
|
||||||
try:
|
try:
|
||||||
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
|
||||||
criteria = '(&(objectClass=user)(sAMAccountName=*))'
|
criteria = '(&(objectClass=user)(objectGUID=*))'
|
||||||
attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount']
|
attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount', 'objectGUID']
|
||||||
results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes)
|
results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes)
|
||||||
results = convert(results)
|
results = convert(results)
|
||||||
|
|
||||||
output = {}
|
output = {}
|
||||||
|
@ -261,7 +278,6 @@ def dump_users():
|
||||||
|
|
||||||
import json
|
import json
|
||||||
return json.dumps(output, indent=4)
|
return json.dumps(output, indent=4)
|
||||||
|
|
||||||
finally:
|
finally:
|
||||||
ldap_conn.unbind()
|
ldap_conn.unbind()
|
||||||
|
|
||||||
|
@ -275,8 +291,8 @@ def dump_users():
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
pass
|
pass
|
||||||
#print(find_user('tanner.collin'))
|
#print(create_user('Elon', 'Tusk', 'elon.tusk', 'elont@example.com', 'protospace*&^g87g6'))
|
||||||
#print(find_user('mail@tannercollin.com'))
|
#print(find_user('test.testerb'))
|
||||||
#print(set_password('tanner.collin', 'Supersecret@@'))
|
#print(set_password('tanner.collin', 'Supersecret@@'))
|
||||||
#print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca'))
|
#print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca'))
|
||||||
#print("============================================================")
|
#print("============================================================")
|
||||||
|
|
22
ldapserver/log.py
Normal file
22
ldapserver/log.py
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
import logging
|
||||||
|
import logging.config
|
||||||
|
|
||||||
|
logging.config.dictConfig({
|
||||||
|
'version': 1,
|
||||||
|
'formatters': {'default': {
|
||||||
|
'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s',
|
||||||
|
}},
|
||||||
|
'handlers': {'wsgi': {
|
||||||
|
'class': 'logging.StreamHandler',
|
||||||
|
'stream': 'ext://flask.logging.wsgi_errors_stream',
|
||||||
|
'formatter': 'default'
|
||||||
|
}},
|
||||||
|
'root': {
|
||||||
|
'level': 'INFO',
|
||||||
|
'handlers': ['wsgi']
|
||||||
|
}
|
||||||
|
})
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
logger.info('Logging enabled.')
|
|
@ -8,3 +8,9 @@ AUTH_TOKEN = ''
|
||||||
|
|
||||||
LDAP_USERNAME = ''
|
LDAP_USERNAME = ''
|
||||||
LDAP_PASSWORD = ''
|
LDAP_PASSWORD = ''
|
||||||
|
|
||||||
|
LDAP_CERTFILE = ''
|
||||||
|
LDAP_URL = ''
|
||||||
|
|
||||||
|
BASE_MEMBERS = ''
|
||||||
|
BASE_GROUPS = ''
|
||||||
|
|
|
@ -50,8 +50,8 @@ def set_password():
|
||||||
def add_to_group():
|
def add_to_group():
|
||||||
check_auth()
|
check_auth()
|
||||||
|
|
||||||
groupname = request.form['groupname']
|
groupname = request.form['group']
|
||||||
username = request.form['username']
|
username = request.form.get('username', None) or request.form.get('email', None)
|
||||||
|
|
||||||
ldap_functions.add_to_group(groupname, username)
|
ldap_functions.add_to_group(groupname, username)
|
||||||
return ''
|
return ''
|
||||||
|
@ -60,8 +60,8 @@ def add_to_group():
|
||||||
def remove_from_group():
|
def remove_from_group():
|
||||||
check_auth()
|
check_auth()
|
||||||
|
|
||||||
groupname = request.form['groupname']
|
groupname = request.form['group']
|
||||||
username = request.form['username']
|
username = request.form.get('username', None) or request.form.get('email', None)
|
||||||
|
|
||||||
ldap_functions.remove_from_group(groupname, username)
|
ldap_functions.remove_from_group(groupname, username)
|
||||||
return ''
|
return ''
|
||||||
|
|
Loading…
Reference in New Issue
Block a user