Improve LDAP logging and secrets management

2020-09-15 00:18:38 +00:00 · 2020-09-15 00:18:38 +00:00 · 7e2a4ba673
commit 7e2a4ba673
parent 2d7c67a207
4 changed files with 45 additions and 41 deletions
--- a/ldapserver/ldap_functions.py
+++ b/ldapserver/ldap_functions.py
@ -1,8 +1,4 @@
-import logging
+from log import logger
 logger = logging.getLogger(__name__)
 logging.info('Logging enabled.')
 import time
 import ldap
 import ldap.modlist as modlist
@ -12,14 +8,12 @@ import base64
 from flask import abort
 HTTP_NOTFOUND = 404
 BASE_MEMBERS = 'OU=MembersOU,DC=lab39,DC=lab' # prod
 BASE_GROUPS = 'OU=MembersOU,DC=lab39,DC=lab' # prod
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
-ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, './lab39-dc1.cer')
+ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, secrets.LDAP_CERTFILE)
 def init_ldap():
-    ldap_conn = ldap.initialize('ldaps://ldap.lab39.lab:636')
+    ldap_conn = ldap.initialize(secrets.LDAP_URL)
    ldap_conn.set_option(ldap.OPT_REFERRALS, 0)
    ldap_conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    ldap_conn.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
@ -50,10 +44,10 @@ def find_user(query):
    '''
    ldap_conn = init_ldap()
    try:
-        logger.info('Looking up user', query)
+        logger.info('Looking up user ' + query)
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
        criteria = '(&(objectClass=user)(|(mail={})(sAMAccountName={}))(!(objectClass=computer)))'.format(query, query)
-        results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'])
+        results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'])
        logger.info(results)
@ -86,7 +80,7 @@ def create_user(first, last, username, email, password):
    ldap_conn = init_ldap()
    try:
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
-        dn = 'CN={} {},{}'.format(first, last, BASE_MEMBERS)
+        dn = 'CN={} {},{}'.format(first, last, secrets.BASE_MEMBERS)
        full_name = '{} {}'.format(first, last)
        ldif = [
@ -127,7 +121,7 @@ def set_password(username, password):
    try:
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
        criteria = '(&(objectClass=user)(sAMAccountName={})(!(objectClass=computer)))'.format(username)
-        results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
+        results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, ['displayName','sAMAccountName','email'] )
        if len(results) != 1:
            abort(HTTP_NOTFOUND)
@ -148,10 +142,10 @@ def find_group(groupname):
    '''
    ldap_conn = init_ldap()
    try:
-        logger.info('Looking up group', groupname)
+        logger.info('Looking up group ' + groupname)
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
        criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
-        results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] )
+        results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['name','groupType'] )
        logger.info(results)
@ -169,7 +163,7 @@ def create_group(groupname, description):
    ldap_conn = init_ldap()
    try:
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
-        dn = 'CN={},{}'.format(groupname, BASE_GROUPS)
+        dn = 'CN={},{}'.format(groupname, secrets.BASE_GROUPS)
        ldif = [
            ('objectClass', [b'top', b'group']),
@ -235,7 +229,7 @@ def list_group(groupname):
        group_dn = find_group(groupname)
        criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
-        results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'])
+        results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'])
        members_tmp = results[0][1]
        members = members_tmp.get('member', [])
        return [find_dn(dn.decode()) for dn in members]
@ -254,7 +248,7 @@ def is_member(groupname, username):
        user_dn = find_user(username).encode()
        memflag = False
        criteria = '(&(objectClass=group)(sAMAccountName={}))'.format(groupname)
-        results = ldap_conn.search_s(BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] )
+        results = ldap_conn.search_s(secrets.BASE_GROUPS, ldap.SCOPE_SUBTREE, criteria, ['member'] )
        members_tmp = results[0][1]
        members = members_tmp.get('member', [])
        return user_dn in members
@ -270,7 +264,7 @@ def dump_users():
        ldap_conn.simple_bind_s(secrets.LDAP_USERNAME, secrets.LDAP_PASSWORD)
        criteria = '(&(objectClass=user)(objectGUID=*))'
        attributes = ['cn', 'sAMAccountName', 'mail', 'displayName', 'givenName', 'name', 'sn', 'logonCount', 'objectGUID']
-        results = ldap_conn.search_s(BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes)
+        results = ldap_conn.search_s(secrets.BASE_MEMBERS, ldap.SCOPE_SUBTREE, criteria, attributes)
        results = convert(results)
        output = {}
@ -295,7 +289,7 @@ def dump_users():
 if __name__ == '__main__':
    pass
    #print(create_user('Elon', 'Tusk', 'elon.tusk', 'elont@example.com', 'protospace*&^g87g6'))
-    print(find_user('test.testerb'))
+    #print(find_user('test.testerb'))
    #print(set_password('tanner.collin', 'Supersecret@@'))
    #print(find_dn('CN=Tanner Collin,OU=MembersOU,DC=ps,DC=protospace,DC=ca'))
    #print("============================================================")
@ -314,6 +308,6 @@ if __name__ == '__main__':
    #print(list_group("newgroup"))
    #print(dump_users())
-    #users = list_group('Laser Users')
+    users = list_group('Laser Users')
-    #import json
+    import json
-    #print(json.dumps(users, indent=4))
+    print(json.dumps(users, indent=4))
--- a/ldapserver/log.py
+++ b/ldapserver/log.py
@ -0,0 +1,22 @@
 import logging
 import logging.config
 logging.config.dictConfig({
    'version': 1,
    'formatters': {'default': {
        'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s',
    }},
    'handlers': {'wsgi': {
        'class': 'logging.StreamHandler',
        'stream': 'ext://flask.logging.wsgi_errors_stream',
        'formatter': 'default'
    }},
    'root': {
        'level': 'INFO',
        'handlers': ['wsgi']
    }
 })
 logger = logging.getLogger(__name__)
 logger.info('Logging enabled.')
--- a/ldapserver/secrets.py.example
+++ b/ldapserver/secrets.py.example
@ -8,3 +8,9 @@ AUTH_TOKEN = ''
 LDAP_USERNAME = ''
 LDAP_PASSWORD = ''
 LDAP_CERTFILE = ''
 LDAP_URL = ''
 BASE_MEMBERS = ''
 BASE_GROUPS = ''
--- a/ldapserver/server.py
+++ b/ldapserver/server.py
@ -1,24 +1,6 @@
 from flask import Flask, abort, request
 app = Flask(__name__)
 from logging.config import dictConfig
 dictConfig({
    'version': 1,
    'formatters': {'default': {
        'format': '[%(asctime)s] [%(process)d] [%(levelname)7s] %(message)s',
    }},
    'handlers': {'wsgi': {
        'class': 'logging.StreamHandler',
        'stream': 'ext://flask.logging.wsgi_errors_stream',
        'formatter': 'default'
    }},
    'root': {
        'level': 'INFO',
        'handlers': ['wsgi']
    }
 })
 import ldap_functions
 import secrets