def delete_group(self, group, group_type):
write_json_log({
'action': 'delete_group',
'group': group,
'group_type': group_type,
'message': 'Deleting group',
'log-type': 'information'
})
group_cn = build_group_cn(group)
group_dn = build_group_dn(group_cn, group_type,
self.settings['base_group_ou_dn'])
if delete_group(group_dn, self.tree_base, self.connection):
write_json_log({
'action': 'delete_group_success',
'group': group,
'group_type': group_type,
'group_cn': group_cn,
'group_dn': group_dn,
'message': 'Deleted group',
'log-type': 'information'
})
else:
write_json_error({
'action': 'delete_group_fail',
'group': group,
'group_type': group_type,
'group_cn': group_cn,
'group_dn': group_dn,
'message': 'Failed to delete group',
'log-type': 'warning'
})
def add_to_group(target_dn, group_dn, tree_base, connection):
if not check_group_membership(target_dn, group_dn, tree_base, connection):
add_member = form_add_member_action(target_dn)
result = modify_object(group_dn, add_member, connection)
if result:
write_json_log({
'action': 'add_to_group',
'target_dn': target_dn,
'group_dn': group_dn,
'tree_base': tree_base,
'message': 'Successfully set group membership.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'add_to_group_fail',
'target_dn': target_dn,
'group_dn': group_dn,
'tree_base': tree_base,
'message': 'Failed to set group membership.',
'log-type': 'error'
})
return False
return True
def set_password(dn, password, connection):
write_json_log({
'action': 'set_password',
'dn': dn,
'message': 'Reached set_password.',
'log-type': 'information'
})
unicode_passwd = build_unicode_password(password)
set_password_action = form_set_password_action(unicode_passwd)
result = modify_object(dn, set_password_action, connection)
if result:
write_json_log({
'action': 'set_password_success',
'dn': dn,
'message': 'Successfully set password.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'set_password_fail',
'dn': dn,
'message': 'Failed to set password',
'log-type': 'error'
})
return False
def remove_from_group(target_dn, group_dn, tree_base, connection):
if check_group_membership(target_dn, group_dn, tree_base, connection):
del_member = form_del_member_action(target_dn)
result = modify_object(group_dn, del_member, connection)
if result:
write_json_log({
'action': 'remove_from_group',
'target_dn': target_dn,
'group_dn': group_dn,
'tree_base': tree_base,
'message': 'Successfully removed group membership.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'remove_from_group_fail',
'target_dn': target_dn,
'group_dn': group_dn,
'tree_base': tree_base,
'message': 'Failed to terminate group membership.',
'log-type': 'error'
})
return False
return True
def perform_search(ldap_filter, base_dn, connection, attributes):
try:
results = connection.search_s(
str(base_dn).strip(' \t\n\r'), ldap.SCOPE_SUBTREE, ldap_filter,
attributes)
if not results[0][0]:
return False
else:
write_json_log({
'action': 'perform_search',
'ldap_filter': ldap_filter,
'base_dn': base_dn,
'attributes': attributes,
'message': 'Successfully performed LDAP search.',
'log-type': 'information'
})
return results
except ldap.LDAPError, error_message:
write_json_error({
'action': 'perform_search_fail',
'ldap_filter': ldap_filter,
'base_dn': base_dn,
'attributes': attributes,
'message': 'LDAP Search error.',
'error_message': str(error_message),
'log-type': 'error'
})
return False
def create_group(cn, dn, display_name, tree_base, connection):
verify_parent_ou_exists(dn, tree_base, connection)
group_object = form_group(cn, dn, display_name)
result = create_object(dn, group_object, connection)
if result:
write_json_log({
'action': 'create_group',
'cn': cn,
'dn': dn,
'display_name': display_name,
'tree_base': tree_base,
'message': 'Creating group.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'create_group_fail',
'cn': cn,
'dn': dn,
'display_name': display_name,
'tree_base': tree_base,
'message': 'Failed to create group',
'log-type': 'error'
})
return False
def restore_group(self, group, group_type):
write_json_log({
'action': 'restore_group',
'group': group,
'group_type': group_type,
'message': 'Restoring group',
'log-type': 'information'
})
group_cn = build_group_cn(group)
group_dn = build_group_dn(group_cn, group_type,
self.settings['base_group_ou_dn'])
if create_group(group_cn, group_dn, group['label'], self.tree_base,
self.connection):
write_json_log({
'action': 'restore_group_success',
'group': group,
'group_type': group_type,
'group_cn': group_cn,
'group_dn': group_dn,
'message': 'Restored group',
'log-type': 'information'
})
else:
write_json_error({
'action': 'restore_group_fail',
'group': group,
'group_type': group_type,
'group_cn': group_cn,
'group_dn': group_dn,
'message': 'Failed to restore group',
'log-type': 'warning'
})
def add_group_to_group(self, target_group, target_group_type, des_group,
des_group_type):
write_json_log({
'action': 'add_group_to_group',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Adding group to group',
'log-type': 'information'
})
# Build the DNs
target_group_dn = build_group_dn(build_group_cn(target_group),
target_group_type,
self.settings['base_group_ou_dn'])
des_group_dn = build_group_dn(build_group_cn(des_group),
des_group_type,
self.settings['base_group_ou_dn'])
# Check to see if the groups exist
target_result = get_group(target_group_dn, self.tree_base,
self.connection)
des_result = get_group(des_group_dn, self.tree_base, self.connection)
# If they do not exists create them
if not target_result:
self.create_group(target_group, target_group_type)
if not des_result:
self.create_group(des_group, des_group_type)
# Add the target to the destination group
if add_to_group(target_group_dn, des_group_dn, self.tree_base,
self.connection):
write_json_log({
'action': 'add_group_to_group_success',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Added group to group',
'log-type': 'information'
})
else:
write_json_error({
'action': 'add_group_to_group_fail',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Failed to add group to group',
'log-type': 'warning'
})
def delete_group(dn, tree_base, connection):
group_exists = get_group(dn, tree_base, connection)
if group_exists:
result = delete_object(dn, connection)
if not result:
return False
write_json_log({
'action': 'delete_group',
'dn': dn,
'tree_base': tree_base,
'message': 'Deleted group.',
'log-type': 'information'
})
return True
def check_group_membership(target_dn, group_dn, tree_base, connection):
ldap_filter = '(&(distinguishedName=' + target_dn + ')(memberof=' + group_dn + '))'
result = perform_search(ldap_filter, tree_base, connection, ['objectGUID'])
if result:
write_json_log({
'action': 'check_group_membership',
'target_dn': target_dn,
'group_dn': group_dn,
'tree_base': tree_base,
'message': 'Successfully checked group membership.',
'log-type': 'information'
})
return True
else:
return False
def delete_object(dn, connection):
try:
write_json_log({
'action': 'delete_object',
'object': dn,
'message': 'Deleting object.',
'log-type': 'information'
})
return connection.delete_s(dn)
except ldap.LDAPError, error_message:
write_json_error({
'action': 'delete_object_fail',
'object': dn,
'message': 'Failed to delete object',
'error_message': str(error_message),
'log-type': 'error'
})
return False
def disable_account(dn, connection):
disable_account_action = form_set_account_control_action('514')
result = modify_object(dn, disable_account_action, connection)
if result:
write_json_log({
'action': 'disable_account',
'dn': dn,
'message': 'Successfully disabled account.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'disable_account_fail',
'dn': dn,
'message': 'Failed to disable account',
'log-type': 'error'
})
return False
def connect(bind_user, bind_pass, hosts):
write_json_log({
'action': 'connect_ldap',
'bind_user': bind_user,
'hosts': hosts,
'message': 'Connecting to LDAP',
'log-type': 'information'
})
connection = False
for host in hosts:
try:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0)
ldap.set_option(ldap.OPT_REFERRALS, 0)
ldap.protocol_version = ldap.VERSION3
connection = ldap.initialize('ldaps://' + host + ':636')
connection.simple_bind_s(bind_user, bind_pass)
if connection:
write_json_log({
'action':
'connect_ldap_success',
'bind_user':
bind_user,
'hosts':
hosts,
'host':
host,
'message':
'Successfully connected to LDAP host: ' + host,
'log-type':
'information'
})
return connection
except ldap.LDAPError, error_message:
write_json_error({
'action': 'connect_ldap_error',
'bind_user': bind_user,
'hosts': hosts,
'host': host,
'error_message': str(error_message),
'message': 'Error connecting to LDAP server: ' + host,
'log-type': 'error'
})
def create_object(dn, formed_object, connection):
try:
write_json_log({
'action': 'create_object',
'formed_object': formed_object,
'object': dn,
'message': 'Creating object.',
'log-type': 'information'
})
return connection.add_s(dn, modlist.addModlist(formed_object))
except ldap.LDAPError, error_message:
write_json_error({
'action': 'create_object_fail',
'formed_object': formed_object,
'object': dn,
'message': 'Failed to create object',
'error_message': str(error_message),
'log-type': 'error'
})
return False
def modify_object(dn, action, connection):
try:
write_json_log({
'action': 'modify_object',
'formed_action': action,
'object': dn,
'message': 'Modifying object.',
'log-type': 'information'
})
return connection.modify_s(dn, action)
except ldap.LDAPError, error_message:
write_json_error({
'action': 'modify_object_fail',
'formed_action': action,
'object': dn,
'message': 'Failed to modify object',
'error_message': str(error_message),
'log-type': 'error'
})
return False
def create_ou(cn, dn, connection):
ou_object = form_ou(cn, dn)
result = create_object(dn, ou_object, connection)
if result:
write_json_log({
'action': 'create_ou',
'cn': cn,
'dn': dn,
'message': 'Creating OU.',
'log-type': 'information'
})
return result
else:
write_json_error({
'action': 'create_ou_fail',
'cn': cn,
'dn': dn,
'message': 'Failed to create ou',
'log-type': 'error'
})
return False
def change_account_password(self, account):
write_json_log({
'action':
'change_account_password',
'account':
account,
'message':
'Changing account password: '******'username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
result = get_user_by_identifier(account['identifier'], self.tree_base,
self.connection)
if result:
account_dn = result[0][0]
if set_password(account_dn, account['password'], self.connection):
write_json_log({
'action':
'change_account_password_success',
'account':
account,
'message':
'Changing account password: '******'username'] +
' - ' + account['identifier'],
'log-type':
'information'
})
else:
write_json_error({
'action':
'change_account_password_fail',
'account':
account,
'message':
'Failed to change account password: '******'username'] + ' - ' + account['identifier'],
'log-type':
'warning'
})
def disable_account(self, account):
write_json_log({
'action':
'disable_account',
'account':
account,
'message':
'Disable account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
result = get_user_by_identifier(account['identifier'], self.tree_base,
self.connection)
if result:
account_dn = result[0][0]
if disable_account(account_dn, self.connection):
write_json_log({
'action':
'disable_account_success',
'account':
account,
'message':
'Disabled account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
else:
write_json_error({
'action':
'disable_account_fail',
'account':
account,
'message':
'Failed to disable account: ' + account['username'] +
' - ' + account['identifier'],
'log-type':
'warning'
})
def rename_object(current_dn, new_cn, new_ou, connection):
try:
write_json_log({
'action': 'rename_object',
'current_dn': current_dn,
'new_cn': new_cn,
'new_ou': new_ou,
'message': 'Renaming object.',
'log-type': 'information'
})
return connection.rename_s(current_dn, 'CN=' + new_cn, new_ou)
except ldap.LDAPError, error_message:
write_json_error({
'action': 'rename_object_fail',
'current_dn': current_dn,
'new_cn': new_cn,
'new_ou': new_ou,
'message': 'Failed to rename object',
'error_message': str(error_message),
'log-type': 'error'
})
return False
def restore_account(self, account):
write_json_log({
'action':
'restore_account',
'account':
account,
'message':
'Restoring account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
if create_or_modify_account(account, self.connection, self.tree_base,
self.settings):
write_json_log({
'action':
'restore_account_success',
'account':
account,
'message':
'Restored account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
self.enable_account(account)
else:
write_json_error({
'action':
'restore_account_fail',
'account':
account,
'message':
'Failed to restore account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'warning'
})
def remove_group_from_group(self, target_group, target_group_type,
des_group, des_group_type):
write_json_log({
'action': 'remove_group_from_group',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Removing group from group',
'log-type': 'information'
})
target_group_dn = build_group_dn(build_group_cn(target_group),
target_group_type,
self.settings['base_group_ou_dn'])
des_group_dn = build_group_dn(build_group_cn(des_group),
des_group_type,
self.settings['base_group_ou_dn'])
if remove_from_group(target_group_dn, des_group_dn, self.tree_base,
self.connection):
write_json_log({
'action': 'remove_group_from_group_success',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Removed group from group',
'log-type': 'information'
})
else:
write_json_error({
'action': 'remove_group_from_group_fail',
'target_group': target_group,
'target_group_type': target_group_type,
'des_group': des_group,
'des_group_type': des_group_type,
'message': 'Failed to remove group from group',
'log-type': 'warning'
})
def delete_account(self, account):
write_json_log({
'action':
'delete_account',
'account':
account,
'message':
'Deleting/Disabling account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
if delete_or_disable_account(account, self.connection, self.settings):
write_json_log({
'action':
'delete_account_success',
'account':
account,
'message':
'Deleted/Disabled account: ' + account['username'] + ' - ' +
account['identifier'],
'log-type':
'information'
})
else:
write_json_error({
'action':
'delete_account_fail',
'account':
account,
'message':
'Failed to delete/disable account: ' + account['username'] +
' - ' + account['identifier'],
'log-type':
'warning'
})
})
return connection
except ldap.LDAPError, error_message:
write_json_error({
'action': 'connect_ldap_error',
'bind_user': bind_user,
'hosts': hosts,
'host': host,
'error_message': str(error_message),
'message': 'Error connecting to LDAP server: ' + host,
'log-type': 'error'
})
write_json_log({
'action': 'connect_ldap_success',
'bind_user': bind_user,
'hosts': hosts,
'message': 'Successfully connected to LDAP.',
'log-type': 'information'
})
return connection
def build_duty_ou_dn(name, base_account_ou):
return 'OU=' + ldap.dn.escape_dn_chars(name) + ',' + base_account_ou
def build_trash_ou_dn(base_account_ou):
return 'OU=Trash,' + base_account_ou
def build_group_cn(group):
def remove_account_from_group(self, account, group, group_type):
write_json_log({
'action': 'remove_account_from_group',
'account': account,
'group': group,
'group_type': group_type,
'message': 'Removing account from group',
'log-type': 'information'
})
result = get_user_by_identifier(account['identifier'], self.tree_base,
self.connection)
if result:
account_dn = result[0][0]
group_cn = build_group_cn(group)
group_dn = build_group_dn(group_cn, group_type,
self.settings['base_group_ou_dn'])
group_result = get_group(group_dn, self.tree_base, self.connection)
if not group_result:
self.create_group(group, group_type)
if remove_from_group(account_dn, group_dn, self.tree_base,
self.connection):
write_json_log({
'action':
'remove_account_from_group_success',
'account':
account,
'account_dn':
account_dn,
'group':
group,
'group_type':
group_type,
'group_cn':
group_cn,
'group_dn':
group_dn,
'message':
'Removed account from group: ' + account['username'] +
' - ' + account['identifier'] + ' ---- ' + group_cn,
'log-type':
'information'
})
else:
write_json_error({
'action':
'remove_account_from_group_fail',
'account':
account,
'account_dn':
account_dn,
'group':
group,
'group_type':
group_type,
'group_cn':
group_cn,
'group_dn':
group_dn,
'message':
'Failed to remove account from group: ' +
account['username'] + ' - ' + account['identifier'] +
' --!! ' + group_cn,
'log-type':
'warning'
})
