def editUser(self, userDN, fields): t = { 'name': 'cn', 'surname': 'sn', 'homeDirectory': 'homeDirectory', 'address': 'homePostalAddress', 'mail': 'mail', 'phone': 'homePhone', 'loginShell': 'loginShell', 'password': '******' } change = {} for i in t.keys(): if not userDN.has_key(t[i]): userDN[t[i]] = [''] if not fields.has_key(i): fields[i] = '' if userDN[t[i]][0] <> fields[i]: change[t[i]] = fields[i] if change == {}: return if change.has_key('userPassword'): from passlib.hash import ldap_salted_sha1 change['userPassword'] = \ ldap_salted_sha1.encrypt( change['userPassword']) con = self.__getCon() for i in change.keys(): con.modify("uid=%s" % userDN['uid'][0], i, change[i]) del con
def editUser(self, userDN, fields): t = {'name':'cn', 'surname':'sn', 'homeDirectory': 'homeDirectory', 'address':'homePostalAddress', 'mail':'mail', 'phone':'homePhone', 'loginShell': 'loginShell', 'password':'******' } change = {} for i in t.keys(): if not userDN.has_key(t[i]) : userDN[t[i]] = [''] if not fields.has_key(i): fields[i] = '' if userDN[t[i]][0] <> fields[i]: change[t[i]] = fields[i] if change == {}: return if change.has_key('userPassword'): from passlib.hash import ldap_salted_sha1 change['userPassword'] = \ ldap_salted_sha1.encrypt( change['userPassword']) con = self.__getCon() for i in change.keys(): con.modify("uid=%s" % userDN['uid'][0], i, change[i]) del con
def encrypt_password(self, password): """ Use passlib library to make a RFC2307 LDAP encrypted password salt size = 8, use sha-1 algorithm. Returns encrypted password. """ #Keep consistency with Java Senslab's LDAP API #RFC2307SSHAPasswordEncryptor so set the salt size to 8 bytres return lssha.encrypt(password, salt_size = 8)
def encrypt_password(password): """ Use passlib library to make a RFC2307 LDAP encrypted password salt size is 8, use sha-1 algorithm. :param password: password not encrypted. :type password: string :returns: Returns encrypted password. :rtype: string """ #Keep consistency with Java Iotlab's LDAP API #RFC2307SSHAPasswordEncryptor so set the salt size to 8 bytes return lssha.encrypt(password, salt_size=8)
def save(self, *args, **kwargs): """ save the model and set implicit attributes like sambaSID etc """ # userGroups is given as kwarg by the view as list of strings # we get the corresponding ldapgroups and check which are new # and which can be deleted userGroups = kwargs.pop('userGroups', []) newUserGroups = map(lambda g: get_or_none(LdapGroup, cn=g), userGroups) newUserGroups = filter(None, newUserGroups) currentUserGroups = LdapGroup.objects.filter( memberUid__contains=self.uid) deletedGroups = [ g for g in currentUserGroups if g not in newUserGroups ] for group in deletedGroups: group.memberUid.remove(self.uid) group.save() for group in newUserGroups: if self.uid not in group.memberUid: group.memberUid.append(self.uid) group.save() # implicit attributes self.cn = self.givenName + ' ' + self.sn self.sambaSID = settings.SAMBA_SID + '-' + str(self.uidNumber * 2 + 1000) self.homeDirectory = '/home/' + self.uid self.loginShell = settings.DEFAULT_SHELL # build unix timestamp from given date format (dd.mm.yyyy) if self.deIappBirthday: self.deIappBirthday = date2timestamp(self.deIappBirthday) # password is given as kwarg by the view # sha1, lm/nt hashes are build from this password and will be saved password = kwargs.pop('password', False) if password: from passlib.hash import ldap_salted_sha1 as lss from passlib.hash import lmhash from passlib.hash import nthash self.userPassword = lss.encrypt(password) self.sambaLMPassword = lmhash.encrypt(password).upper() self.sambaNTPassword = nthash.encrypt(password).upper() super(LdapUser, self).save(*args, **kwargs)
def save(self, *args, **kwargs): """ save the model and set implicit attributes like sambaSID etc """ # userGroups is given as kwarg by the view as list of strings # we get the corresponding ldapgroups and check which are new # and which can be deleted userGroups = kwargs.pop('userGroups', []) newUserGroups = map(lambda g: get_or_none(LdapGroup, cn=g), userGroups) newUserGroups = filter(None, newUserGroups) currentUserGroups = LdapGroup.objects.filter(memberUid__contains=self.uid) deletedGroups = [g for g in currentUserGroups if g not in newUserGroups] for group in deletedGroups: group.memberUid.remove(self.uid) group.save() for group in newUserGroups: if self.uid not in group.memberUid: group.memberUid.append(self.uid) group.save() # implicit attributes self.cn = self.givenName + ' ' + self.sn self.sambaSID = settings.SAMBA_SID + '-' + str(self.uidNumber * 2 + 1000) self.homeDirectory = '/home/' + self.uid self.loginShell = settings.DEFAULT_SHELL # build unix timestamp from given date format (dd.mm.yyyy) if self.deIappBirthday: self.deIappBirthday = date2timestamp(self.deIappBirthday) # password is given as kwarg by the view # sha1, lm/nt hashes are build from this password and will be saved password = kwargs.pop('password', False) if password: from passlib.hash import ldap_salted_sha1 as lss from passlib.hash import lmhash from passlib.hash import nthash self.userPassword = lss.encrypt(password) self.sambaLMPassword = lmhash.encrypt(password).upper() self.sambaNTPassword = nthash.encrypt(password).upper() super(LdapUser, self).save(*args, **kwargs)
def pass_encrypt(passwd): return ssha.encrypt(passwd, salt_size=16)
def hashPassword(password): """ Generate a password in SSHA format suitable for ldap """ return ldap_salted_sha1.encrypt(password)
def make_secret(password): return ldap_salted_sha1.encrypt(password)
def ldap_create_password(raw_password): return ldap_salted_sha1.encrypt(raw_password)
def ___void___encrypt_password___(self, password): self.password = passlib___ldap_salted_sha1.encrypt(password)
def get_pwhash_for_user(self, textplain_passwd): # Only needed for that from passlib.hash import ldap_salted_sha1 password_hash = ldap_salted_sha1.encrypt(textplain_passwd) return password_hash
def add_member(request): """Add kiberpipa memeber with all the stuff""" if not request.user.is_staff: return form = NewMemberForm(request.POST or None) if request.method == "POST" and form.is_valid(): # create ldap record password = "".join(random.sample(string.letters + string.digits, 8)) password_hash = ldap_salted_sha1.encrypt(password) uid = int( subprocess.Popen( "getent passwd | awk -F: '$3 < 3000 { print $3 }' | sort -n | tail -1", stdout=subprocess.PIPE, shell=True, ) .communicate()[0] .strip() ) uid += 1 gid = int( subprocess.Popen( "getent group | awk -F: '$3 < 3000 { print $3 }' | sort -n | tail -1", stdout=subprocess.PIPE, shell=True, ) .communicate()[0] .strip() ) gid += 1 ldif_template = get_template("org/member_add.ldif").render( Context(dict(data=form.cleaned_data, password_hash=password_hash, uid=uid, gid=gid)) ) with tempfile.NamedTemporaryFile() as f: f.write(ldif_template.encode("utf-8")) f.flush() subprocess.check_call( "sudo -u root ldapadd -D cn=admin,dc=kiberpipa,dc=org -f %s -w %s" % (f.name, settings.LDAP_PASSWORD), shell=True, ) # create home folder # TODO: dogbert login # subprocess.check_call('sudo -u root mkdir -p /home/%s' % form.cleaned_data['username'], # shell=True) # TODO: chown it (sudoers should be very strict about this) # subprocess.check_call('sudo -u root chown -p /home/%s' % form.cleaned_data['username'], # shell=True) # TODO: add member to redmine group # add him to pipa-org if form.cleaned_data["add_to_private_mailinglist"]: mailman_list = List.objects.get(id=2) try: mailman_list.subscribe(form.cleaned_data["email"]) except: pass # member is already subscribed # send email to new user html = get_template("mail/member_add_welcome_email.html").render( Context(dict(username=form.cleaned_data["username"], password=password)) ) send_mail(u"Dobrodošel/a v Kiberpipi!", html, settings.DEFAULT_FROM_EMAIL, [form.cleaned_data["email"]]) # add a diary we added a member diary = Diary( log_formal=u"Dodal novega člana: %s (%s %s)" % (form.cleaned_data["username"], form.cleaned_data["firstname"], form.cleaned_data["surname"]), author=request.user, length=datetime.time(1), # 1h task=Project.objects.get(id=2), ) diary.save() return render_to_response( "org/member_add_success.html", {"email": form.cleaned_data["email"]}, context_instance=RequestContext(request), ) return render_to_response("org/member_add.html", {"form": form}, context_instance=RequestContext(request))
def ldap_create(raw_password): return ldap_salted_sha1.encrypt(raw_password)
} currentUid = 10 rownb = 0 def getField(row, idx, fieldname): if row[idx] is '': raise Exception("Empty " + fieldname + " on row " + str(rownb)) return row[idx] for row in inputReader: employeeNumber = row[0] # user id uid = getField(row, 1, 'uid') # login userPassword = ldap_salted_sha1.encrypt(getField( row, 2, 'userPassword')) # password mail = getField(row, 3, 'mail') # email givenName = row[4] # first name sn = row[5] # second name o = row[6] # org / company title = row[7] # job situation telephoneNumber = row[8] # phone number currentGroups = getField(row, 9, 'groups').replace(' ', '').split(GROUP_SEPARATOR) for currentGroup in currentGroups: if not groups.has_key(currentGroup): groups[currentGroup] = {'users': [], 'id': currentUid} currentUid += 1 groups[currentGroup]['users'].append("uid=" + uid + ",ou=users," + LDAP_ROOT_DN)
}, } currentUid = 10 rownb = 0 def getField(row, idx, fieldname): if row[idx] is '': raise Exception("Empty "+fieldname+" on row " + str(rownb)) return row[idx] for row in inputReader: employeeNumber = row[0] # user id uid = getField(row, 1, 'uid') # login userPassword = ldap_salted_sha1.encrypt(getField(row, 2, 'userPassword')) # password mail = getField(row, 3, 'mail') # email givenName = row[4] # first name sn = row[5] # second name o = row[6] # org / company title = row[7] # job situation telephoneNumber = row[8] # phone number currentGroups = getField(row, 9, 'groups').replace(' ', '').split(GROUP_SEPARATOR) for currentGroup in currentGroups: if not groups.has_key(currentGroup): groups[currentGroup] = {'users': [], 'id': currentUid} currentUid += 1 groups[currentGroup]['users'].append("uid="+uid+",ou=users," + LDAP_ROOT_DN) rownb += 1
def add_member(request): """Add kiberpipa memeber with all the stuff""" if not request.user.is_staff: return form = NewMemberForm(request.POST or None) if request.method == "POST" and form.is_valid(): # create ldap record password = ''.join(random.sample(string.letters + string.digits, 8)) password_hash = ldap_salted_sha1.encrypt(password) ldif_template = get_template('org/member_add.ldif').render(Context(dict( data=form.cleaned_data, password_hash=password_hash, ))) with tempfile.NamedTemporaryFile() as f: f.write(ldif_template.encode('utf-8')) f.flush() p = subprocess.Popen('sudo -u root ldapadd -D cn=admin,dc=kiberpipa,dc=org -f %s -w %s' % (f.name, settings.LDAP_PASSWORD), stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) stdout, stderr = p.communicate() if p.returncode != 0: raise Exception("Failed adding a member to opendalp.") # add him to pipa-org if form.cleaned_data['add_to_private_mailinglist']: mailman_list = List.objects.get(id=2) try: mailman_list.subscribe(form.cleaned_data['email']) except: pass # member is already subscribed # send email to new user html = get_template('mail/member_add_welcome_email.html').render( Context(dict( username=form.cleaned_data['username'], password=password, ))) send_mail(u'Dobrodošel/a v Kiberpipi!', html, settings.DEFAULT_FROM_EMAIL, [form.cleaned_data['email']]) # add a diary we added a member diary = Diary( log_formal=u"Dodal novega člana: %s (%s %s)" % (form.cleaned_data['username'], form.cleaned_data['firstname'], form.cleaned_data['surname']), author=request.user, length=datetime.time(1), # 1h task=Project.objects.get(id=2), ) diary.save() return render_to_response( 'org/member_add_success.html', {'email': form.cleaned_data['email']}, context_instance=RequestContext(request)) return render_to_response( 'org/member_add.html', {'form': form}, context_instance=RequestContext(request))
def main(roles, orgs): currentRoleUid = len(roles) + 1 currentOrgUid = len(orgs) + 1 rownb = 0 if os.path.isfile(USERS_FILE): inputUsersReader = csv.reader( open(USERS_FILE, 'r'), delimiter=CSV_DELIMITER, quotechar=CSV_QUOTECHAR) if HEADER: next(inputUsersReader) for row in inputUsersReader: employeeNumber = row[0].strip() # user id uid = getField(rownb, row[1].strip(), 'uid') # login userPassword = ldap_salted_sha1.encrypt( getField(rownb, row[2].strip(), 'userPassword')) # password mail = getField(rownb, row[3].strip(), 'mail') # email if not mail.strip(): uid + '@empty.com' givenName = row[4].strip() # first name sn = row[5].strip() # second name if not sn.strip(): sn = uid o = row[6].strip() # org / company title = row[7].strip() # job situation telephoneNumber = row[8].strip() # phone number postalAddress = row[9].strip() # address currentRoles = getField(rownb, row[11], 'roles').replace( ' ', '').split(ROLE_SEPARATOR) for currentRole in currentRoles: currentRole = currentRole.strip() if not currentRole in roles: roles[currentRole] = {'users': [], 'id': currentRoleUid} currentRoleUid += 1 roles[currentRole]['users'].append( "uid=" + uid + ",ou=users," + LDAP_ROOT_DN) currentOrg = getField(rownb, row[6].strip(), 'org') if not currentOrg in orgs: orgs[currentOrg] = {'users': [], 'id': currentOrgUid} currentOrgUid += 1 orgs[currentOrg]['users'].append( "uid=" + uid + ",ou=users," + LDAP_ROOT_DN) user = [ '# user, ' + uid, 'dn: uid=' + uid + ',ou=users,' + LDAP_ROOT_DN, 'objectClass: inetOrgPerson', 'objectClass: organizationalPerson', 'objectClass: person', 'objectClass: shadowAccount', 'objectClass: top', 'uid: ' + uid, 'userPassword: '******'sn: ' + sn, 'cn: ' + givenName + ' ' + sn, 'mail: ' + mail ] if employeeNumber.strip() is not '': user.append('employeeNumber: ' + employeeNumber) if givenName.strip() is not '': user.append('givenName: ' + givenName) if title.strip() is not '': user.append('title: ' + title) if telephoneNumber.strip() is not '': user.append('telephoneNumber: ' + telephoneNumber) if postalAddress.strip() is not '': user.append( 'postalAddress:: ' + base64.b64encode(postalAddress.encode('windows-1252')).decode('utf8')) print(EOL.join(user) + EOL) rownb += 1 for roleName, roleValues in roles.items(): if roleName: role = [ '# role, ' + roleName, 'dn: cn=' + roleName + ',ou=roles,' + LDAP_ROOT_DN, 'objectClass: groupOfMembers', 'objectClass: top', 'cn: ' + roleName ] # print(roleValues['users']) for member in roleValues['users']: role.append('member: ' + member) print(EOL.join(role) + EOL) if os.path.isfile(ORGS_FILE): inputOrgsReader = csv.reader( open(ORGS_FILE, 'r'), delimiter=CSV_DELIMITER, quotechar=CSV_QUOTECHAR) if HEADER: next(inputOrgsReader) for row in inputOrgsReader: ou = getField(rownb, row[1].strip(), 'ou') # ou (obj 2) o1 = ou.lower() # o (obj 1) o2 = getField(rownb, row[2].strip(), 'o2') # o (obj 2) businessCategory = row[3].strip() # businessCategory (obj 1) postalAddress = row[4].strip() # postalAddress (obj 1) description = row[5].strip() # description (obj 1) registered = row[6].strip() # businessCategory (obj 2) org1 = [ '# org, organization, ' + o1, 'dn: o=' + o1 + ', ou=orgs, ' + LDAP_ROOT_DN, 'objectClass: organization', 'objectClass: top', 'o: ' + o1, 'businessCategory: ' + businessCategory ] if postalAddress: org1.append('postalAddress:: ' + base64.b64encode(postalAddress.encode( 'windows-1252')).decode('utf8')) print(EOL.join(org1) + EOL) org2 = [ '# org, groupOfMembers, ' + o1, 'dn: cn=' + o1 + ', ou=orgs, ' + LDAP_ROOT_DN, 'objectClass: groupOfMembers', 'objectClass: top', 'cn: ' + o1, 'o: ' + o2, 'ou: ' + ou, 'seeAlso: o=' + o1 + ', ou=orgs, ' + LDAP_ROOT_DN ] if description: org2.append('description:: ' + base64.b64encode(description.encode( 'windows-1252')).decode('utf8')) if registered: org2.append('businessCategory: REGISTERED') for orgName, orgValues in orgs.items(): if orgName.lower() == o1: for member in orgValues['users']: org2.append('member: ' + member) print(EOL.join(org2) + EOL)