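def query_user(conn, obj_user, user, group, tempList):
    """Look up one LDAP account and append a normalised record to ``tempList['ldapUsers']``.

    Args:
        conn: ldap3 connection handed to ``Reader``.
        obj_user: ldap3 ``ObjectDef`` describing the user entry.
        user: Reader query selecting the account; passed straight to ``Reader``.
        group: distinguished name of the group the user was found in.  Stored
            verbatim as ``ldapGroupDN``; the value of its leading ``CN=`` RDN
            is stored as ``ldapGroupCN``.
        tempList: dict holding an ``'ldapUsers'`` list; mutated in place.

    Returns:
        None.  Any failure (no entry found, missing attribute, connection
        error) is printed rather than raised, keeping the original
        best-effort behaviour for callers that loop over many users.
    """
    try:
        reader = Reader(conn, obj_user, user)
        # An empty result raises IndexError here and is reported below.
        entry = reader.search_subtree()[0]
        ldapUserPN = str(entry['userPrincipalName']).lower()
        email = str(entry['mail']).lower()
        ldapUserDisplayName = str(entry['displayName'])

        # Split the UPN once instead of re-splitting per field.  Without an
        # '@' both halves fall back to the whole string, as before.
        pn_parts = ldapUserPN.split('@')
        ldapUserNoDomain = pn_parts[0]
        short_domain = pn_parts[-1].split('.')[0]
        ldapUsername = f'{short_domain}\\{ldapUserNoDomain}'

        # The leading RDN is "CN=<name>".  str.strip('CN=') removed any run of
        # the characters C, N and = from *both* ends (e.g. 'CN=DOMAIN' ->
        # 'DOMAI'); drop exactly the 'CN=' prefix instead, case-insensitively
        # because LDAP attribute types are case-insensitive.
        first_rdn = group.split(',')[0]
        ldapGroupCN = first_rdn[3:] if first_rdn[:3].upper() == 'CN=' else first_rdn

        tempList['ldapUsers'].append({
            'ldapUsername': ldapUsername,
            'ldapUserPN': ldapUserPN,
            'ldapUserNoDomain': ldapUserNoDomain,
            'ldapUserDisplayName': ldapUserDisplayName,
            'email': email,
            'ldapGroupDN': group,
            'ldapGroupCN': ldapGroupCN,
        })
        print(f'Adding {email} to tempList')
    except Exception as e:
        # Best-effort: report and carry on so one bad entry does not abort
        # the caller's loop.
        print(f'Error with user: {user}')
        print(str(e))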
# Walkthrough of the ldap3 Reader/Writer cursors.  conn, obj_person,
# obj_inetorgperson, Reader, Writer and ObjectDef come from outside this
# fragment; note that obj_person is used on the next line before it is
# re-bound further down.
r = Reader(conn, obj_person, 'cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org', 'uid:=admin')
print(r)
r.search()
print(r[0])
# Rebuild the object definition from three object classes and search again
# from the domain root.
obj_person = ObjectDef(['person', 'posixaccount', 'krbprincipalaux'], conn)
print(obj_person)
r = Reader(conn, obj_person, 'dc=demo1,dc=freeipa,dc=org', 'uid:=admin')
r.search()
print(r[0])
# Attribute access on an entry: raw (wire) values versus the converted value.
print(r[0].krblastpwdchange.raw_values)
print(r[0].krbloginfailedcount.value)
print(r[0].krbloginfailedcount.raw_values)
# Same cursor, different search scopes — presumably one level below the base
# versus the whole subtree (see the ldap3 Reader docs); the entry counts are
# printed for comparison.
r.search_level()
print(r)
print(len(r))
r.search_subtree()
print(len(r))
# Turn a Reader into a Writer and stage changes to the multi-valued 'sn'
# attribute: += adds a value, -= removes one.
r = Reader(conn, obj_inetorgperson, 'ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org')
r.search()
w = Writer.from_cursor(r)
print(w)
print(w[0])
w[0].sn += 'Smyth'
w[0].sn += 'Johnson'
w[0].sn -= 'Young'
print(w[0].entry_changes)
print(w[0])
# discard() drops the staged changes; a list adds several values at once.
# NOTE(review): no commit() appears in this fragment, so presumably nothing
# is written to the server here unless the caller commits later.
w[0].sn.discard()
w[0].sn += ['Smith', 'Johnson']
w[0].sn -= 'Young'
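def authenticate(self, request, ticket, service):
    """Verify a CAS ticket, then enrich and gate the resulting user against AD.

    Ticket validation is delegated to the parent backend.  When it yields a
    user, the matching AD account is read by ``userPrincipalName``, the
    configured ``ADGroup`` rows the user belongs to (directly or through any
    nested subgroup) are mirrored into ``user.ad_groups``, and the Django
    flags and profile fields are refreshed from the directory.

    Args:
        request: current HTTP request; forwarded to the parent backend and
            attached to log records.
        ticket: CAS service ticket to validate.
        service: CAS service URL the ticket was issued for.

    Returns:
        The user returned by the parent backend, or ``None`` when the ticket
        does not validate.

    Raises:
        PermissionDenied: the user is in none of the configured ``ADGroup``
            rows, or ``settings.RESTRICT_LOGIN_TO_DEVELOPERS`` is set and the
            user is not in the developer group.
    """
    user = super(CASLDAPBackend, self).authenticate(request, ticket, service)

    # Populate user attributes
    if user:
        try:
            server = Server(settings.LDAP_GROUPS_SERVER_URI)
            connection = Connection(
                server=server,
                auto_bind=True,
                user=settings.LDAP_GROUPS_BIND_DN,
                password=settings.LDAP_GROUPS_BIND_PASSWORD,
                raise_exceptions=True)
            connection.start_tls()

            account_def = ObjectDef('user')
            for attr_name in ('userPrincipalName', 'displayName', 'givenName', 'sn', 'mail'):
                account_def += AttrDef(attr_name)

            # NOTE(review): this is ldap3's simplified query syntax with the
            # CAS-supplied username substituted in; confirm the Reader escapes
            # filter metacharacters in the value, otherwise pre-escape it the
            # way the raw filters below do with escape_query().
            account_reader = Reader(
                connection=connection,
                object_def=account_def,
                query="userPrincipalName: {principal_name}".format(
                    principal_name=user.username),
                base=settings.LDAP_GROUPS_BASE_DN)
            account_reader.search_subtree()
            # No matching account -> IndexError, handled below like any other
            # lookup failure.
            user_info = account_reader.entries[0]
        except Exception as msg:
            # NOTE(review): as reconstructed from the collapsed source, a
            # failed lookup is logged and the method still reaches
            # ``return user`` below, i.e. the user is returned without the
            # group gate of the ``else`` branch.  If the original kept
            # ``return user`` inside ``else``, a failure yields None (deny)
            # instead.  Confirm which is intended before relying on it.
            logger.exception(msg, exc_info=True, extra={'request': request})
        else:
            principal_name = str(user_info["userPrincipalName"])
            username = principal_name.split("@")[0]
            developer_group_dn = 'CN=UH-RN-DevTeam,OU=Technology,OU=UH,OU=Manual,OU=Groups,DC=ad,DC=calpoly,DC=edu'

            # Raw LDAP filter: escape the substituted value, as AD_get_children
            # already does for the parent DN, so filter metacharacters in a
            # principal name cannot change the query.
            user_group_objects = Reader(
                connection=connection,
                object_def=account_def,
                query='(&(member=CN={username},OU=People,OU=Enterprise,OU=Accounts,DC=ad,DC=calpoly,DC=edu)(objectClass=group))'.format(
                    username=escape_query(username)),
                base=settings.LDAP_GROUPS_BASE_DN).search()
            # A set: membership is tested once per configured group and once
            # per discovered subgroup.
            user_groups = {group.entry_dn for group in user_group_objects}

            def AD_get_children(connection, parent):
                """Return the DNs of the groups whose memberOf is ``parent``."""
                connection.search(
                    settings.LDAP_GROUPS_BASE_DN,
                    "(&(objectCategory=group)(memberOf={group_name}))".format(
                        group_name=escape_query(parent)))
                return [child.entry_dn for child in connection.entries]

            def get_descendants(connection, parent):
                """Return every transitive subgroup DN of ``parent`` in discovery order.

                Depth-first walk with an explicit stack; ``visited`` stops
                cycles and ``seen`` keeps the result duplicate-free without
                the quadratic ``in`` test on the result list.
                """
                descendants = []
                seen = set()
                visited = set()
                stack = [parent]
                while stack:
                    node = stack.pop()
                    if node in visited:
                        continue
                    for child in AD_get_children(connection, node):
                        if child not in seen:
                            seen.add(child)
                            descendants.append(child)
                            stack.append(child)
                    visited.add(node)
                return descendants

            # New Code should use the ad_groups property of the user to enforce permissions
            user.ad_groups.clear()
            for group_id, group_dn in ADGroup.objects.all().values_list('id', 'distinguished_name'):
                if group_dn in user_groups:
                    user.ad_groups.add(group_id)
                elif any(child in user_groups for child in get_descendants(connection, group_dn)):
                    # Membership via a nested subgroup counts as membership.
                    # This walks the whole subgroup tree of every configured
                    # group on each login.
                    user.ad_groups.add(group_id)

            if not user.ad_groups.exists():
                raise PermissionDenied('User %s is not in any of the allowed groups.' % principal_name)

            # Test the cheap setting first so the extra query only runs when
            # the restriction is enabled.
            if settings.RESTRICT_LOGIN_TO_DEVELOPERS and not user.ad_groups.all().filter(
                    distinguished_name=developer_group_dn).exists():
                raise PermissionDenied('Only developers can access the site on this server. Please use the primary site.')

            def get_group_members(group):
                """Return the userPrincipalNames of ``group``'s tree members, cached for 60 s.

                Spaces in the DN are replaced in the cache key.  An invalid DN
                is logged and yields an empty, uncached list.
                """
                cache_key = 'group_members::' + group.replace(" ", "_")
                group_members = cache.get(cache_key)
                if group_members is None:
                    try:
                        tree_members = LDAPADGroup(group).get_tree_members()
                    except InvalidGroupDN:
                        logger.exception('Could not retrieve group members for DN: ' + group,
                                         exc_info=True, extra={'request': request})
                        return []
                    group_members = [member["userPrincipalName"] for member in tree_members]
                    cache.set(cache_key, group_members, 60)
                return group_members

            # Django Flags: developer-group membership drives staff/superuser.
            is_developer = principal_name in get_group_members(developer_group_dn)
            user.is_developer = is_developer
            user.is_staff = is_developer
            user.is_superuser = is_developer
            user.full_name = user_info["displayName"]
            user.first_name = user_info["givenName"]
            user.last_name = user_info["sn"]
            user.email = user_info["mail"]
            user.save()
    return user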
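def authenticate(self, ticket, service, request):
    """Verify a CAS ticket, then enrich and gate the resulting user against AD.

    Ticket validation is delegated to the parent backend.  When it yields a
    user, the matching AD account is read by ``userPrincipalName``, every
    configured ``ADGroup`` is checked (in parallel, one thread per group) for
    the user in its member tree, matches are mirrored into
    ``user.ad_groups``, and the Django flags and profile fields are refreshed
    from the directory.

    Args:
        ticket: CAS service ticket to validate.
        service: CAS service URL the ticket was issued for.
        request: current HTTP request; forwarded to the parent backend and
            attached to log records.

    Returns:
        The user returned by the parent backend, or ``None`` when the ticket
        does not validate.

    Raises:
        PermissionDenied: the user is in none of the configured ``ADGroup``
            rows, or ``settings.RESTRICT_LOGIN_TO_DEVELOPERS`` is set and the
            user is not in the developer group.
    """
    user = super(CASLDAPBackend, self).authenticate(ticket, service, request)

    # Populate user attributes
    if user:
        try:
            server = Server(settings.LDAP_GROUPS_SERVER_URI)
            connection = Connection(
                server=server,
                auto_bind=True,
                user=settings.LDAP_GROUPS_BIND_DN,
                password=settings.LDAP_GROUPS_BIND_PASSWORD,
                raise_exceptions=True)
            connection.start_tls()

            account_def = ObjectDef('user')
            for attr_name in ('userPrincipalName', 'displayName', 'givenName', 'sn', 'mail'):
                account_def.add(AttrDef(attr_name))

            # NOTE(review): ldap3's simplified query syntax with the
            # CAS-supplied username substituted in; confirm the Reader escapes
            # filter metacharacters in the value.
            account_reader = Reader(
                connection=connection,
                object_def=account_def,
                query="userPrincipalName: {principal_name}".format(
                    principal_name=user.username),
                base=settings.LDAP_GROUPS_BASE_DN)
            account_reader.search_subtree()
            # No matching account -> IndexError, handled below like any other
            # lookup failure.
            user_info = account_reader.entries[0]
        except Exception as msg:
            # NOTE(review): as reconstructed from the collapsed source, a
            # failed lookup is logged and the method still reaches
            # ``return user`` below, i.e. the user is returned without the
            # group gate of the ``else`` branch.  If the original kept
            # ``return user`` inside ``else``, a failure yields None (deny)
            # instead.  Confirm which is intended before relying on it.
            logger.exception(msg, exc_info=True, extra={'request': request})
        else:
            principal_name = str(user_info["userPrincipalName"])
            developer_group_dn = 'CN=UH-RN-DevTeam,OU=Technology,OU=UH,OU=Manual,OU=Groups,DC=ad,DC=calpoly,DC=edu'

            def get_group_members(group):
                """Return the userPrincipalNames of ``group``'s tree members, cached for 60 s.

                An invalid DN is logged and yields an empty, uncached list.
                """
                # Spaces are replaced so the key is usable with cache backends
                # that reject whitespace, matching the other authenticate()
                # variant in this file.
                cache_key = 'group_members::' + group.replace(" ", "_")
                group_members = cache.get(cache_key)
                if group_members is None:
                    try:
                        tree_members = LDAPADGroup(group).get_tree_members()
                    except InvalidGroupDN:
                        logger.exception('Could not retrieve group members for DN: ' + group,
                                         exc_info=True, extra={'request': request})
                        return []
                    group_members = [member["userPrincipalName"] for member in tree_members]
                    cache.set(cache_key, group_members, 60)
                return group_members

            def check_group_for_user(group):
                """Add ``group`` to user.ad_groups when the user is in its member tree.

                Runs on a pool thread.
                NOTE(review): the M2M add therefore happens off the request
                thread; confirm that is acceptable under the caller's
                transaction handling.
                """
                if principal_name in get_group_members(group.distinguished_name):
                    user.ad_groups.add(group)

            # New Code should use the ad_groups property of the user to enforce permissions
            user.ad_groups.clear()
            groups = list(ADGroup.objects.all())
            # max_workers must be positive: sizing the pool by the group count
            # made ThreadPoolExecutor raise ValueError when no ADGroup rows
            # exist.
            with ThreadPoolExecutor(max_workers=max(1, len(groups))) as pool:
                futures = [pool.submit(check_group_for_user, group) for group in groups]
            # Leaving the with-block waits for every future, so they are all
            # done here.  Surface worker failures: with pool.map() the results
            # were never consumed, so any exception other than InvalidGroupDN
            # vanished silently and the user just ended up with no groups.
            for future in futures:
                error = future.exception()
                if error is not None:
                    logger.error('Group membership check failed', exc_info=error,
                                 extra={'request': request})

            if not user.ad_groups.exists():
                raise PermissionDenied('User %s is not in any of the allowed groups.' % principal_name)

            # Test the cheap setting first so the extra query only runs when
            # the restriction is enabled.
            if settings.RESTRICT_LOGIN_TO_DEVELOPERS and not user.ad_groups.all().filter(
                    distinguished_name=developer_group_dn).exists():
                raise PermissionDenied('Only developers can access the site on this server. Please use the primary site.')

            # Django Flags: developer-group membership drives staff/superuser.
            is_developer = principal_name in get_group_members(developer_group_dn)
            user.is_developer = is_developer
            user.is_staff = is_developer
            user.is_superuser = is_developer
            user.full_name = user_info["displayName"]
            user.first_name = user_info["givenName"]
            user.last_name = user_info["sn"]
            user.email = user_info["mail"]
            user.save()
    return user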
'uid:=admin') print(r) r.search() print(r[0]) obj_person = ObjectDef(['person', 'posixaccount', 'krbprincipalaux'], conn) print(obj_person) r = Reader(conn, obj_person, 'dc=demo1,dc=freeipa,dc=org', 'uid:=admin') r.search() print(r[0]) print(r[0].krblastpwdchange.raw_values) print(r[0].krbloginfailedcount.value) print(r[0].krbloginfailedcount.raw_values) r.search_level() print(r) print(len(r)) r.search_subtree() print(len(r)) r = Reader(conn, obj_inetorgperson, 'ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org') r.search() w = Writer.from_cursor(r) print(w) print(w[0]) w[0].sn += 'Smyth' w[0].sn += 'Johnson' w[0].sn -= 'Young' print(w[0].entry_changes) print(w[0]) w[0].sn.discard() w[0].sn += ['Smith', 'Johnson']