def __init__(self, uri, dn, password, storage=None, filterstr=None, **kwargs):
    """
    Build the client: choose the state backend, connect to ``uri`` and
    perform a simple bind as ``dn`` with ``password``.

    With ``storage`` given, ``data``, ``uuid_dn`` and ``dn_attrs`` are
    shelve files named ``storage``, ``storage + 'uuid_dn'`` and
    ``storage + 'dn_attrs'``; without it they are plain dicts.  In both
    cases ``data['cookie']`` is reset to ``None`` and ``using_shelve``
    records which backend is in use (``unbind_s`` relies on it).
    ``filterstr`` is only stored here.  Extra ``kwargs`` go to
    ``SimpleLDAPObject.__init__``.
    """
    persistent = storage is not None
    if persistent:
        self.data = shelve.open(storage)
        self.uuid_dn = shelve.open(storage + 'uuid_dn')
        self.dn_attrs = shelve.open(storage + 'dn_attrs')
    else:
        self.data, self.uuid_dn, self.dn_attrs = {}, {}, {}
    self.using_shelve = persistent
    # Always start without a cookie, even when the shelf already held one.
    self.data['cookie'] = None
    self.present = []
    self.refresh_done = False
    self.filterstr = filterstr
    SimpleLDAPObject.__init__(self, uri, **kwargs)
    self.simple_bind_s(dn, password)
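def ldap_delete_recursive(self, ldap_conn: SimpleLDAPObject, base_dn: str):
    """Delete every entry below ``base_dn``, deepest entries first.

    LDAP refuses to delete an entry that still has children, so each
    direct child is cleared recursively before it is deleted itself.
    Note that ``SCOPE_ONELEVEL`` never returns ``base_dn``, so the root
    entry itself is left in place by this method.

    Args:
        ldap_conn: bound connection the searches and deletes run on; the
            same connection is passed down the recursion (the previous
            version recursed with ``self.ldap_conn`` instead of the
            parameter it was given).
        base_dn: DN whose subtree is to be emptied.

    Raises:
        ldap.LDAPError: propagated from ``search_s`` / ``delete_s``.
    """
    children = ldap_conn.search_s(base_dn, ldap.SCOPE_ONELEVEL)
    for child_dn, _attrs in children:
        # Guard kept from the original: never recurse on the root itself.
        if child_dn != base_dn:
            self.ldap_delete_recursive(ldap_conn, child_dn)
        ldap_conn.delete_s(child_dn)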
def unbind_s(self):
    """
    Unbind from the server; when the instance was created with persistent
    ``storage`` (``self.using_shelve`` is True) the three shelves are
    closed first so their contents are flushed to disk.
    """
    if self.using_shelve is True:
        for shelf in (self.data, self.uuid_dn, self.dn_attrs):
            shelf.close()
    SimpleLDAPObject.unbind_s(self)
def ldap_authenticate(ldap_conn: SimpleLDAPObject, user_dn: str, password: str): """Validates/binds the provided dn/password with the LDAP sever.""" try: LOG.debug(f"LDAP bind TRY with username: '******'") ldap_conn.simple_bind_s(who=user_dn, cred=password) LOG.debug(f"LDAP bind SUCCESS with username: '******'") return True except ldap.INVALID_CREDENTIALS: return False
def __delete_dn(self, ldap_conn: SimpleLDAPObject, dn: str): """Delete given DN from ldap.""" try: ldap_conn.delete_s(dn) except ldap.NO_SUCH_OBJECT: pass except Exception as e: self.logger.error(f'Failed to delete DN: {dn}\n') raise e
def __delete_dn(ldap_conn: SimpleLDAPObject, dn: str): """Delete given DN from ldap.""" try: ldap_conn.delete_s(dn) except ldap.NO_SUCH_OBJECT: pass except Exception as e: sys.stderr.write(f'Failed to delete DN: {dn}\n') raise e
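def __delete_access_key(ldap_conn: SimpleLDAPObject, userid: str):
    """Delete the access key entry of the given s3 user id, if it has one.

    The key is looked up with ``LdapAccountAction.__get_accesskey``; when
    that returns ``None`` nothing is deleted (the previous version then
    issued a delete for ``ak=None,...``).  A key entry that vanished in
    the meantime is ignored; any other failure is reported on stderr and
    re-raised.
    """
    try:
        access_key = LdapAccountAction.__get_accesskey(ldap_conn, userid)
        if access_key is None:
            return
        # The key becomes an RDN value: escape DN metacharacters so it
        # cannot alter which entry the DN names.
        rdn_value = ldap.dn.escape_dn_chars(access_key)
        ldap_conn.delete_s(f'ak={rdn_value},ou=accesskeys,dc=s3,dc=seagate,dc=com')
    except ldap.NO_SUCH_OBJECT:
        pass
    except Exception:
        sys.stderr.write(f'failed to delete access key of userid: {userid}\n')
        raise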
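def __is_account_present(ldap_conn: SimpleLDAPObject, account_name: str):
    """Return True if an account entry ``o=<account_name>`` exists in LDAP.

    ``NO_SUCH_OBJECT`` from the search means "absent" and yields False;
    any other failure is reported on stderr and re-raised.
    """
    try:
        # account_name is interpolated into a DN: escape it so characters
        # such as ',' '+' '=' cannot reach beyond the ``o=`` RDN.
        account_dn = (f"o={ldap.dn.escape_dn_chars(account_name)},"
                      "ou=accounts,dc=s3,dc=seagate,dc=com")
        ldap_conn.search_s(account_dn, ldap.SCOPE_SUBTREE)
    except ldap.NO_SUCH_OBJECT:
        return False
    except Exception as e:
        sys.stderr.write(f'INFO: Failed to find ldap account: {account_name}, error: {str(e)}\n')
        raise
    return True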
def create_user(con: SimpleLDAPObject, dn: str, password: str): username = (dn.split(',')[0]).split('=')[1] ldap_obj = (( ('objectClass', [b'account', b'simpleSecurityObject']), ('uid', username.encode()), ('userPassword', password.encode()), )) try: con.add_s(dn, ldap_obj) except ldap.ALREADY_EXISTS: pass
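def __delete_access_key(self, ldap_conn: SimpleLDAPObject, userid: str):
    """Delete the access key entry of the given s3 user id, if it has one.

    The key is looked up with ``self.__get_accesskey``; when that returns
    ``None`` nothing is deleted (the previous version then issued a delete
    for ``ak=None,...``).  A key entry that vanished in the meantime is
    ignored; any other failure is logged and re-raised.
    """
    try:
        access_key = self.__get_accesskey(ldap_conn, userid)
        if access_key is None:
            return
        # The key becomes an RDN value: escape DN metacharacters so it
        # cannot alter which entry the DN names.
        rdn_value = ldap.dn.escape_dn_chars(access_key)
        ldap_conn.delete_s(
            f'ak={rdn_value},ou=accesskeys,dc=s3,dc=seagate,dc=com')
    except ldap.NO_SUCH_OBJECT:
        pass
    except Exception:
        self.logger.error(
            f'failed to delete access key of userid: {userid}')
        raise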
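def __get_accesskey(ldap_conn: SimpleLDAPObject, s3userid: str) -> str:
    """Return the access key (``ak``) of ``s3userid``, or ``None`` if absent.

    All ``accessKey`` entries under ``ou=accesskeys,...`` are fetched and
    matched client-side on the first ``s3UserId`` value; the first exact
    match wins.  Entries lacking ``s3UserId`` or ``ak`` are skipped
    instead of raising ``KeyError``.  Only the two attributes actually
    used are requested from the server.
    """
    from ldap import SCOPE_SUBTREE
    result_list = ldap_conn.search_s(
        'ou=accesskeys,dc=s3,dc=seagate,dc=com',
        SCOPE_SUBTREE,
        filterstr='(ObjectClass=accessKey)',
        attrlist=['s3UserId', 'ak'],
    )
    for _dn, attr_dict in result_list:
        user_ids = attr_dict.get('s3UserId') or []
        keys = attr_dict.get('ak') or []
        if not user_ids or not keys:
            continue
        if s3userid == user_ids[0].decode():
            return keys[0].decode()
    return None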
def search_user_by_dn(
    ldap_conn: SimpleLDAPObject,
    user_dn: str = None,
    attrs: Optional[List[str]] = None,
    apply_filter: bool = False,
) -> Optional[Tuple[str, Dict]]:
    """Search the subtree rooted at ``user_dn`` and return the sanitized result.

    Args:
        ldap_conn: bound connection to search on.
        user_dn: base DN of the search.
        attrs: attributes to request, or None for all.
        apply_filter: use ``_get_ldap_filter()`` instead of ``(objectClass=*)``.

    Returns:
        ``_sanitize_ldap_search_results`` applied to the raw result, or
        None when ``user_dn`` does not exist (``ldap.NO_SUCH_OBJECT``).
    """
    try:
        if apply_filter:
            filter_str = _get_ldap_filter()
        else:
            filter_str = "(objectClass=*)"
        raw_entries = ldap_conn.search_s(
            base=user_dn,
            scope=ldap.SCOPE_SUBTREE,
            filterstr=filter_str,
            attrlist=attrs,
        )
    except ldap.NO_SUCH_OBJECT:
        return None
    return _sanitize_ldap_search_results(raw_entries)
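def search_user_by_uid(
    ldap_conn: SimpleLDAPObject,
    uid: str = None,
    attrs: Optional[List[str]] = None,
    apply_filter: bool = False,
) -> Optional[Tuple[str, Dict]]:
    """Search ``QuerybookSettings.LDAP_SEARCH`` for the entry whose
    ``LDAP_UID_FIELD`` equals ``uid``.

    Args:
        ldap_conn: bound connection to search on.
        uid: value to match; ``None`` is treated as "no user" and yields None.
        attrs: attributes to request, or None for all.
        apply_filter: AND ``_get_ldap_filter()`` into the search filter.

    Returns:
        ``_sanitize_ldap_search_results`` applied to the raw result, or
        None when ``uid`` is None or the search base does not exist
        (``ldap.NO_SUCH_OBJECT``).
    """
    # Local import so the module-level imports stay untouched; ldap.filter
    # implements RFC 4515 escaping.
    from ldap.filter import escape_filter_chars

    if uid is None:
        return None
    # uid is caller-supplied and interpolated into the filter: escape it so
    # '*', '(', ')', '\' and NUL cannot change the filter's structure.
    extra_filter = _get_ldap_filter() if apply_filter else "(objectClass=*)"
    search_filter = (
        f"(&({QuerybookSettings.LDAP_UID_FIELD}={escape_filter_chars(uid)})"
        f"{extra_filter})"
    )
    try:
        raw_search_result = ldap_conn.search_s(
            base=QuerybookSettings.LDAP_SEARCH,
            scope=ldap.SCOPE_SUBTREE,
            filterstr=search_filter,
            attrlist=attrs,
        )
    except ldap.NO_SUCH_OBJECT:
        return None
    return _sanitize_ldap_search_results(raw_search_result)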
# Python 2 test script: create userb, owned by usera, then let usera reset
# userb's password through an ACI and verify userb can bind with it.
print "create userb"
dn = "uid=userb,ou=people," + basedn
userbdn = dn
ent = Entry(dn)
ent.setValues('objectclass', ['inetOrgPerson', 'myAuxOc'])
ent.setValues('cn', 'User B')
ent.setValues('sn', 'B')
ent.setValues('givenName', 'User')
userbpw = 'userb'   # fixture password; replaced below
ent.setValues('userPassword', userbpw)
ent.setValues('owner', useradn)   # the ACI below keys on this attribute
srv.add_s(ent)
print "create aci to allow usera to set password in userb"
# Grants write on userPassword only, to a bind DN equal to the target
# entry's 'owner' value (userattr="owner#USERDN").
aci = '(targetattr="userPassword")(version 3.0; acl "Owners can set passwords"; allow(write) userattr="owner#USERDN";)'
mod = [(ldap.MOD_REPLACE, 'aci', aci)]
# NOTE(review): MOD_REPLACE on 'aci' at basedn replaces every existing aci
# value on the suffix entry, not just adds this one -- fine for a throwaway
# test instance, not for a shared one.
srv.modify_s(basedn, mod)
print "bind as usera"
# Plain ldap:// simple bind to the test instance on host1:port1.
aconn = SimpleLDAPObject('ldap://%s:%d' % (host1, port1))
aconn.simple_bind_s(useradn, userapw)
print "user a will modify user b userPassword"
userbpw = 'anewpassword'
mod = [(ldap.MOD_REPLACE, 'userPassword', userbpw)]
aconn.modify_s(userbdn, mod)
print "userb will attempt to bind with new password"
# A successful bind here shows the owner-based password write took effect.
bconn = SimpleLDAPObject('ldap://%s:%d' % (host1, port1))
bconn.simple_bind_s(userbdn, userbpw)
def delete_user(con: SimpleLDAPObject, dn: str): con.delete_s(dn)
def __init__(self, uri):
    """Create the connection object for ``uri``.

    Only ``SimpleLDAPObject.__init__`` runs here -- no bind is performed,
    so the connection is anonymous until the caller binds.
    """
    # Init the ldap connection
    SimpleLDAPObject.__init__(self, uri)
import tempfile
from ldap.ldapobject import SimpleLDAPObject
import pprint

# Python 2 test harness: stand up a local directory-server instance and
# check it answers over its ldapi socket. (os, ldap, ldapurl and DSAdmin
# are used below but not imported in this excerpt -- presumably earlier
# in the file.)
host1 = "localhost.localdomain"
port1 = 1110
basedn = 'dc=example,dc=com'
# Unix socket path, relative to $PREFIX when set.
ldapifilepath = os.environ.get('PREFIX', "") + "/var/run/slapd-srv.socket"
# USE_GDB is exported only for the duration of createInstance.
os.environ['USE_GDB'] = "1"
srv = DSAdmin.createInstance({
    'newrootpw': 'password',   # fixture-only root password; reused for the bind below
    'newhost': host1,
    'newport': port1,
    'newinst': 'srv',
    'newsuffix': basedn,
    'no_admin': True,
    'ldapifilepath': ldapifilepath
})
del os.environ['USE_GDB']
# Connect over ldapi (local socket) rather than TCP and bind as the
# directory manager with the root password configured above.
ldapiurl = ldapurl.LDAPUrl(None, "ldapi", ldapifilepath)
conn = SimpleLDAPObject(ldapiurl.initializeUrl())
print "connecting to", ldapiurl.initializeUrl()
conn.simple_bind_s("cn=directory manager", "password")
# Base search on the empty DN returns the root DSE.
ents = conn.search_s("", ldap.SCOPE_BASE)
pprint.pprint(ents)
from dsadmin import DSAdmin, Entry
from ldap.ldapobject import SimpleLDAPObject
import pprint

# Python 2 test harness: stand up a local directory-server instance and
# check it answers over its ldapi socket. (os, ldap and ldapurl are used
# below but not imported in this excerpt -- presumably earlier in the
# file.)
host1 = "localhost.localdomain"
port1 = 1110
basedn = 'dc=example,dc=com'
# Unix socket path, relative to $PREFIX when set.
ldapifilepath = os.environ.get('PREFIX', "") + "/var/run/slapd-srv.socket"
# USE_GDB is exported only for the duration of createInstance.
os.environ['USE_GDB'] = "1"
srv = DSAdmin.createInstance({
    'newrootpw': 'password',   # fixture-only root password; reused for the bind below
    'newhost': host1,
    'newport': port1,
    'newinst': 'srv',
    'newsuffix': basedn,
    'no_admin': True,
    'ldapifilepath': ldapifilepath
})
del os.environ['USE_GDB']
# Connect over ldapi (local socket) rather than TCP and bind as the
# directory manager with the root password configured above.
ldapiurl = ldapurl.LDAPUrl(None, "ldapi", ldapifilepath)
conn = SimpleLDAPObject(ldapiurl.initializeUrl())
print "connecting to", ldapiurl.initializeUrl()
conn.simple_bind_s("cn=directory manager", "password")
# Base search on the empty DN returns the root DSE.
ents = conn.search_s("", ldap.SCOPE_BASE)
pprint.pprint(ents)
def cancel(self):
    """
    A simple wrapper to call parent class with syncrepl search ID.

    Cancels the operation identified by ``self.search_id`` through
    ``SimpleLDAPObject.cancel``; ``search_id`` must already be set
    (presumably by the method that started the syncrepl search).
    """
    SimpleLDAPObject.cancel(self, self.search_id)
(ldap.MOD_REPLACE, 'altstateattrname', 'createTimestamp'), (ldap.MOD_REPLACE, 'specattrname', 'acctPolicySubentry'), (ldap.MOD_REPLACE, 'limitattrname', 'accountInactivityLimit')] srv.modify_s('cn=config,cn=Account Policy Plugin,cn=plugins,cn=config', mod) print "restart server for changes to take effect" srv.stop() srv.start() print "find scarter" ents = srv.search_s(basedn, ldap.SCOPE_SUBTREE, 'uid=scarter', ['lastLoginTime', 'createTimestamp']) userdn = ents[0].dn pprint.pprint(ents[0]) print "bind as", userdn conn = SimpleLDAPObject('ldap://%s:%d' % (host1, port1)) try: conn.simple_bind_s(userdn, 'sprain') except ldap.CONSTRAINT_VIOLATION: print "user is prevented from logging in after", inactivetime, "seconds of inactivity" ents = srv.search_s(basedn, ldap.SCOPE_SUBTREE, 'uid=scarter', ['lastLoginTime', 'createTimestamp']) print "lastLoginTime:", ents[0].lastLoginTime print "sleep for a while . . ." time.sleep(inactivetime) print "bind as", userdn, "again - see if there is any account policy" conn = SimpleLDAPObject('ldap://%s:%d' % (host1, port1)) try: conn.simple_bind_s(userdn, 'sprain') except ldap.CONSTRAINT_VIOLATION: print "user is prevented from logging in after", inactivetime, "seconds of inactivity"