def delete_group(self, group, group_type): write_json_log({ 'action': 'delete_group', 'group': group, 'group_type': group_type, 'message': 'Deleting group', 'log-type': 'information' }) group_cn = build_group_cn(group) group_dn = build_group_dn(group_cn, group_type, self.settings['base_group_ou_dn']) if delete_group(group_dn, self.tree_base, self.connection): write_json_log({ 'action': 'delete_group_success', 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Deleted group', 'log-type': 'information' }) else: write_json_error({ 'action': 'delete_group_fail', 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Failed to delete group', 'log-type': 'warning' })
def add_to_group(target_dn, group_dn, tree_base, connection): if not check_group_membership(target_dn, group_dn, tree_base, connection): add_member = form_add_member_action(target_dn) result = modify_object(group_dn, add_member, connection) if result: write_json_log({ 'action': 'add_to_group', 'target_dn': target_dn, 'group_dn': group_dn, 'tree_base': tree_base, 'message': 'Successfully set group membership.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'add_to_group_fail', 'target_dn': target_dn, 'group_dn': group_dn, 'tree_base': tree_base, 'message': 'Failed to set group membership.', 'log-type': 'error' }) return False return True
def set_password(dn, password, connection): write_json_log({ 'action': 'set_password', 'dn': dn, 'message': 'Reached set_password.', 'log-type': 'information' }) unicode_passwd = build_unicode_password(password) set_password_action = form_set_password_action(unicode_passwd) result = modify_object(dn, set_password_action, connection) if result: write_json_log({ 'action': 'set_password_success', 'dn': dn, 'message': 'Successfully set password.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'set_password_fail', 'dn': dn, 'message': 'Failed to set password', 'log-type': 'error' }) return False
def remove_from_group(target_dn, group_dn, tree_base, connection): if check_group_membership(target_dn, group_dn, tree_base, connection): del_member = form_del_member_action(target_dn) result = modify_object(group_dn, del_member, connection) if result: write_json_log({ 'action': 'remove_from_group', 'target_dn': target_dn, 'group_dn': group_dn, 'tree_base': tree_base, 'message': 'Successfully removed group membership.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'remove_from_group_fail', 'target_dn': target_dn, 'group_dn': group_dn, 'tree_base': tree_base, 'message': 'Failed to terminate group membership.', 'log-type': 'error' }) return False return True
def perform_search(ldap_filter, base_dn, connection, attributes): try: results = connection.search_s( str(base_dn).strip(' \t\n\r'), ldap.SCOPE_SUBTREE, ldap_filter, attributes) if not results[0][0]: return False else: write_json_log({ 'action': 'perform_search', 'ldap_filter': ldap_filter, 'base_dn': base_dn, 'attributes': attributes, 'message': 'Successfully performed LDAP search.', 'log-type': 'information' }) return results except ldap.LDAPError, error_message: write_json_error({ 'action': 'perform_search_fail', 'ldap_filter': ldap_filter, 'base_dn': base_dn, 'attributes': attributes, 'message': 'LDAP Search error.', 'error_message': str(error_message), 'log-type': 'error' }) return False
def create_group(cn, dn, display_name, tree_base, connection): verify_parent_ou_exists(dn, tree_base, connection) group_object = form_group(cn, dn, display_name) result = create_object(dn, group_object, connection) if result: write_json_log({ 'action': 'create_group', 'cn': cn, 'dn': dn, 'display_name': display_name, 'tree_base': tree_base, 'message': 'Creating group.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'create_group_fail', 'cn': cn, 'dn': dn, 'display_name': display_name, 'tree_base': tree_base, 'message': 'Failed to create group', 'log-type': 'error' }) return False
def restore_group(self, group, group_type): write_json_log({ 'action': 'restore_group', 'group': group, 'group_type': group_type, 'message': 'Restoring group', 'log-type': 'information' }) group_cn = build_group_cn(group) group_dn = build_group_dn(group_cn, group_type, self.settings['base_group_ou_dn']) if create_group(group_cn, group_dn, group['label'], self.tree_base, self.connection): write_json_log({ 'action': 'restore_group_success', 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Restored group', 'log-type': 'information' }) else: write_json_error({ 'action': 'restore_group_fail', 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Failed to restore group', 'log-type': 'warning' })
def add_group_to_group(self, target_group, target_group_type, des_group, des_group_type): write_json_log({ 'action': 'add_group_to_group', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Adding group to group', 'log-type': 'information' }) # Build the DNs target_group_dn = build_group_dn(build_group_cn(target_group), target_group_type, self.settings['base_group_ou_dn']) des_group_dn = build_group_dn(build_group_cn(des_group), des_group_type, self.settings['base_group_ou_dn']) # Check to see if the groups exist target_result = get_group(target_group_dn, self.tree_base, self.connection) des_result = get_group(des_group_dn, self.tree_base, self.connection) # If they do not exists create them if not target_result: self.create_group(target_group, target_group_type) if not des_result: self.create_group(des_group, des_group_type) # Add the target to the destination group if add_to_group(target_group_dn, des_group_dn, self.tree_base, self.connection): write_json_log({ 'action': 'add_group_to_group_success', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Added group to group', 'log-type': 'information' }) else: write_json_error({ 'action': 'add_group_to_group_fail', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Failed to add group to group', 'log-type': 'warning' })
def delete_group(dn, tree_base, connection): group_exists = get_group(dn, tree_base, connection) if group_exists: result = delete_object(dn, connection) if not result: return False write_json_log({ 'action': 'delete_group', 'dn': dn, 'tree_base': tree_base, 'message': 'Deleted group.', 'log-type': 'information' }) return True
def check_group_membership(target_dn, group_dn, tree_base, connection): ldap_filter = '(&(distinguishedName=' + target_dn + ')(memberof=' + group_dn + '))' result = perform_search(ldap_filter, tree_base, connection, ['objectGUID']) if result: write_json_log({ 'action': 'check_group_membership', 'target_dn': target_dn, 'group_dn': group_dn, 'tree_base': tree_base, 'message': 'Successfully checked group membership.', 'log-type': 'information' }) return True else: return False
def delete_object(dn, connection): try: write_json_log({ 'action': 'delete_object', 'object': dn, 'message': 'Deleting object.', 'log-type': 'information' }) return connection.delete_s(dn) except ldap.LDAPError, error_message: write_json_error({ 'action': 'delete_object_fail', 'object': dn, 'message': 'Failed to delete object', 'error_message': str(error_message), 'log-type': 'error' }) return False
def disable_account(dn, connection): disable_account_action = form_set_account_control_action('514') result = modify_object(dn, disable_account_action, connection) if result: write_json_log({ 'action': 'disable_account', 'dn': dn, 'message': 'Successfully disabled account.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'disable_account_fail', 'dn': dn, 'message': 'Failed to disable account', 'log-type': 'error' }) return False
def connect(bind_user, bind_pass, hosts): write_json_log({ 'action': 'connect_ldap', 'bind_user': bind_user, 'hosts': hosts, 'message': 'Connecting to LDAP', 'log-type': 'information' }) connection = False for host in hosts: try: ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, 0) ldap.set_option(ldap.OPT_REFERRALS, 0) ldap.protocol_version = ldap.VERSION3 connection = ldap.initialize('ldaps://' + host + ':636') connection.simple_bind_s(bind_user, bind_pass) if connection: write_json_log({ 'action': 'connect_ldap_success', 'bind_user': bind_user, 'hosts': hosts, 'host': host, 'message': 'Successfully connected to LDAP host: ' + host, 'log-type': 'information' }) return connection except ldap.LDAPError, error_message: write_json_error({ 'action': 'connect_ldap_error', 'bind_user': bind_user, 'hosts': hosts, 'host': host, 'error_message': str(error_message), 'message': 'Error connecting to LDAP server: ' + host, 'log-type': 'error' })
def create_object(dn, formed_object, connection): try: write_json_log({ 'action': 'create_object', 'formed_object': formed_object, 'object': dn, 'message': 'Creating object.', 'log-type': 'information' }) return connection.add_s(dn, modlist.addModlist(formed_object)) except ldap.LDAPError, error_message: write_json_error({ 'action': 'create_object_fail', 'formed_object': formed_object, 'object': dn, 'message': 'Failed to create object', 'error_message': str(error_message), 'log-type': 'error' }) return False
def modify_object(dn, action, connection): try: write_json_log({ 'action': 'modify_object', 'formed_action': action, 'object': dn, 'message': 'Modifying object.', 'log-type': 'information' }) return connection.modify_s(dn, action) except ldap.LDAPError, error_message: write_json_error({ 'action': 'modify_object_fail', 'formed_action': action, 'object': dn, 'message': 'Failed to modify object', 'error_message': str(error_message), 'log-type': 'error' }) return False
def create_ou(cn, dn, connection): ou_object = form_ou(cn, dn) result = create_object(dn, ou_object, connection) if result: write_json_log({ 'action': 'create_ou', 'cn': cn, 'dn': dn, 'message': 'Creating OU.', 'log-type': 'information' }) return result else: write_json_error({ 'action': 'create_ou_fail', 'cn': cn, 'dn': dn, 'message': 'Failed to create ou', 'log-type': 'error' }) return False
def change_account_password(self, account): write_json_log({ 'action': 'change_account_password', 'account': account, 'message': 'Changing account password: '******'username'] + ' - ' + account['identifier'], 'log-type': 'information' }) result = get_user_by_identifier(account['identifier'], self.tree_base, self.connection) if result: account_dn = result[0][0] if set_password(account_dn, account['password'], self.connection): write_json_log({ 'action': 'change_account_password_success', 'account': account, 'message': 'Changing account password: '******'username'] + ' - ' + account['identifier'], 'log-type': 'information' }) else: write_json_error({ 'action': 'change_account_password_fail', 'account': account, 'message': 'Failed to change account password: '******'username'] + ' - ' + account['identifier'], 'log-type': 'warning' })
def disable_account(self, account): write_json_log({ 'action': 'disable_account', 'account': account, 'message': 'Disable account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) result = get_user_by_identifier(account['identifier'], self.tree_base, self.connection) if result: account_dn = result[0][0] if disable_account(account_dn, self.connection): write_json_log({ 'action': 'disable_account_success', 'account': account, 'message': 'Disabled account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) else: write_json_error({ 'action': 'disable_account_fail', 'account': account, 'message': 'Failed to disable account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'warning' })
def rename_object(current_dn, new_cn, new_ou, connection): try: write_json_log({ 'action': 'rename_object', 'current_dn': current_dn, 'new_cn': new_cn, 'new_ou': new_ou, 'message': 'Renaming object.', 'log-type': 'information' }) return connection.rename_s(current_dn, 'CN=' + new_cn, new_ou) except ldap.LDAPError, error_message: write_json_error({ 'action': 'rename_object_fail', 'current_dn': current_dn, 'new_cn': new_cn, 'new_ou': new_ou, 'message': 'Failed to rename object', 'error_message': str(error_message), 'log-type': 'error' }) return False
def restore_account(self, account): write_json_log({ 'action': 'restore_account', 'account': account, 'message': 'Restoring account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) if create_or_modify_account(account, self.connection, self.tree_base, self.settings): write_json_log({ 'action': 'restore_account_success', 'account': account, 'message': 'Restored account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) self.enable_account(account) else: write_json_error({ 'action': 'restore_account_fail', 'account': account, 'message': 'Failed to restore account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'warning' })
def remove_group_from_group(self, target_group, target_group_type, des_group, des_group_type): write_json_log({ 'action': 'remove_group_from_group', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Removing group from group', 'log-type': 'information' }) target_group_dn = build_group_dn(build_group_cn(target_group), target_group_type, self.settings['base_group_ou_dn']) des_group_dn = build_group_dn(build_group_cn(des_group), des_group_type, self.settings['base_group_ou_dn']) if remove_from_group(target_group_dn, des_group_dn, self.tree_base, self.connection): write_json_log({ 'action': 'remove_group_from_group_success', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Removed group from group', 'log-type': 'information' }) else: write_json_error({ 'action': 'remove_group_from_group_fail', 'target_group': target_group, 'target_group_type': target_group_type, 'des_group': des_group, 'des_group_type': des_group_type, 'message': 'Failed to remove group from group', 'log-type': 'warning' })
def delete_account(self, account): write_json_log({ 'action': 'delete_account', 'account': account, 'message': 'Deleting/Disabling account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) if delete_or_disable_account(account, self.connection, self.settings): write_json_log({ 'action': 'delete_account_success', 'account': account, 'message': 'Deleted/Disabled account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'information' }) else: write_json_error({ 'action': 'delete_account_fail', 'account': account, 'message': 'Failed to delete/disable account: ' + account['username'] + ' - ' + account['identifier'], 'log-type': 'warning' })
}) return connection except ldap.LDAPError, error_message: write_json_error({ 'action': 'connect_ldap_error', 'bind_user': bind_user, 'hosts': hosts, 'host': host, 'error_message': str(error_message), 'message': 'Error connecting to LDAP server: ' + host, 'log-type': 'error' }) write_json_log({ 'action': 'connect_ldap_success', 'bind_user': bind_user, 'hosts': hosts, 'message': 'Successfully connected to LDAP.', 'log-type': 'information' }) return connection def build_duty_ou_dn(name, base_account_ou): return 'OU=' + ldap.dn.escape_dn_chars(name) + ',' + base_account_ou def build_trash_ou_dn(base_account_ou): return 'OU=Trash,' + base_account_ou def build_group_cn(group):
def remove_account_from_group(self, account, group, group_type): write_json_log({ 'action': 'remove_account_from_group', 'account': account, 'group': group, 'group_type': group_type, 'message': 'Removing account from group', 'log-type': 'information' }) result = get_user_by_identifier(account['identifier'], self.tree_base, self.connection) if result: account_dn = result[0][0] group_cn = build_group_cn(group) group_dn = build_group_dn(group_cn, group_type, self.settings['base_group_ou_dn']) group_result = get_group(group_dn, self.tree_base, self.connection) if not group_result: self.create_group(group, group_type) if remove_from_group(account_dn, group_dn, self.tree_base, self.connection): write_json_log({ 'action': 'remove_account_from_group_success', 'account': account, 'account_dn': account_dn, 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Removed account from group: ' + account['username'] + ' - ' + account['identifier'] + ' ---- ' + group_cn, 'log-type': 'information' }) else: write_json_error({ 'action': 'remove_account_from_group_fail', 'account': account, 'account_dn': account_dn, 'group': group, 'group_type': group_type, 'group_cn': group_cn, 'group_dn': group_dn, 'message': 'Failed to remove account from group: ' + account['username'] + ' - ' + account['identifier'] + ' --!! ' + group_cn, 'log-type': 'warning' })