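def query_user(conn, obj_user, user, group, tempList):
    """Look one user up in LDAP and append a normalised record to tempList['ldapUsers'].

    Args:
        conn: bound ldap3 Connection to search with.
        obj_user: ldap3 ObjectDef describing the user entries.
        user: query string handed straight to ldap3's Reader (its simplified
            query syntax, e.g. ``'sAMAccountName: jdoe'``).  It is NOT escaped
            here; if it can carry untrusted input the caller must escape it
            first (TODO confirm the caller does).
        group: distinguished name of the group the user was listed in.  Stored
            verbatim as ``ldapGroupDN``; its leading RDN minus the ``CN=``
            attribute type is stored as ``ldapGroupCN``.
        tempList: dict whose ``'ldapUsers'`` list receives the record
            (mutated in place).

    Returns:
        None.  Any failure (no match, missing attribute, LDAP error) is printed
        and swallowed so a batch caller keeps going with the next user.
    """
    try:
        reader = Reader(conn, obj_user, user)
        entries = reader.search_subtree()
        if not entries:
            # Report the miss explicitly instead of letting IndexError fall
            # through to the generic handler below.
            print(f'Error with user: {user}')
            print('no LDAP entry matched the query')
            return
        entry = entries[0]

        upn = str(entry['userPrincipalName']).lower()
        email = str(entry['mail']).lower()
        display_name = str(entry['displayName'])

        # "jdoe@corp.example.com" -> local part "jdoe" and the first label of
        # the UPN suffix ("corp") used as the DOMAIN\user prefix.
        local_part = upn.split('@')[0]
        domain_label = upn.split('@')[-1].split('.')[0]

        # Remove only the "CN=" attribute type from the leading RDN.  The old
        # ``.strip('CN=')`` stripped any leading/trailing 'C', 'N' or '='
        # characters from the name itself ("CN=NetOps" -> "etOps").
        first_rdn = group.split(',')[0]
        group_cn = first_rdn[3:] if first_rdn[:3].upper() == 'CN=' else first_rdn

        tempList['ldapUsers'].append({
            'ldapUsername': f'{domain_label}\\{local_part}',
            'ldapUserPN': upn,
            'ldapUserNoDomain': local_part,
            'ldapUserDisplayName': display_name,
            'email': email,
            'ldapGroupDN': group,
            'ldapGroupCN': group_cn,
        })
        print(f'Adding {email} to tempList')
    except Exception as e:
        print(f'Error with user: {user}')
        print(str(e))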
# Interactive walkthrough of ldap3's abstraction layer (Reader/Writer cursors)
# against the FreeIPA demo directory (dc=demo1,dc=freeipa,dc=org).  `conn`,
# `obj_inetorgperson` and the first `obj_person` are created earlier, outside
# this excerpt.
r = Reader(conn, obj_person, 'cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org', 'uid:=admin')
print(r)
r.search()  # runs the query and fills the cursor with the matching entries
print(r[0])
# Rebuild the ObjectDef with the Kerberos auxiliary class so the krb*
# attributes become readable through the cursor.
obj_person = ObjectDef(['person', 'posixaccount', 'krbprincipalaux'], conn)
print(obj_person)
r = Reader(conn, obj_person, 'dc=demo1,dc=freeipa,dc=org', 'uid:=admin')
r.search()
print(r[0])
# Kerberos password-change timestamp and failed-login counter; .raw_values is
# the list of undecoded byte strings, .value the decoded attribute value.
print(r[0].krblastpwdchange.raw_values)
print(r[0].krbloginfailedcount.value)
print(r[0].krbloginfailedcount.raw_values)
r.search_level()  # same query, one-level scope
print(r)
print(len(r))
r.search_subtree()  # same query, subtree scope
print(len(r))

r = Reader(conn, obj_inetorgperson, 'ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org')
r.search()
# A Writer cursor built from the Reader's entries.  The attribute edits below
# are staged on the entry (inspect them with entry_changes); no commit call
# appears in this excerpt, so presumably nothing shown here is written to the
# server.
w = Writer.from_cursor(r)
print(w)
print(w[0])
w[0].sn += 'Smyth'     # stage: add value
w[0].sn += 'Johnson'   # stage: add value
w[0].sn -= 'Young'     # stage: delete value
print(w[0].entry_changes)
print(w[0])
w[0].sn.discard()      # drop the staged changes for this attribute
w[0].sn += ['Smith', 'Johnson']
w[0].sn -= 'Young'
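    def authenticate(self, request, ticket, service):
        """Verify the CAS ticket, then populate the user from Active Directory.

        Ticket validation is delegated to the parent backend.  For a valid
        ticket this method binds to the groups directory with the service
        account from ``settings`` and:

        * looks the account up by ``userPrincipalName`` (``user.username``)
          and copies displayName / givenName / sn / mail onto the user;
        * rebuilds ``user.ad_groups`` from the configured ``ADGroup`` rows,
          counting both direct membership and membership in any group nested
          (at any depth) under a configured group;
        * derives ``is_developer`` / ``is_staff`` / ``is_superuser`` from
          membership of the UH-RN-DevTeam group.

        Args:
            request: the current request; only used as log context.
            ticket: the CAS service ticket to validate.
            service: the CAS service URL the ticket was issued for.

        Returns:
            The populated and saved user, or the parent's result (``None``)
            when the ticket did not validate.

        Raises:
            PermissionDenied: if the directory lookup fails (treated as a
                denial so a directory error cannot leave the user logged in
                with the group flags from an earlier login), if the user is
                in none of the allowed groups, or if
                ``RESTRICT_LOGIN_TO_DEVELOPERS`` is set and the user is not
                a developer.
        """
        user = super(CASLDAPBackend, self).authenticate(request, ticket, service)
        if not user:
            return user

        dev_team_dn = ('CN=UH-RN-DevTeam,OU=Technology,OU=UH,OU=Manual,'
                       'OU=Groups,DC=ad,DC=calpoly,DC=edu')

        connection = None
        try:
            try:
                server = Server(settings.LDAP_GROUPS_SERVER_URI)
                # Open, upgrade to TLS and only then bind: with auto_bind=True
                # the service-account password was sent before start_tls().
                connection = Connection(
                    server=server,
                    auto_bind=False,
                    user=settings.LDAP_GROUPS_BIND_DN,
                    password=settings.LDAP_GROUPS_BIND_PASSWORD,
                    raise_exceptions=True)
                connection.open()
                connection.start_tls()
                if not connection.bind():
                    raise RuntimeError('LDAP bind failed: %s' % (connection.result,))

                account_def = ObjectDef('user')
                for attr_name in ('userPrincipalName', 'displayName',
                                  'givenName', 'sn', 'mail'):
                    account_def += AttrDef(attr_name)

                # A standard LDAP filter with the value escaped (escape_query is
                # the helper the nested-group search below already relies on),
                # so filter metacharacters in the username cannot widen the
                # search the way they could in ldap3's simplified query syntax.
                account_reader = Reader(
                    connection=connection,
                    object_def=account_def,
                    query='(userPrincipalName={principal_name})'.format(
                        principal_name=escape_query(user.username)),
                    base=settings.LDAP_GROUPS_BASE_DN)
                account_reader.search_subtree()

                user_info = account_reader.entries[0]
            except Exception as msg:
                logger.exception(msg,
                                 exc_info=True,
                                 extra={'request': request})
                # Fail closed: without a fresh lookup the group-derived
                # permissions cannot be rebuilt, so do not let the login
                # through on whatever ad_groups/flags were saved last time.
                raise PermissionDenied(
                    'Could not look up %s in the directory.' % user.username)

            principal_name = str(user_info["userPrincipalName"])
            username = principal_name.split("@")[0]

            # Groups the account is a direct member of.  The member DN is
            # built from the UPN's local part (assumes the account CN equals
            # it -- unchanged from the original lookup).
            direct_groups = Reader(
                connection=connection,
                object_def=account_def,
                query=
                '(&(member=CN={username},OU=People,OU=Enterprise,OU=Accounts,DC=ad,DC=calpoly,DC=edu)(objectClass=group))'
                .format(username=escape_query(username)),
                base=settings.LDAP_GROUPS_BASE_DN).search()
            user_groups = {group.entry_dn for group in direct_groups}

            def ad_child_groups(parent_dn):
                """Return the DNs of the groups that are direct members of parent_dn."""
                connection.search(
                    settings.LDAP_GROUPS_BASE_DN,
                    "(&(objectCategory=group)(memberOf={group_name}))".
                    format(group_name=escape_query(parent_dn)))
                return [child.entry_dn for child in connection.entries]

            def descendant_groups(root_dn):
                """Return every group nested under root_dn at any depth (cycle-safe)."""
                descendants = set()
                seen = set()
                pending = [root_dn]
                while pending:
                    node = pending.pop()
                    if node in seen:
                        continue
                    seen.add(node)
                    for child in ad_child_groups(node):
                        if child not in descendants:
                            descendants.add(child)
                            pending.append(child)
                return descendants

            # New code should use the ad_groups property of the user to
            # enforce permissions.
            user.ad_groups.clear()
            for group_id, group_dn in ADGroup.objects.all().values_list(
                    'id', 'distinguished_name'):
                if group_dn in user_groups or any(
                        child in user_groups
                        for child in descendant_groups(group_dn)):
                    user.ad_groups.add(group_id)

            if not user.ad_groups.exists():
                raise PermissionDenied(
                    'User %s is not in any of the allowed groups.' %
                    principal_name)

            if (settings.RESTRICT_LOGIN_TO_DEVELOPERS and not user.ad_groups.all()
                    .filter(distinguished_name=dev_team_dn).exists()):
                raise PermissionDenied(
                    'Only developers can access the site on this server. Please use the primary site.'
                )

            def get_group_members(group):
                """Return the UPNs of a group's (nested) members, cached for 60 s."""
                # Spaces are not valid in every cache backend's keys.
                cache_key = 'group_members::' + group.replace(" ", "_")
                group_members = cache.get(cache_key)

                if group_members is None:
                    try:
                        group_members = LDAPADGroup(group).get_tree_members()
                    except InvalidGroupDN:
                        logger.exception(
                            'Could not retrieve group members for DN: ' + group,
                            exc_info=True,
                            extra={'request': request})
                        return []

                    group_members = [
                        member["userPrincipalName"] for member in group_members
                    ]
                    cache.set(cache_key, group_members, 60)

                return group_members

            # Django flags: developers are staff and superusers.
            developer_list = get_group_members(dev_team_dn)
            is_developer = principal_name in developer_list
            user.is_developer = is_developer
            user.is_staff = is_developer
            user.is_superuser = is_developer

            user.full_name = user_info["displayName"]
            user.first_name = user_info["givenName"]
            user.last_name = user_info["sn"]
            user.email = user_info["mail"]

            user.save()
        finally:
            # Release the directory connection whether or not the login was
            # allowed; the original left it open for the garbage collector.
            if connection is not None:
                try:
                    connection.unbind()
                except Exception:
                    logger.warning('LDAP unbind failed',
                                   exc_info=True,
                                   extra={'request': request})

        return user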
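    def authenticate(self, ticket, service, request):
        """Verify the CAS ticket, then populate the user from Active Directory.

        Ticket validation is delegated to the parent backend.  For a valid
        ticket this method binds to the groups directory with the service
        account from ``settings``, looks the account up by
        ``userPrincipalName`` (``user.username``), copies displayName /
        givenName / sn / mail onto the user, rebuilds ``user.ad_groups``
        from the configured ``ADGroup`` rows (via each group's cached
        member list) and derives ``is_developer`` / ``is_staff`` /
        ``is_superuser`` from membership of the UH-RN-DevTeam group.

        Args:
            ticket: the CAS service ticket to validate.
            service: the CAS service URL the ticket was issued for.
            request: the current request; only used as log context.

        Returns:
            The populated and saved user, or the parent's result (``None``)
            when the ticket did not validate.

        Raises:
            PermissionDenied: if the directory lookup fails (treated as a
                denial so a directory error cannot leave the user logged in
                with the group flags from an earlier login), if the user is
                in none of the allowed groups, or if
                ``RESTRICT_LOGIN_TO_DEVELOPERS`` is set and the user is not
                a developer.
            Exception: any error raised while resolving a group's members
                (other than ``InvalidGroupDN``, which is logged and treated
                as an empty group) propagates; previously it was discarded
                because the ``Executor.map`` iterator was never consumed.
        """
        user = super(CASLDAPBackend, self).authenticate(ticket, service, request)
        if not user:
            return user

        dev_team_dn = ('CN=UH-RN-DevTeam,OU=Technology,OU=UH,OU=Manual,'
                       'OU=Groups,DC=ad,DC=calpoly,DC=edu')

        def escape_filter_value(value):
            """RFC 4515 escaping for a value embedded in an LDAP search filter."""
            return ''.join(
                '\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

        connection = None
        try:
            try:
                server = Server(settings.LDAP_GROUPS_SERVER_URI)
                # Open, upgrade to TLS and only then bind: with auto_bind=True
                # the service-account password was sent before start_tls().
                connection = Connection(
                    server=server,
                    auto_bind=False,
                    user=settings.LDAP_GROUPS_BIND_DN,
                    password=settings.LDAP_GROUPS_BIND_PASSWORD,
                    raise_exceptions=True)
                connection.open()
                connection.start_tls()
                if not connection.bind():
                    raise RuntimeError('LDAP bind failed: %s' % (connection.result,))

                account_def = ObjectDef('user')
                for attr_name in ('userPrincipalName', 'displayName',
                                  'givenName', 'sn', 'mail'):
                    account_def.add(AttrDef(attr_name))

                # A standard LDAP filter with the value escaped, so filter
                # metacharacters in the username cannot widen the search the
                # way they could in ldap3's simplified query syntax.
                account_reader = Reader(
                    connection=connection,
                    object_def=account_def,
                    query='(userPrincipalName={principal_name})'.format(
                        principal_name=escape_filter_value(user.username)),
                    base=settings.LDAP_GROUPS_BASE_DN)
                account_reader.search_subtree()

                user_info = account_reader.entries[0]
            except Exception as msg:
                logger.exception(msg,
                                 exc_info=True,
                                 extra={'request': request})
                # Fail closed: without a fresh lookup the group-derived
                # permissions cannot be rebuilt, so do not let the login
                # through on whatever ad_groups/flags were saved last time.
                raise PermissionDenied(
                    'Could not look up %s in the directory.' % user.username)
        finally:
            # The connection is only needed for the account lookup; group
            # membership below goes through LDAPADGroup and the cache.
            if connection is not None:
                try:
                    connection.unbind()
                except Exception:
                    logger.warning('LDAP unbind failed',
                                   exc_info=True,
                                   extra={'request': request})

        principal_name = str(user_info["userPrincipalName"])

        def get_group_members(group):
            """Return the UPNs of a group's (nested) members, cached for 60 s."""
            cache_key = 'group_members::' + group
            group_members = cache.get(cache_key)

            if group_members is None:
                try:
                    group_members = LDAPADGroup(group).get_tree_members()
                except InvalidGroupDN:
                    logger.exception(
                        'Could not retrieve group members for DN: ' + group,
                        exc_info=True,
                        extra={'request': request})
                    return []

                group_members = [
                    member["userPrincipalName"] for member in group_members
                ]
                cache.set(cache_key, group_members, 60)

            return group_members

        def is_member(group):
            """True if the authenticated principal is listed in the group's members."""
            return principal_name in get_group_members(group.distinguished_name)

        # New code should use the ad_groups property of the user to enforce
        # permissions.
        user.ad_groups.clear()
        groups = list(ADGroup.objects.all())
        if groups:
            # Only the directory/cache lookups run in worker threads; the ORM
            # writes stay on the request thread (Django DB connections are
            # per thread).  list() drains the map so worker exceptions are
            # raised here instead of being dropped.  ThreadPoolExecutor
            # rejects max_workers=0, hence the guard on an empty group list.
            with ThreadPoolExecutor(max_workers=len(groups)) as pool:
                membership = list(pool.map(is_member, groups))
            for group, member in zip(groups, membership):
                if member:
                    user.ad_groups.add(group)

        if not user.ad_groups.exists():
            raise PermissionDenied(
                'User %s is not in any of the allowed groups.' %
                principal_name)

        if (settings.RESTRICT_LOGIN_TO_DEVELOPERS and not user.ad_groups.all()
                .filter(distinguished_name=dev_team_dn).exists()):
            raise PermissionDenied(
                'Only developers can access the site on this server. Please use the primary site.'
            )

        # Django flags: developers are staff and superusers.
        developer_list = get_group_members(dev_team_dn)
        is_developer = principal_name in developer_list
        user.is_developer = is_developer
        user.is_staff = is_developer
        user.is_superuser = is_developer

        user.full_name = user_info["displayName"]
        user.first_name = user_info["givenName"]
        user.last_name = user_info["sn"]
        user.email = user_info["mail"]

        user.save()

        return user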
           'uid:=admin')
# Interactive walkthrough of ldap3's abstraction layer (Reader/Writer cursors)
# against the FreeIPA demo directory (dc=demo1,dc=freeipa,dc=org).  `conn`,
# `obj_inetorgperson` and the Reader `r` printed first are created earlier,
# outside this excerpt.
print(r)
r.search()  # runs the query and fills the cursor with the matching entries
print(r[0])
# Rebuild the ObjectDef with the Kerberos auxiliary class so the krb*
# attributes become readable through the cursor.
obj_person = ObjectDef(['person', 'posixaccount', 'krbprincipalaux'], conn)
print(obj_person)
r = Reader(conn, obj_person, 'dc=demo1,dc=freeipa,dc=org', 'uid:=admin')
r.search()
print(r[0])
# Kerberos password-change timestamp and failed-login counter; .raw_values is
# the list of undecoded byte strings, .value the decoded attribute value.
print(r[0].krblastpwdchange.raw_values)
print(r[0].krbloginfailedcount.value)
print(r[0].krbloginfailedcount.raw_values)
r.search_level()  # same query, one-level scope
print(r)
print(len(r))
r.search_subtree()  # same query, subtree scope
print(len(r))

r = Reader(conn, obj_inetorgperson,
           'ou=ldap3-tutorial,dc=demo1,dc=freeipa,dc=org')
r.search()
# A Writer cursor built from the Reader's entries.  The attribute edits below
# are staged on the entry (inspect them with entry_changes); no commit call
# appears in this excerpt, so presumably nothing shown here is written to the
# server.
w = Writer.from_cursor(r)
print(w)
print(w[0])
w[0].sn += 'Smyth'     # stage: add value
w[0].sn += 'Johnson'   # stage: add value
w[0].sn -= 'Young'     # stage: delete value
print(w[0].entry_changes)
print(w[0])
w[0].sn.discard()      # drop the staged changes for this attribute
w[0].sn += ['Smith', 'Johnson']