author | Markus Krogh <markus@nordu.net> | 2019-01-31 15:25:37 +0100 |
---|---|---|
committer | Markus Krogh <markus@nordu.net> | 2019-01-31 15:25:37 +0100 |
commit | 61dad730aa2846244481517417e52612686ce2f3 (patch) | |
tree | a87507f3f6d5d4443e7ec2c666d2e0264af47142 |
Initial commit
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | ldap-sasl.py | 78 | ||||
-rw-r--r-- | requirements.txt | 2 |
4 files changed, 85 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d2127d0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.ini
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c50c88e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# LDAP-sasl
+
+Script for checking that all users in a tree has a SASL password.
+If not it will change their current password to use SASL instead.
diff --git a/ldap-sasl.py b/ldap-sasl.py
new file mode 100644
index 0000000..031eb88
--- /dev/null
+++ b/ldap-sasl.py
@@ -0,0 +1,78 @@
+
+import argparse
+import os
+from ldap3 import Server, Connection, ALL, MODIFY_REPLACE
+from configparser import ConfigParser
+
+
+class Config(object):
+ def __init__(self):
+ args = cli()
+ config = ConfigParser()
+
+ if args.config:
+ config.read(args.config)
+
+ self._set_attr('server', args, config, 'ldap1.nordu.net')
+ self._set_attr('port', args, config, 636)
+ self._set_attr('user', None, config)
+ self._set_attr('password', None, config)
+ self.use_tls = not args.no_tls
+ self.dry_run = args.dry_run
+ self.verbose = args.verbose
+ self.force = args.force
+
+ def _set_attr(self, name, args, config, default=None):
+ value = default
+ env_name = 'LDAP_' + name.upper()
+ if args and getattr(args, name):
+ value = getattr(args, name)
+ elif env_name in os.environ:
+ value = os.environ[env_name]
+ elif config.has_option('LDAP', name):
+ value = config['LDAP'][name]
+ setattr(self, name, value)
+
+ def anonymous(self):
+ return not self.password or not self.user
+
+
+def cli():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('--config', '-C', help='Config file for ldap-sasl', default=None)
+ parser.add_argument('--server', '-s', help='Which ldaps server to use', default=None)
+ parser.add_argument('--port', '-p', help='Which ldap ldap port to use', type=int)
+ parser.add_argument('--no-tls', action='store_true', default=False, help='Disable tls connection, dont use this outside local machine testing')
+ parser.add_argument('--dry-run', action='store_true', default=False, help='Dont change anything')
+ parser.add_argument('--verbose', '-v', action='store_true', default=False, help='Print extra info')
+ parser.add_argument('--force', '-f', action='store_true', default=False, help='Dont stop on empty user password or missing rights')
+ return parser.parse_args()
+
+
+def main():
+ config = Config()
+
+ if config.anonymous():
+ print('Missing login credentials, either specify via environment or config file')
+ return
+ server = Server(config.server, port=int(config.port), use_ssl=config.use_tls, get_info=ALL)
+ conn = Connection(server, config.user, config.password, auto_bind=True)
+
+ conn.search('ou=people,dc=nordu,dc=net', '(uid=*)', attributes=['uid', 'userPassword'])
+
+ for user in conn.entries:
+ if not user.userPassword.value or not user.userPassword.value[:6] in ('{SASL}', b'{SASL}') :
+ print('[BAD]', user.uid, 'does not use SASL')
+ if not config.dry_run:
+ sasl_str = '{SASL}%s@NORDU.NET' % user.uid.value
+ if not conn.modify(user.entry_dn, {'userPassword': [(MODIFY_REPLACE, [sasl_str])]}):
+ print('[ERR]', 'Could not update password for', user.uid, 'got error:', conn.result['description'])
+ else:
+ if config.dry_run or config.verbose:
+ print('[OK]', user.uid, user.entry_dn)
+
+ conn.unbind()
+
+
+if __name__ == '__main__':
+ main()
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..0bd80f2
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+ldap3
+configparser
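Review bot: The bind in `conn = Connection(server, config.user, config.password, auto_bind=True)` sends a credential that is allowed to overwrite every userPassword under `ou=people`, yet `Server(...)` is built with `use_ssl=config.use_tls` and no `tls=` argument, so ldap3 falls back to its default `Tls()` object whose `validate` is `ssl.CERT_NONE` — the peer certificate is never checked, and an on-path attacker answering for `ldap1.nordu.net` can harvest that password and see every modification. Add `import ssl` and `Tls` to the existing `from ldap3 import ...` line, then build the server as `tls = Tls(validate=ssl.CERT_REQUIRED) if config.use_tls else None` and `server = Server(config.server, port=int(config.port), use_ssl=config.use_tls, tls=tls, get_info=ALL)` (pass `ca_certs_file=` to `Tls` if the directory uses a private CA). Separately, `self.force = args.force` is stored but `config.force` is never read in `main()`, so the `--force` help text ("Dont stop on empty user password or missing rights") promises behaviour the code does not implement — wire it up or drop the flag. The return value of `conn.search(...)` is also discarded; a failed search (wrong base DN, missing read rights) leaves `conn.entries` empty and the run prints nothing, which is indistinguishable from "every user already uses SASL", so check it and print `conn.result['description']` before entering the loop.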
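Review bot: Both entries are unpinned, so `pip install -r requirements.txt` installs whichever `ldap3` and `configparser` release is current on the day, for a tool that runs with an LDAP credential able to rewrite passwords; pin them (`ldap3==<tested version>`, ideally with `--hash=` lines) so a compromised or breaking release cannot land silently. Note also that `configparser` is a standard-library module on Python 3 and the PyPI package of that name is the Python 2 backport, so if the script targets Python 3 (the multi-argument `print(...)` calls in ldap-sasl.py suggest it does) the line is an unnecessary third-party dependency and can be removed.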