LILiK login and user managment web interface
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

190 lines
8.3 KiB

#!/bin/usr/env python3
import ldap3
import utils
import config
import time
def check_result(conn):
if conn.result['result'] != 0: #see https://www.ietf.org/rfc/rfc4511.txt 4.1.9
raise RuntimeError(str(conn.result))
def connection_decorator(f):
with ldap3.Connection(config.SERVER, auto_bind=True, client_strategy=ldap3.STRATEGY_SYNC_RESTARTABLE) as conn:
def wrapped_f(*args, **kwargs):
return f(args[0], conn, *args[1:], **kwargs)
return wrapped_f
def admin_connection_decorator(f):
with ldap3.Connection(config.SERVER, user=config.ADMIN_CN, password=config.ADMIN_PASSWORD, auto_bind=True, client_strategy=ldap3.STRATEGY_SYNC_RESTARTABLE) as conn:
def wrapped_f(*args, **kwargs):
return f(args[0], conn, *args[1:], **kwargs)
return wrapped_f
class LILiK_USER(object):
_attributes = ['cn']
_read_only_attributes = ['uid']
_flags = {'mail': 'accountActive'}
_hosts = ['ltsp',
'users']
_groups = ['admin',
'wiki',
'lilik.it',
'cloud',
'projects',
'teambox',
'im']
_posix_groups = ['users_sites']
def __init__(self, entry, posix_groups):
results = {}
for attribute in self._attributes + self._read_only_attributes:
self.__setattr__(attribute, str(entry.__getattr__(attribute)))
services = {}
for service, flag in self._flags.items():
services[service] = flag in entry and str(entry[flag]) == 'TRUE'
for host in self._hosts:
services[host] = 'host' in entry and host in entry['host']
for group in self._groups:
services[group] = 'memberOf' in entry and utils.ldap_path("cn=%s"%utils.clean_value(group), config.GROUP, config.DOMAIN) in list(entry['memberOf'])
for posix_group in self._posix_groups:
services[posix_group] = posix_group in posix_groups and str(entry.uid) in list(posix_groups[posix_group])
self.__setattr__('services', services)
def to_json(self):
return json.dumps(self, default=lambda o: o.__dict__,)
def to_dict(self):
return self.__dict__
@admin_connection_decorator
def update(self, conn, new_lilik_user):
user_cn = utils.ldap_path('uid=%s'%self.uid, config.PEOPLE, config.DOMAIN)
diff = utils.DictDiffer(new_lilik_user, self.__dict__)
modifiers = {user_cn: {}}
if 'userPassword' in diff.added():
modifiers[user_cn]['userPassword'] = [(ldap3.MODIFY_REPLACE, [new_lilik_user['userPassword']])] #TODO add hash encryption?
for changed in diff.changed():
if changed == 'services':
services_diff = utils.DictDiffer(self.__dict__[changed], new_lilik_user[changed])
for service_changed in services_diff.changed():
if service_changed in self._flags:
flag = self._flags[service_changed]
modifiers[user_cn][flag] = [(ldap3.MODIFY_REPLACE, [str(new_lilik_user['services'][service_changed]).upper()])]
elif service_changed in self._hosts:
action = ldap3.MODIFY_ADD if new_lilik_user['services'][service_changed] else ldap3.MODIFY_DELETE
modifiers[user_cn]['host'] = [(action, [service_changed])]
elif service_changed in self._groups:
group_cn = utils.ldap_path('cn=%s'%service_changed, config.GROUP, config.DOMAIN)
action = ldap3.MODIFY_ADD if new_lilik_user['services'][service_changed] else ldap3.MODIFY_DELETE
modifiers[group_cn] = {'member': [(action, [user_cn])]}
elif service_changed in self._posix_groups:
group_cn = utils.ldap_path('cn=%s'%service_changed, config.GROUP, config.DOMAIN)
action = ldap3.MODIFY_ADD if new_lilik_user['services'][service_changed] else ldap3.MODIFY_DELETE
modifiers[group_cn] = {'memberUid': [(action, [self.uid])]}
else:
raise NameError('Unknown user attribute: %s'%service_changed)
elif changed in self._attributes:
if changed == 'cn':
try:
firstname, surname = new_lilik_user[changed].strip().rsplit(' ', 1)
except ValueError:
firstname = new_lilik_user[changed].strip()
surname = " "
modifiers[user_cn]['sn'] = [(ldap3.MODIFY_REPLACE, [surname])]
modifiers[user_cn]['givenname'] = [(ldap3.MODIFY_REPLACE, [firstname])]
modifiers[user_cn][changed] = [(ldap3.MODIFY_REPLACE, [new_lilik_user[changed]])]
for entry_cn, modifier in modifiers.items():
if modifier:
print(entry_cn, modifier)
conn.modify(entry_cn, modifier)
check_result(conn)
print(conn.result)
if conn.result['result'] != 0:
return False
return True
class LILiK_LDAP(object):
def login(self, user_name, password):
bind_dn = utils.ldap_path('uid=%s'%utils.clean_user_name(user_name), config.PEOPLE, config.DOMAIN)
c = ldap3.Connection(config.SERVER, user=bind_dn, password=password)
return c.bind()
@admin_connection_decorator
def get_users(self, conn):
conn.search(utils.ldap_path(config.PEOPLE, config.DOMAIN), '(objectclass=posixAccount)', attributes=['uid'])
check_result(conn)
return [str(a.uid) for a in conn.entries]
@admin_connection_decorator
def get_user(self, conn, user_name):
conn.search(utils.ldap_path(config.PEOPLE, config.DOMAIN), '(&(objectclass=posixAccount)(uid=%s))'%utils.clean_user_name(user_name), attributes=['*', 'memberOf'])
check_result(conn)
if len(conn.entries) == 0:
raise IndexError("no user found for %s"%user_name)
entry = conn.entries[0]
return LILiK_USER(entry, self.get_posix_groups())
@connection_decorator
def get_max_uidnumber(self, conn):
conn.search(utils.ldap_path(config.PEOPLE, config.DOMAIN),
"(objectClass=posixAccount)",
attributes=['uidnumber'])
check_result(conn)
max = 0
for entry in conn.response:
max = int(entry['attributes']['uidnumber'][0]) if int(entry['attributes']['uidnumber'][0]) > max else max
return max
@admin_connection_decorator
def new_user(self, conn, user_dict):
username = utils.clean_user_name(user_dict['uid'])
user_dn = "uid=%s,o=People,dc=lilik,dc=it"%username
mail_dn = "mail=%s,vd=lilik.it,o=hosting,dc=lilik,dc=it"%username
# print("delete user")
# conn.delete(user_dn)
# print("delete mail")
# conn.delete(mail_dn)
print(" creating")
conn.add(user_dn,
['top', 'inetOrgPerson', 'VirtualMailAccount', 'posixAccount', 'shadowAccount'],
{'accountactive': "FALSE",
'cn': 'undefined',
'delete': "FALSE",
'gidnumber': 100,
'givenname': 'undefined',
'homedirectory': "/home/%s"%username,
'loginshell': '/bin/bash',
'mail': username,
'othertransport': 'phamm:',
'quota': 1024000,
'smtpauth': "FALSE",
'sn': 'undefined',
'uid': username,
'uidnumber': self.get_max_uidnumber() + 1,
'userpassword': '',
'vdhome': 'undefined',
'mailbox': 'undefined',
'lastChange': int(time.time())}
)
check_result(conn)
print(conn.result)
print("user created")
conn.add(mail_dn,
['alias', 'extensibleObject'],
{'aliasedobjectname': user_dn}
)
check_result(conn)
print(conn.result)
@connection_decorator
def get_posix_groups(self, conn):
conn.search(utils.ldap_path(config.GROUP, config.DOMAIN), '(objectclass=posixGroup)', attributes=['*'])
check_result(conn)
results = {}
for group in conn.entries:
results[str(group.cn)] = list(group.memberUid) if 'memberUid' in group else []
return results