authorMarkus Krogh <markus@nordu.net>2019-01-31 15:25:37 +0100
committerMarkus Krogh <markus@nordu.net>2019-01-31 15:25:37 +0100
commit61dad730aa2846244481517417e52612686ce2f3 (patch)
treea87507f3f6d5d4443e7ec2c666d2e0264af47142
Initial commit
-rw-r--r--.gitignore1
-rw-r--r--README.md4
-rw-r--r--ldap-sasl.py78
-rw-r--r--requirements.txt2
4 files changed, 85 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..d2127d0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.ini
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c50c88e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,4 @@
+# LDAP-sasl
+
+Script for checking that all users in a tree has a SASL password.
+If not it will change their current password to use SASL instead.
diff --git a/ldap-sasl.py b/ldap-sasl.py
new file mode 100644
index 0000000..031eb88
--- /dev/null
+++ b/ldap-sasl.py
@@ -0,0 +1,78 @@
+
+import argparse
+import os
+from ldap3 import Server, Connection, ALL, MODIFY_REPLACE
+from configparser import ConfigParser
+
+
+class Config(object):
+ def __init__(self):
+ args = cli()
+ config = ConfigParser()
+
+ if args.config:
+ config.read(args.config)
+
+ self._set_attr('server', args, config, 'ldap1.nordu.net')
+ self._set_attr('port', args, config, 636)
+ self._set_attr('user', None, config)
+ self._set_attr('password', None, config)
+ self.use_tls = not args.no_tls
+ self.dry_run = args.dry_run
+ self.verbose = args.verbose
+ self.force = args.force
+
+ def _set_attr(self, name, args, config, default=None):
+ value = default
+ env_name = 'LDAP_' + name.upper()
+ if args and getattr(args, name):
+ value = getattr(args, name)
+ elif env_name in os.environ:
+ value = os.environ[env_name]
+ elif config.has_option('LDAP', name):
+ value = config['LDAP'][name]
+ setattr(self, name, value)
+
+ def anonymous(self):
+ return not self.password or not self.user
+
+
+def cli():
+ parser = argparse.ArgumentParser()
+ parser.add_argument('--config', '-C', help='Config file for ldap-sasl', default=None)
+ parser.add_argument('--server', '-s', help='Which ldaps server to use', default=None)
+ parser.add_argument('--port', '-p', help='Which ldap ldap port to use', type=int)
+ parser.add_argument('--no-tls', action='store_true', default=False, help='Disable tls connection, dont use this outside local machine testing')
+ parser.add_argument('--dry-run', action='store_true', default=False, help='Dont change anything')
+ parser.add_argument('--verbose', '-v', action='store_true', default=False, help='Print extra info')
+ parser.add_argument('--force', '-f', action='store_true', default=False, help='Dont stop on empty user password or missing rights')
+ return parser.parse_args()
+
+
+def main():
+ config = Config()
+
+ if config.anonymous():
+ print('Missing login credentials, either specify via environment or config file')
+ return
+ server = Server(config.server, port=int(config.port), use_ssl=config.use_tls, get_info=ALL)
+ conn = Connection(server, config.user, config.password, auto_bind=True)
+
+ conn.search('ou=people,dc=nordu,dc=net', '(uid=*)', attributes=['uid', 'userPassword'])
+
+ for user in conn.entries:
+ if not user.userPassword.value or not user.userPassword.value[:6] in ('{SASL}', b'{SASL}') :
+ print('[BAD]', user.uid, 'does not use SASL')
+ if not config.dry_run:
+ sasl_str = '{SASL}%s@NORDU.NET' % user.uid.value
+ if not conn.modify(user.entry_dn, {'userPassword': [(MODIFY_REPLACE, [sasl_str])]}):
+ print('[ERR]', 'Could not update password for', user.uid, 'got error:', conn.result['description'])
+ else:
+ if config.dry_run or config.verbose:
+ print('[OK]', user.uid, user.entry_dn)
+
+ conn.unbind()
+
+
+if __name__ == '__main__':
+ main()
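Review bot: The `--force` option is parsed in `cli()` and copied to `config.force` in `Config.__init__`, but nothing in `main()` reads it, so the help text's promise "Dont stop on empty user password or missing rights" is not implemented; either gate the per-user `[ERR]` path on it or drop the flag until it does something. The return value of `conn.search(...)` in `main()` is likewise discarded, so a search that fails (for example because the bound account lacks read rights on the subtree) leaves `conn.entries` empty and the run ends silently as if every user were already on SASL; change it to `if not conn.search('ou=people,dc=nordu,dc=net', '(uid=*)', attributes=['uid', 'userPassword']):` followed by `print('[ERR]', 'search failed:', conn.result['description']); return`. On the `userPassword` test, `not user.userPassword.value[:6] in (...)` reads better as `user.userPassword.value[:6] not in ('{SASL}', b'{SASL}')`; note too that ldap3 presumably returns a list from `.value` when the attribute is multi-valued, in which case the slice never matches and the `MODIFY_REPLACE` would overwrite every stored value with the single SASL string — worth confirming against ldap3's Attribute semantics before running without `--dry-run`.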
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..0bd80f2
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+ldap3
+configparser