A simple Python module for common Active Directory authentication and lookup tasks
Project description
Copyright 2016 Sean Whalen Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at https://apache.ac.cn/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
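Why?
Most LDAP solutions for Python and/or Flask focus on being generic LDAP interfaces. It is left to the developer to understand and work around the quirks of Active Directory. This module aims to reduce the complexity and development time for Python applications that interface securely with Active Directory.
Features
Python 2 and 3 support
Unicode support
Authenticate user credentials via direct bind
Quickly test if a user is a member of a group, including nested groups
Query user and group attributes
Simple user and group searches
Get all groups that a user is a member of, including nested groups
Get a list of all users who are members of a group, including from nested groups
Automatically convert binary data to base64 for JSON-safe output
Installation
First, install the system dependencies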
$ sudo apt-get install libsasl2-dev python3-dev python3-pip libldap2-dev libssl-dev
Then
$ sudo pip3 install -U easyad
Example usage
```python
from __future__ import unicode_literals, print_function

from getpass import getpass
from json import dumps

from easyad import EasyAD

# Workaround to make input() return a string in Python 2 like it does in Python 3
# It's 2016...you should really be using Python 3
try:
    input = raw_input
except NameError:
    pass

# Set up configuration. You could also use a Flask app.config
config = dict(AD_SERVER="ad.example.net",
              AD_DOMAIN="example.net",
              AD_CA_CERT_FILE="myrootca.crt")

# Initialize all the things!
ad = EasyAD(config)

# Authenticate a user
username = input("Username: ")
password = getpass("Password: ")

local_admin_group_name = "LocalAdministrators"

user = ad.authenticate_user(username, password, json_safe=True)

if user:
    # Successful login! Let's print your details as JSON
    print(dumps(user, sort_keys=True, indent=2, ensure_ascii=False))

    # Let's find out if you are a member of the "LocalAdministrators" group
    print(ad.user_is_member_of_group(user, local_admin_group_name))
else:
    print("Those credentials are invalid. Please try again.")
    exit(-1)

# You can also add service account credentials to the config to do lookups without
# passing in the credentials on every call
ad.config["AD_BIND_USERNAME"] = "SA-ADLookup"
ad.config["AD_BIND_PASSWORD"] = "12345LuggageAmazing"

user = ad.get_user("maurice.moss", json_safe=True)
print(dumps(user, sort_keys=True, indent=2, ensure_ascii=False))

group = ad.get_group("helpdesk", json_safe=True)
print(dumps(group, sort_keys=True, indent=2, ensure_ascii=False))

print("Is Jen a manager?")
print(ad.user_is_member_of_group("jen.barber", "Managers"))

# The calls below can be taxing on an AD server, especially when used frequently.
# If you just need to check if a user is a member of a group use
# EasyAD.user_is_member_of_group(). It is *much* faster.

# I wonder who all is in the "LocalAdministrators" group? Let's run a
# query that will search in nested groups.
print(dumps(ad.get_all_users_in_group(local_admin_group_name, json_safe=True)))

# Let's see all of the groups that Moss is in, including nested groups
print(dumps(ad.get_all_user_groups(user), indent=2, ensure_ascii=False))
```
easyad methods
convert_ad_timestamp(timestamp, json_safe=False)
Converts an LDAP timestamp to a datetime or a human-readable string

Args:
    timestamp: The LDAP timestamp
    json_safe: If true, return a human-readable string instead of a datetime

Returns:
    A datetime or a human-readable string
enhance_user(user, json_safe=False)
Adds computed attributes to AD user results

Args:
    user: A dictionary of user attributes
    json_safe: If true, converts binary data into base64, and datetimes into human-readable strings

Returns:
    An enhanced dictionary of user attributes
process_ldap_results(results, json_safe=False)
Converts LDAP search results from bytes to a dictionary of UTF-8 where possible

Args:
    results: LDAP search results
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    A list of processed LDAP result dictionaries.
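The kind of conversion that `json_safe` describes, as an added Python 3 example (not easyad's own code). It assumes python-ldap style entries of the form `{attribute: [bytes, ...]}` and AD integer timestamps counted in 100-nanosecond intervals since 1601-01-01 UTC; the function names and the attribute lists are hypothetical.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNSET = {0, 0x7FFFFFFFFFFFFFFF}  # AD sentinels for "not set" and "never"
BINARY_ATTRS = {"objectGUID", "objectSid", "thumbnailPhoto"}  # assumed list
TIMESTAMP_ATTRS = {"lastLogon", "pwdLastSet", "accountExpires"}  # assumed list


def ad_ticks_to_datetime(value):
    """Convert 100-nanosecond intervals since 1601-01-01 UTC to a datetime."""
    ticks = int(value)
    return None if ticks in UNSET else AD_EPOCH + timedelta(microseconds=ticks // 10)


def json_safe_entry(attrs):
    """Turn one {attribute: [bytes, ...]} result entry into JSON-safe values."""
    out = {}
    for name, values in attrs.items():
        converted = []
        for raw in values:
            try:
                text = None if name in BINARY_ATTRS else raw.decode("utf-8")
            except UnicodeDecodeError:
                text = None  # undeclared binary attribute: base64 it as well
            if text is None:
                text = base64.b64encode(raw).decode("ascii")
            elif name in TIMESTAMP_ATTRS:
                moment = ad_ticks_to_datetime(text)
                text = moment.isoformat() if moment else None
            converted.append(text)
        out[name] = converted[0] if len(converted) == 1 else converted
    return out


# Constructed sample entry. The SID bytes (S-1-5-21-1-2-3-1104) are all below
# 0x80, so they decode as UTF-8; only the explicit binary list keeps them base64.
SAMPLE = {
    "sAMAccountName": [b"maurice.moss"],
    "memberOf": [b"CN=Helpdesk,DC=example,DC=net", b"CN=IT,DC=example,DC=net"],
    "objectSid": [bytes.fromhex("01050000000000051500000001000000020000000300000050040000")],
    "pwdLastSet": [b"116444736000000000"],
    "accountExpires": [b"9223372036854775807"],
}

if __name__ == "__main__":
    print(json.dumps(json_safe_entry(SAMPLE), indent=2, sort_keys=True))
```

Relying on "decode as UTF-8, else base64" alone would emit this SID as a string of control characters, which is why the binary attributes are listed explicitly.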
easyad.ADConnection
An LDAP configuration abstraction class

Attributes:
    config: The configuration dictionary
    ad: The LDAP interface instance
ADConnection.__init__(self, config)
Initializes an ADConnection object

Args:
    config: A dictionary of configuration settings
        Required:
            AD_SERVER: The hostname of the Active Directory Server
        Optional:
            AD_REQUIRE_TLS: Require a TLS connection. True by default.
            AD_CA_CERT_FILE: The path to the root CA certificate file
            AD_PAGE_SIZE: Overrides the default page size of 1000
            AD_OPTIONS: A dictionary of other python-ldap options
ADConnection.bind(self, credentials=None)
Attempts to bind to the Active Directory server

Args:
    credentials: An optional dictionary of the username and password to use. If credentials are not passed, the credentials from the initial EasyAD configuration are used.

Returns:
    True if the bind was successful

Raises:
    ldap.LDAP_ERROR
ADConnection.unbind(self)
Unbind from the Active Directory server
easyad.EasyAD
A high-level class for interacting with Active Directory

Attributes:
    user_attributes: A default list of attributes to return from a user query
    group_attributes: A default list of attributes to return from a group query
EasyAD.__init__(self, config)
Initializes an EasyAD object

Args:
    config: A dictionary of configuration settings
        Required:
            AD_SERVER: The hostname of the Active Directory Server
            AD_DOMAIN: The domain to bind to, in TLD format
        Optional:
            AD_REQUIRE_TLS: Require a TLS connection. True by default.
            AD_CA_CERT_FILE: The path to the root CA certificate file
            AD_BASE_DN: Overrides the base distinguished name. Derived from AD_DOMAIN by default.
EasyAD.authenticate_user(self, username, password, base=None, attributes=None, json_safe=False)
Test if the given credentials are valid

Args:
    username: The username
    password: The password
    base: Optionally overrides the base object DN
    attributes: A list of user attributes to return
    json_safe: Convert binary data to base64 and datetimes to human-readable strings

Returns:
    A dictionary of user attributes if successful, or False if it failed

Raises:
    ldap.LDAP_ERROR
EasyAD.get_all_user_groups(self, user, base=None, credentials=None, json_safe=False)
Returns a list of all group DNs that a user is a member of, including nested groups

Args:
    user: A username, distinguishedName, or a dictionary containing a distinguishedName
    base: Overrides the configured base object DN
    credentials: An optional dictionary of the username and password to use
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    A list of group DNs that the user is a member of, including nested groups

Raises:
    ldap.LDAP_ERROR

Notes:
    This call can be taxing on an AD server, especially when used frequently. If you just need to check if a user is a member of a group, use EasyAD.user_is_member_of_group(). It is *much* faster.
EasyAD.get_all_users_in_group(self, group, base=None, credentials=None, json_safe=False)
Returns a list of all user DNs that are members of a given group, including from nested groups

Args:
    group: A group name, CN, or DN
    base: Overrides the configured base object DN
    credentials: An optional dictionary of the username and password to use
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    A list of all user DNs that are members of a given group, including users from nested groups

Raises:
    ldap.LDAP_ERROR

Notes:
    This call can be taxing on an AD server, especially when used frequently. If you just need to check if a user is a member of a group, use EasyAD.user_is_member_of_group(). It is *much* faster.
EasyAD.get_group(self, group_string, base=None, credentials=None, attributes=None, json_safe=False)
Searches for a unique group object and returns its attributes

Args:
    group_string: A group name, CN, or DN
    base: Optionally override the base object DN
    credentials: An optional dictionary of the username and password to use. If credentials are not passed, the credentials from the initial EasyAD configuration are used.
    attributes: An optional list of attributes to return. Otherwise uses self.group_attributes. To return all attributes, pass an empty list.
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    A dictionary of group attributes

Raises:
    ValueError: Query returned no or multiple results
    ldap.LDAP_ERROR: An LDAP error occurred
EasyAD.get_user(self, user_string, json_safe=False, credentials=None, attributes=None)
Searches for a unique user object and returns its attributes

Args:
    user_string: A userPrincipalName, sAMAccountName, or distinguishedName
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings
    credentials: An optional dictionary of the username and password to use. If credentials are not passed, the credentials from the initial EasyAD configuration are used.
    attributes: An optional list of attributes to return. Otherwise uses self.user_attributes. To return all attributes, pass an empty list.

Returns:
    A dictionary of user attributes

Raises:
    ValueError: Query returned no or multiple results
EasyAD.resolve_group_dn(self, group, base=None, credentials=None, json_safe=False)
Returns a group's DN when given a principalAccountName, sAMAccountName, email, or DN

Args:
    group: A group name, CN, or DN, or a dictionary containing a DN
    base: Optionally overrides the base object DN
    credentials: An optional dictionary of the username and password to use
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    The group's DN

Raises:
    ldap.LDAP_ERROR
EasyAD.resolve_user_dn(self, user, base=None, credentials=None, json_safe=False)
Returns a user's DN when given a principalAccountName, sAMAccountName, email, or DN

Args:
    user: A principalAccountName, sAMAccountName, email, DN, or a dictionary containing a DN
    base: Optionally overrides the base object DN
    credentials: An optional dictionary of the username and password to use
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    The user's DN

Raises:
    ldap.LDAP_ERROR
EasyAD.search(self, base=None, scope=ldap.SCOPE_SUBTREE, filter_string="(objectClass=*)", credentials=None, attributes=None, json_safe=False, page_size=None)
Run a search of the Active Directory server, and get the results

Args:
    base: Optionally override the DN of the base object
    scope: Optional scope setting, subtree by default.
    filter_string: Optional custom filter string
    credentials: Optionally override the bind credentials
    attributes: A list of attributes to return. If none are specified, all attributes are returned
    json_safe: If true, convert binary data to base64, and datetimes to human-readable strings
    page_size: Optionally override the number of results to return per LDAP page

Returns:
    Results as a list of dictionaries

Raises:
    ldap.LDAP_ERROR

Notes:
    Setting a small number of search_attributes and return_attributes reduces server load and bandwidth respectively
EasyAD.search_for_groups(self, group_string, base=None, search_attributes=None, return_attributes=None, credentials=None, json_safe=False)
Returns matching group objects as a list of dictionaries

Args:
    group_string: The substring to search for
    base: Optionally override the base object's DN
    search_attributes: The attributes to search through, with binary data removed. easyad.EasyAD.group_attributes by default
    return_attributes: A list of attributes to return. easyad.EasyAD.group_attributes by default
    credentials: Optionally override the bind credentials
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    Results as a list of dictionaries

Raises:
    ldap.LDAP_ERROR

Notes:
    Setting a small number of search_attributes and return_attributes reduces server load and bandwidth respectively
EasyAD.search_for_users(self, user_string, base=None, search_attributes=None, return_attributes=None, credentials=None, json_safe=False)
Returns matching user objects as a list of dictionaries

Args:
    user_string: The substring to search for
    base: Optionally override the base object's DN
    search_attributes: The attributes to search through, with binary data removed. easyad.EasyAD.user_attributes by default
    return_attributes: A list of attributes to return. easyad.EasyAD.user_attributes by default
    credentials: Optionally override the bind credentials
    json_safe: If true, convert binary data to base64 and datetimes to human-readable strings

Returns:
    Results as a list of dictionaries

Raises:
    ldap.LDAP_ERROR

Notes:
    Setting a small number of search_attributes and return_attributes reduces server load and bandwidth respectively
EasyAD.user_is_member_of_group(self, user, group, base=None, credentials=None)
Tests if a given user is a member of the given group

Args:
    user: A principalAccountName, sAMAccountName, email, or DN
    group: A group name, CN, or DN
    base: Optionally overrides the base object DN
    credentials: An optional dictionary of the username and password to use

Raises:
    ldap.LDAP_ERROR

Returns:
    A boolean that indicates if the given user is a member of the given group
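One way to build the filters behind a substring search across `search_attributes` and a nested-group membership test, as an added Python 3 example (not easyad's own code; how easyad constructs its filters is not shown on this page). The helper names are hypothetical, and the nested test assumes Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).

```python
import re

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD rule that follows nesting
ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape the RFC 4515 special characters: backslash, *, (, ) and NUL."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def substring_filter(term, search_attributes, object_category="user"):
    """Match `term` as a substring of any of the listed attributes."""
    if not term or not search_attributes:
        raise ValueError("a search term and at least one attribute are required")
    for name in list(search_attributes) + [object_category]:
        if not ATTRIBUTE_NAME.fullmatch(name):
            raise ValueError("unsafe attribute or category name: %r" % name)
    safe = escape_filter_value(term)
    clauses = "".join("(%s=*%s*)" % (name, safe) for name in search_attributes)
    return "(&(objectCategory=%s)(|%s))" % (object_category, clauses)


def nested_member_filter(user_dn, group_dn):
    """Match the user object only if it is in the group directly or via nesting."""
    return "(&(distinguishedName=%s)(memberOf:%s:=%s))" % (
        escape_filter_value(user_dn),
        MATCHING_RULE_IN_CHAIN,
        escape_filter_value(group_dn),
    )


if __name__ == "__main__":
    # Constructed inputs: a search term containing filter metacharacters and a
    # DN whose CN contains an escaped comma.
    print(substring_filter("moss (it)*", ["sAMAccountName", "displayName"]))
    print(nested_member_filter("CN=Moss\\, Maurice,OU=IT,DC=example,DC=net",
                               "CN=LocalAdministrators,DC=example,DC=net"))
```

Searching from the user object with the in-chain rule returns at most one entry, which is what makes a membership test cheaper than enumerating every member of a nested group.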
Hashes for easyad-1.0.9-py2.py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 3ccb28a649d2010cfd9d822a9223b34c90e1c1be496a1158996d5bd6e4308cef
MD5 | de3412c643b906e10708f6bb25ab31de
BLAKE2b-256 | 47bbe2d215ec5e822d38290543a7d6e78b0be6ad004a592c47cead39e39d1a80