2021-07-12 12:43:11 +02:00
|
|
|
#!/usr/bin/python
|
2022-12-17 00:33:34 +01:00
|
|
|
"""
|
|
|
|
|
Tool to force update memberOf attributes of users on OpenLDAP directory using
|
|
|
|
|
memberOf overlay
|
|
|
|
|
"""
|
2021-07-12 13:45:25 +02:00
|
|
|
|
2021-07-12 12:43:11 +02:00
|
|
|
import getpass
|
|
|
|
|
import logging
|
|
|
|
|
|
2021-07-12 13:45:25 +02:00
|
|
|
from mylib.ldap import LdapClient
|
|
|
|
|
from mylib.ldap import LdapServer
|
|
|
|
|
from mylib.pbar import Pbar
|
|
|
|
|
from mylib.scripts.helpers import get_opts_parser
|
|
|
|
|
from mylib.scripts.helpers import init_logging
|
2021-07-12 12:43:11 +02:00
|
|
|
|
|
|
|
|
default_host = 'ldapi:///'
|
|
|
|
|
default_filter = '(objectClass=posixGroup)'
|
|
|
|
|
default_attr = 'uniqueMember'
|
|
|
|
|
|
2022-12-17 00:33:34 +01:00
|
|
|
parser = get_opts_parser(
|
|
|
|
|
desc="Update memberOf attributes", just_try=True, progress=True)
|
2021-07-12 12:43:11 +02:00
|
|
|
|
|
|
|
|
# options
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts = parser.add_argument_group('LDAP options')
|
|
|
|
|
|
|
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-H', '--host',
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="host",
|
|
|
|
|
help="LDAP server URI (default: %s)" % default_host,
|
|
|
|
|
default=default_host
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-D', '--dn',
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="dn",
|
|
|
|
|
help="LDAP bind DN",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-P', '--password',
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="pwd",
|
|
|
|
|
help="LDAP bind password",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-f', '--filter',
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="filter",
|
|
|
|
|
help="LDAP groups filter (default: %s)" % default_filter,
|
|
|
|
|
default=default_filter
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-b', '--base',
|
|
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="base",
|
|
|
|
|
help="LDAP group base DN",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'--v2',
|
|
|
|
|
action="store_true",
|
|
|
|
|
dest="ldapv2",
|
|
|
|
|
help="Utiliser le protocole LDAP v2.",
|
|
|
|
|
default=None
|
|
|
|
|
)
|
2021-07-12 13:45:25 +02:00
|
|
|
ldap_opts.add_argument(
|
2021-07-12 12:43:11 +02:00
|
|
|
'-a', '--attr',
|
2022-12-17 00:33:34 +01:00
|
|
|
action="store",
|
|
|
|
|
type=str,
|
|
|
|
|
dest="attr",
|
|
|
|
|
help="Group members attribute (default: %s)" % default_attr,
|
|
|
|
|
default=default_attr
|
2021-07-12 12:43:11 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
options = parser.parse_args()
|
|
|
|
|
|
|
|
|
|
if options.base is None:
|
2021-07-12 13:45:25 +02:00
|
|
|
parser.error('You must specify base DN using --base parameter')
|
|
|
|
|
|
|
|
|
|
init_logging(options, "Update memberOf")
|
2021-07-12 12:43:11 +02:00
|
|
|
|
|
|
|
|
if options.dn and not options.pwd:
|
2021-07-12 13:45:25 +02:00
|
|
|
options.pwd = getpass.getpass()
|
|
|
|
|
|
2022-12-17 00:33:34 +01:00
|
|
|
|
2021-07-12 13:45:25 +02:00
|
|
|
class MyLdapClient(LdapClient):
|
|
|
|
|
""" Implement a custom LdapClient to handle group objects """
|
|
|
|
|
|
2022-12-17 00:33:34 +01:00
|
|
|
# pylint: disable=super-init-not-called
|
|
|
|
|
def __init__(self, scripts_options):
|
2021-07-12 13:45:25 +02:00
|
|
|
self.options = scripts_options
|
2022-12-17 00:48:55 +01:00
|
|
|
logging.info("Connect to LDAP server %s", self.options.host)
|
2022-12-17 00:33:34 +01:00
|
|
|
self.cnx = LdapServer(
|
|
|
|
|
self.options.host, dn=self.options.dn, pwd=self.options.pwd,
|
|
|
|
|
v2=self.options.ldapv2)
|
2021-07-12 13:45:25 +02:00
|
|
|
self.cnx.connect()
|
|
|
|
|
|
|
|
|
|
def get_groups(self):
|
|
|
|
|
""" Retreive groups form LDAP server """
|
|
|
|
|
return self.get_objects(
|
|
|
|
|
'group',
|
|
|
|
|
self.options.filter,
|
|
|
|
|
self.options.base,
|
2022-12-17 00:33:34 +01:00
|
|
|
[self.options.attr]
|
2021-07-12 13:45:25 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def touch_group_members(self, obj):
|
|
|
|
|
""" Touch group members attribute """
|
|
|
|
|
current = self.get_attr(obj, self.options.attr, all_values=True)
|
|
|
|
|
if not current:
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
logging.debug('Update - remove values of %s', obj['dn'])
|
|
|
|
|
changes = self.get_changes(obj, {options.attr: []})
|
|
|
|
|
logging.debug('Changes:\n%s', self.format_changes(changes))
|
|
|
|
|
if self.update_object(obj, changes):
|
|
|
|
|
obj[options.attr] = []
|
|
|
|
|
logging.debug('Update - restore values of %s', obj['dn'])
|
|
|
|
|
changes = self.get_changes(obj, {options.attr: current})
|
|
|
|
|
logging.debug('Changes:\n%s', self.format_changes(changes))
|
|
|
|
|
return myldap.update_object(obj, changes)
|
|
|
|
|
return False
|
2021-07-12 12:43:11 +02:00
|
|
|
|
2022-12-17 00:33:34 +01:00
|
|
|
|
2021-07-12 12:43:11 +02:00
|
|
|
# Start LDAP connection
|
2021-07-12 13:45:25 +02:00
|
|
|
myldap = MyLdapClient(options)
|
|
|
|
|
groups = myldap.get_groups()
|
2021-07-12 12:43:11 +02:00
|
|
|
|
2021-07-12 13:45:25 +02:00
|
|
|
logging.info('%s groups found', len(groups))
|
2021-07-12 12:43:11 +02:00
|
|
|
|
2021-07-12 13:45:25 +02:00
|
|
|
pbar = Pbar('Update memberOf', len(groups), enabled=options.progress)
|
|
|
|
|
for dn, group in groups.items():
|
|
|
|
|
myldap.touch_group_members(group)
|
|
|
|
|
pbar.increment()
|
2021-07-12 12:43:11 +02:00
|
|
|
|
|
|
|
|
pbar.finish()
|
