├── multildap
    ├── __init__.py
    ├── satosa
    │   ├── multiple_ldap_attribute_store.yaml.example
    │   └── multiple_ldap_attribute_store.py
    ├── decorators.py
    ├── attr_rewrite.py
    ├── commands.py
    ├── client.py
    └── multildapd.py
├── requirements.txt
├── AUTHORS
├── .gitignore
├── examples
    ├── ldaptor
    │   ├── requirements
    │   └── ldap-merger.py
    ├── README.asyncio.md
    ├── ldap_gevent.py
    ├── ldap_gevent_server_echo.py
    ├── paged_resultset_example.py
    ├── ldap_aio.py
    └── settings.py.example
├── LICENSE
├── setup.py
├── tests
    └── run_test.py
└── README.md


/multildap/__init__.py:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | ldap3>=2.9
2 | gevent>=21.1.2
3 | 


--------------------------------------------------------------------------------
/AUTHORS:
--------------------------------------------------------------------------------
1 | Giuseppe De Marco <giuseppe.demarco@unical.it>
2 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | settings.py
2 | *__pycache__/*
3 | *.pyc
4 | build/*
5 | dist/*
6 | *egg-info/*
7 | 


--------------------------------------------------------------------------------
/examples/ldaptor/requirements:
--------------------------------------------------------------------------------
1 | ldaptor
2 | passlib
3 | pyparsing
4 | twisted[tls]
5 | zope.interface
6 | 


--------------------------------------------------------------------------------
/examples/README.asyncio.md:
--------------------------------------------------------------------------------
1 | - https://github.com/hughrobb/aioldap3
2 | - https://github.com/cannatag/ldap3/issues/182
3 | 


--------------------------------------------------------------------------------
/multildap/satosa/multiple_ldap_attribute_store.yaml.example:
--------------------------------------------------------------------------------
1 | module: multildap.satosa.multiple_ldap_attribute_store.MultiLdapAttributeStore
2 | name: MultipleLdapAttributeStore
3 | config:
4 |   settings_path: /opt/multildap/settings.py
5 |   unique_attribute_to_match: schacpersonaluniqueid
6 |   ldap_filter_operator: ':caseIgnoreMatch:='
7 | 


--------------------------------------------------------------------------------
/examples/ldap_gevent.py:
--------------------------------------------------------------------------------
 1 | import gevent
 2 | from gevent import monkey; monkey.patch_all()
 3 | 
 4 | from client import LdapClient
 5 | from settings import LDAP_CONNECTIONS
 6 | 
 7 | result_set = []
 8 | LDAP_SERVERS = [LdapClient(conf) for conf in LDAP_CONNECTIONS.values()]
 9 | 
10 | jobs = [gevent.spawn(conn.get) for conn in LDAP_SERVERS]
11 | gevent.joinall(jobs, timeout=2)
12 | for job in jobs:
13 |     print(job.value)
14 | 


--------------------------------------------------------------------------------
/examples/ldaptor/ldap-merger.py:
--------------------------------------------------------------------------------
 1 | #! /usr/bin/env python
 2 | 
 3 | from twisted.application import service, internet
 4 | from twisted.internet import protocol
 5 | from ldaptor.config import LDAPConfig
 6 | from ldaptor.protocols.ldap.merger import MergedLDAPServer
 7 | 
 8 | application = service.Application("LDAP Merger")
 9 | 
10 | configs = [LDAPConfig(serviceLocationOverrides={"": ('host1.unical.it', 389)}),
11 |            LDAPConfig(serviceLocationOverrides={"": ('host2.unical.it', 636)})
12 |            ]
13 | use_tls = [True, True]
14 | factory = protocol.ServerFactory()
15 | factory.protocol = lambda: MergedLDAPServer(configs, use_tls)
16 | mergeService = internet.TCPServer(3899, factory)
17 | mergeService.setServiceParent(application)
18 | 


--------------------------------------------------------------------------------
/multildap/decorators.py:
--------------------------------------------------------------------------------
 1 | from functools import wraps
 2 | import errno
 3 | import os
 4 | import signal
 5 | 
 6 | 
 7 | class TimeoutError(Exception):
 8 |     pass
 9 | 
10 | def timeout(seconds=5, error_message=os.strerror(errno.ETIME)):
11 |     def decorator(func):
12 |         def _handle_timeout(signum, frame):
13 |             raise TimeoutError(error_message)
14 | 
15 |         def wrapper(*args, **kwargs):
16 |             signal.signal(signal.SIGALRM, _handle_timeout)
17 |             signal.alarm(seconds)
18 |             try:
19 |                 result = func(*args, **kwargs)
20 |             finally:
21 |                 signal.alarm(0)
22 |             return result
23 | 
24 |         return wraps(func)(wrapper)
25 | 
26 |     return decorator
27 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 |                     GNU AFFERO GENERAL PUBLIC LICENSE
 2 |                        Version 3, 19 November 2007
 3 | 
 4 | <pyMultiLDAP data connector and aggregator>
 5 |            Copyright (C) 2019  Giuseppe De Marco
 6 | 
 7 | This program is free software: you can redistribute it and/or modify
 8 | it under the terms of the GNU Affero General Public License as
 9 | published by the Free Software Foundation, either version 3 of the
10 | License, or (at your option) any later version.
11 | 
12 | This program is distributed in the hope that it will be useful,
13 | but WITHOUT ANY WARRANTY; without even the implied warranty of
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 | GNU Affero General Public License for more details.
16 | 
17 | You should have received a copy of the GNU Affero General Public License
18 | along with this program.  If not, see <https://www.gnu.org/licenses/>.
19 | 


--------------------------------------------------------------------------------
/examples/ldap_gevent_server_echo.py:
--------------------------------------------------------------------------------
 1 | #import gevent
 2 | 
 3 | #from gevent import monkey; monkey.patch_all()
 4 | from gevent.server import StreamServer
 5 | 
 6 | from client import LdapClient
 7 | from settings import LDAP_CONNECTIONS
 8 | 
 9 | 
10 | def handle(socket, address):
11 |     print('new connection from {}'.format(address))
12 |     rfileobj = socket.makefile(mode='rb')
13 |     while True:
14 |         line = rfileobj.readline()
15 |         if not line:
16 |             print("client {} disconnected".format(address))
17 |             break
18 |         elif line.strip().lower() == b'quit':
19 |             print("client {} quit".format(address))
20 |             break
21 |         elif line == b'\n': continue
22 |         else:
23 |             socket.sendall(b'recv: '+line)
24 |         print("< {}".format(line))
25 |     rfileobj.close()
26 | 
27 | server = StreamServer(('127.0.0.1', 1234), handle) # creates a new server
28 | server.serve_forever() # start accepting new connections
29 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | from setuptools import setup
 2 | 
 3 | _name = 'multildap'
 4 | 
 5 | def readme():
 6 |     with open('README.md') as f:
 7 |         return f.read()
 8 | 
 9 | setup(name=_name,
10 |       version='0.3.3',
11 |       zip_safe = False,
12 |       description="LDAP client or proxy to multiple LDAP server",
13 |       long_description=readme(),
14 |       long_description_content_type="text/markdown",
15 |       classifiers=['Development Status :: 5 - Production/Stable',
16 |                    'License :: OSI Approved :: BSD License',
17 |                    'Programming Language :: Python :: 2',
18 |                    'Programming Language :: Python :: 3'],
19 |       url='https://github.com/peppelinux/pyMultiLDAP',
20 |       author='Giuseppe De Marco',
21 |       author_email='giuseppe.demarco@unical.it',
22 |       license='BSD',
23 |       scripts=['{}/multildapd.py'.format(_name)],
24 |       packages=[_name, 'multildap/satosa'],
25 |       install_requires=['ldap3', 'gevent'],
26 |      )
27 | 


--------------------------------------------------------------------------------
/examples/paged_resultset_example.py:
--------------------------------------------------------------------------------
 1 | from ldap3 import Server, Connection, SUBTREE
 2 | from settings import SAMVICE
 3 | 
 4 | total_entries = 0
 5 | server = ldap3.Server(SAMVICE['url'])
 6 | c = ldap3.Connection(server, **SAMVICE['connection'])
 7 | 
 8 | c.search(search_base = 'o=test',
 9 |          search_filter = '(objectClass=inetOrgPerson)',
10 |          search_scope = SUBTREE,
11 |          attributes = ['cn', 'givenName'],
12 |          paged_size = 5)
13 | total_entries += len(c.response)
14 | for entry in c.response:
15 |     print(entry['dn'], entry['attributes'])
16 | cookie = c.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']
17 | while cookie:
18 |     c.search(search_base = 'o=test',
19 |              search_filter = '(object_class=inetOrgPerson)',
20 |              search_scope = SUBTREE,
21 |              attributes = ['cn', 'givenName'],
22 |              paged_size = 5,
23 |              paged_cookie = cookie)
24 |     total_entries += len(c.response)
25 |     cookie = c.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']
26 |     for entry in c.response:
27 |         print(entry['dn'], entry['attributes'])
28 | print('Total entries retrieved:', total_entries)
29 | 


--------------------------------------------------------------------------------
/examples/ldap_aio.py:
--------------------------------------------------------------------------------
 1 | # https://www.pythonsheets.com/notes/python-asyncio.html
 2 | import asyncio
 3 | 
 4 | from client import LdapClient
 5 | from settings import LDAP_CONNECTIONS
 6 | 
 7 | result_set = []
 8 | LDAP_SERVERS = []
 9 | 
10 | async def get_result(lc):
11 |     await asyncio.sleep(0.001)
12 |     return lc.get(format='dict')
13 | 
14 | async def get_server(CONF):
15 |     return LdapClient(CONF)
16 | 
17 | async def ensure_connection(lc):
18 |     await asyncio.sleep(0.001)
19 |     lc.ensure_connection()
20 | 
21 | async def connect(lc_id: int):
22 |     CONF = list(LDAP_CONNECTIONS.keys())[lc_id]
23 |     lc = await get_server(LDAP_CONNECTIONS[CONF])
24 |     # LDAP_SERVERS.append(lc)
25 |     print('Connectign and gathering {} [{}]'.format(lc, CONF))
26 |     # await ensure_connection(lc)
27 |     try:
28 |         result = await get_result(lc)
29 |         result_set.extend(result)
30 |         print('Get {} results from {}'.format(len(result), lc))
31 |     except Exception as e:
32 |         print('-- Fail to connect to {} [{}]'.format(lc, CONF))
33 |         print(e)
34 | 
35 | async def main():
36 |     await asyncio.gather(*(connect(n) for n in range(len(LDAP_CONNECTIONS.keys()))))
37 |     print('Done')
38 | 
39 | if __name__ == '__main__':
40 |     asyncio.run(main())
41 |     print(len(result_set))
42 | 


--------------------------------------------------------------------------------
/tests/run_test.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import logging
 3 | import sys
 4 | 
 5 | from importlib import util as importlib_util
 6 | from multildap.client import LdapClient
 7 | 
 8 | spec = importlib_util.spec_from_file_location("settings", "settings.py")
 9 | settings = importlib_util.module_from_spec(spec)
10 | spec.loader.exec_module(settings)
11 | 
12 | 
13 | for i in settings.LDAP_CONNECTIONS.values():
14 |     lc = LdapClient(i)
15 |     # print('# Results from: {} ...'.format(lc))
16 |     # kwargs = copy.copy(lc.conf)
17 |     # r = lc.get(search="(&(sn=aie*)(givenName=isa*))")
18 |     # print(r)
19 | 
20 |     # like wildcard
21 |     # r = lc.get(search="(&(sn=de marco)(schacPersonalUniqueId=*DMRGPP83*))")
22 |     # print(r)
23 | 
24 |     # using search method with overload of configuration
25 |     #kwargs['search']['search_filter'] = "(&(sn=de marco))"
26 |     #r = lc.search(**kwargs['search'])
27 | 
28 |     lc.set_strategy('RESTARTABLE')
29 |     print('# ', lc.strategy)
30 |     print('# as DICT')
31 |     r = lc.get(format='dict')
32 |     print(r) if r else ''
33 |     print()
34 | 
35 |     r = lc.get(format='json')
36 |     print('# as JSON')
37 |     print(r) if r else ''
38 |     print()
39 | 
40 |     lc.set_strategy('REUSABLE')
41 |     print('# ', lc.strategy)
42 |     print('# as DICT')
43 |     r = lc.get(format='dict')
44 |     print(r) if r else ''
45 |     print()
46 | 
47 |     r = lc.get(format='json')
48 |     print('# as JSON')
49 |     print(r) if r else ''
50 |     print()
51 | 
52 |     # get result in original format
53 |     # this won't apply rewrite rules
54 |     print('# as ORIGNAL')
55 |     r = lc.get()
56 |     print(r) if r else ''
57 |     print()
58 | 
59 |     print('# as LDIF')
60 |     r = lc.get(format='ldif')
61 |     print(r) if r else ''
62 |     print()
63 | 
64 |     print('# End')
65 | 


--------------------------------------------------------------------------------
/multildap/attr_rewrite.py:
--------------------------------------------------------------------------------
 1 | import copy
 2 | import re
 3 | 
 4 | 
 5 | def decode_iterables(ite, encoding='utf-8'):
 6 |     return [e.decode(encoding) if isinstance(e, bytes) else e for e in ite]
 7 | 
 8 | 
 9 | def regexp_replace(attrs, regexp='', sub='', encoding='utf-8'):
10 |     d = dict()
11 |     for k,v in attrs.items():
12 |         items = decode_iterables(v, encoding)
13 |         d[k] = [re.sub(regexp, sub, e, re.I) for e in items]
14 |     return d
15 | 
16 | 
17 | def lowercase(attrs, fields=[], encoding='utf-8'):
18 |     """
19 |     fields -> limits only to specified attributes
20 | 
21 |     rewrite_rules =
22 |     [
23 | 
24 |          {'package': 'multildap.attr_rewrite',
25 |           'name': 'lowercase',
26 |           'kwargs': {'fields': ['email', 'mail']}
27 |          },
28 | 
29 |     ...
30 |     """
31 |     d = attrs.copy()
32 |     for k,v in attrs.items():
33 |         if k in fields:
34 |             items = decode_iterables(v, encoding)
35 |             d[k] = [e.lower() for e in items]
36 |     return d
37 | 
38 | 
39 | def replace(attrs, from_str='', to_str='', to_attrs=[], encoding='utf-8'):
40 |     """
41 |     to_attrs -> limits only to specified attributes
42 |     """
43 |     d = dict()
44 |     for k,v in attrs.items():
45 |         items = decode_iterables(v, encoding)
46 |         d[k] = [e.replace(from_str, to_str) for e in items]
47 |     return d
48 | 
49 | def append(attrs, value='', to_attrs=[], encoding='utf-8'):
50 |     """
51 |     to_attrs -> limits only to specified attributes
52 |     """
53 |     d = dict()
54 |     for k,v in attrs.items():
55 |         items = decode_iterables(v, encoding)
56 |         if value not in d[k]:
57 |             d[k] = v + value
58 |     return d
59 | 
60 | 
61 | def add_static_attribute(attrs, name='email', value='', **kwargs):
62 |     if name in attrs and isinstance(attrs[name], list):
63 |         attrs[name].append(value)
64 |     else:
65 |         attrs[name] = [value]
66 |     return attrs
67 | 
68 | 
69 | def copy_attribute_value(attrs, from_attr='email', to_attr='',
70 |                          suffix='', prefix='', **kwargs):
71 |     if not from_attr in attrs: return attrs
72 |     v = attrs[from_attr][0] if isinstance(attrs[from_attr], list) else attrs[from_attr]
73 |     value = '{}{}{}'.format(prefix, v, suffix)
74 |     if to_attr in attrs and isinstance(attrs[from_attr], list):
75 |         attrs[to_attr].append(value)
76 |     else:
77 |         attrs[to_attr] = [value]
78 |     return attrs
79 | 
80 | 
81 | def map_from_dict(attrs, from_attr='email', to_attr='',
82 |                   suffix='', prefix='', dict_map={}, **kwargs):
83 |     """map from_attr to an external dict_map, if match
84 |        create a new attr or add to an existent one (to_attr).
85 |     """
86 |     # TODO
87 |     pass
88 | 


--------------------------------------------------------------------------------
/multildap/satosa/multiple_ldap_attribute_store.py:
--------------------------------------------------------------------------------
 1 | """
 2 | SATOSA microservice that uses an identifier asserted by
 3 | the home organization SAML IdP as a key to search an LDAP
 4 | directory for a record and then consume attributes from
 5 | the record and assert them to the receiving SP.
 6 | """
 7 | 
 8 | from ldap3.core.exceptions import LDAPException
 9 | from multildap.client import LdapClient
10 | 
11 | from satosa.micro_services.base import ResponseMicroService
12 | from satosa.response import Redirect
13 | from satosa.exception import SATOSAError
14 | 
15 | import copy
16 | import importlib.util as importlib_util
17 | import logging
18 | 
19 | 
20 | logger = logging.getLogger(__name__)
21 | 
22 | 
23 | class MultiLdapAttributeStore(ResponseMicroService):
24 | 
25 |     def __init__(self, config, *args, **kwargs):
26 |         super().__init__(*args, **kwargs)
27 |         self.config = config
28 | 
29 |         # cache
30 |         # use mongodb, using sp+user id as key
31 |         #self.attributes = {}
32 | 
33 |         # import settings and loads connections
34 |         spec = importlib_util.spec_from_file_location("settings",
35 |                                                       config['settings_path'])
36 |         settings = importlib_util.module_from_spec(spec)
37 |         spec.loader.exec_module(settings)
38 | 
39 |         self.config['connections'] = settings.LDAP_CONNECTIONS
40 |         self.connections = {name: LdapClient(conf)
41 |                             for name,conf in
42 |                             settings.LDAP_CONNECTIONS.items()}
43 | 
44 |         msg = "MultiLDAP Attribute Store microservice initialized"
45 |         logger.info(msg)
46 |         for conn in self.connections:
47 |             msg = "MultiLDAP connection to: {}".format(conn)
48 |             logger.info(msg)
49 | 
50 | 
51 |     def process(self, context, data):
52 | 
53 |         # Use cache in mongoDB with cache duration of 5min
54 |         #if self.attributes and self.config.get('attributes_cache', None):
55 |             #logger.debug('Attr processor id: {}'.format(id(self)))
56 |             #msg = "MultiLdapAttributeStore found previously fetched attributes"
57 |             #logger.info(msg)
58 |             #return ResponseMicroService.process(self, context, data)
59 | 
60 |         for name,lc in self.connections.items():
61 |             search_attr = self.config['unique_attribute_to_match']
62 | 
63 |             # prevent exception on missing attr
64 |             attr_value = data.attributes.get(search_attr, False)
65 |             if not attr_value:
66 |                 msg = '{} not found in {}'.format(search_attr, lc)
67 |                 logger.debug(msg)
68 |                 continue
69 |             if isinstance(attr_value, str):
70 |                 attr_value = [attr_value]
71 | 
72 |             msg = ("MultiLdapAttributeStore searches for {} in {}".format(search_attr, lc))
73 |             logger.info(msg)
74 | 
75 |             ldapfilter = '({}{}{})'.format(search_attr,
76 |                                            self.config['ldap_filter_operator'],
77 |                                            attr_value[0])
78 |             identity = lc.get(search=ldapfilter, format='dict')
79 |             if not identity: continue
80 | 
81 |             msg = "MultiLdapAttributeStore matches on {}".format(search_attr)
82 |             logger.info(msg)
83 | 
84 |             attributes = {}
85 |             for k,v in identity.items():
86 |                 k = k.lower()
87 |                 if k not in attributes:
88 |                     attributes[k] = v
89 |                     msg = "MultiLdapAttributeStore created: {}".format([e for e in v.keys()])
90 |                     logger.debug(msg)
91 |                 # TODO: check this update
92 |                 elif k in attributes:
93 |                     attributes[k].update(v)
94 | 
95 |                 data.attributes.update(copy.copy(attributes[k]))
96 |                 logger.debug( ''.format(data.attributes))
97 | 
98 |         return ResponseMicroService.process(self, context, data)
99 | 


--------------------------------------------------------------------------------
/examples/settings.py.example:
--------------------------------------------------------------------------------
  1 | import ldap3
  2 | 
  3 | # GLOBALS
  4 | 
  5 | # encoding
  6 | ldap3.set_config_parameter('DEFAULT_SERVER_ENCODING',
  7 |                            'UTF-8')
  8 | # some broken LDAP implementation may have different encoding
  9 | # than those expected by RFCs
 10 | # ldap3.set_config_paramenter('ADDITIONAL_ENCODINGS', ...)
 11 | 
 12 | # timeouts
 13 | ldap3.set_config_parameter('RESTARTABLE_TRIES', 1)
 14 | ldap3.set_config_parameter('POOLING_LOOP_TIMEOUT', 1)
 15 | ldap3.set_config_parameter('RESET_AVAILABILITY_TIMEOUT', 1)
 16 | ldap3.set_config_parameter('RESTARTABLE_SLEEPTIME', 1)
 17 | 
 18 | 
 19 | _REWRITE_DN_TO = 'dc=proxy,dc=testunical,dc=it'
 20 | 
 21 | DEFAULT = dict(server =
 22 |                    dict(host = 'ldaps://thathost.unical.it',
 23 |                         connect_timeout = 5,
 24 |                         # TLS...
 25 |                         ),
 26 |                connection =
 27 |                    dict(user = 'cn=thatusername,dc=unical,dc=it',
 28 |                         password = 'thatpassword',
 29 |                         read_only = True,
 30 |                         version = 3,
 31 |                         # see ldap3 client_strategies
 32 |                         client_strategy = ldap3.RESTARTABLE,
 33 |                         auto_bind = True,
 34 |                         pool_size = 10,
 35 |                         pool_keepalive = 10),
 36 |                 search =
 37 |                     dict(search_base = 'ou=people,dc=unical,dc=it',
 38 |                          search_filter = '(objectclass=person)',
 39 |                          search_scope = ldap3.SUBTREE,
 40 | 
 41 |                          # general purpose for huge resultsets
 42 |                          # TODO: implement paged resultset, see: examples/paged_resultset.py
 43 |                          # size_limit = 500,
 44 |                          # paged_size = 1000, # up to 500000 results
 45 |                          # paged_criticality = True, # check if the server supports paged results
 46 |                          # paged_cookie = True, # must be sent back while requesting subsequent entries
 47 | 
 48 |                          # to get all = # '*'
 49 |                          attributes = ['eduPersonPrincipalName',
 50 |                                        'schacHomeOrganization',
 51 |                                        'mail',
 52 |                                        'uid',
 53 |                                        'givenName',
 54 |                                        'sn',
 55 |                                        'eduPersonScopedAffiliation',
 56 |                                        'schacPersonalUniqueId',
 57 |                                        'schacPersonalUniqueCode'
 58 |                                        ]
 59 | 
 60 |                         ),
 61 |                     encoding = 'utf-8',
 62 |                   rewrite_rules =
 63 |                         [{'package': 'multildap.attr_rewrite',
 64 |                          'name': 'replace',
 65 |                          'kwargs': {'from_str': 'unical', 'to_str': 'lacinu',}},
 66 | 
 67 |                           {'package': 'multildap.attr_rewrite',
 68 |                           'name': 'regexp_replace',
 69 |                           'kwargs': {'regexp': 'unical', 'sub': 'gnocc',}},
 70 | 
 71 |                           {'package': 'multildap.attr_rewrite',
 72 |                           'name': 'add_static_attribute',
 73 |                           'kwargs': {'name': 'eduPersonOrcid', 'value': 'ingoalla',}},
 74 | 
 75 |                           {'package': 'multildap.attr_rewrite',
 76 |                           'name': 'copy_attribute_value',
 77 |                           'kwargs': {'from_attr': 'uid',
 78 |                                      'to_attr': 'schacPersonalUniqueID',
 79 |                                      'suffix': '',
 80 |                                      'prefix': 'urn:schac:personalUniqueID:IT:CF:',
 81 |                                      }},
 82 |                         ],
 83 |                   
 84 |                   # Authentication settings
 85 |                   rewrite_dn_to = _REWRITE_DN_TO,
 86 |                   allow_authentication = True,
 87 |             )
 88 | 
 89 | LDAPTEST = dict(server =
 90 |                    dict(host = 'ldap://ldap.testunical.it:389',
 91 |                         connect_timeout = 5,
 92 |                         # TLS...
 93 |                         ),
 94 |                connection =
 95 |                    dict(user = 'cn=idp1,ou=idp,dc=testunical,dc=it',
 96 |                         password = 'idp1',
 97 |                         read_only = True,
 98 |                         version = 3,
 99 |                         # see ldap3 client_strategies
100 |                         client_strategy = ldap3.RESTARTABLE,
101 |                         auto_bind = True,
102 |                         pool_size = 10,
103 |                         pool_keepalive = 10),
104 |                 search =
105 |                     dict(search_base = 'ou=people,dc=testunical,dc=it',
106 |                          search_filter = '(objectclass=person)',
107 |                          search_scope = ldap3.SUBTREE,
108 | 
109 |                          # general purpose for huge resultsets
110 |                          # TODO: implement paged resultset, see: examples/paged_resultset.py
111 |                          # size_limit = 500,
112 |                          # paged_size = 1000, # up to 500000 results
113 |                          # paged_criticality = True, # check if the server supports paged results
114 |                          # paged_cookie = True, # must be sent back while requesting subsequent entries
115 | 
116 |                          # to get all = # '*'
117 |                          attributes = ['eduPersonPrincipalName',
118 |                                        'schacHomeOrganization',
119 |                                        'mail',
120 |                                        'uid',
121 |                                        'givenName',
122 |                                        'sn',
123 |                                        'eduPersonScopedAffiliation',
124 |                                        'schacPersonalUniqueId',
125 |                                        'schacPersonalUniqueCode'
126 |                                        ]
127 | 
128 |                         ),
129 |                   encoding = 'utf-8',
130 |                   rewrite_rules =
131 |                         [{'package': 'multildap.attr_rewrite',
132 |                          'name': 'replace',
133 |                          'kwargs': {'from_str': 'testunical', 'to_str': 'unical',}},
134 | 
135 |                          {'package': 'multildap.attr_rewrite',
136 |                           'name': 'regexp_replace',
137 |                           'kwargs': {'regexp': '', 'sub': '',}},
138 | 
139 |                         ],
140 |                   rewrite_dn_to = _REWRITE_DN_TO,
141 |             )
142 | 
143 | # put multiple connections here
144 | LDAP_CONNECTIONS = {'DEFAULT' : DEFAULT,
145 |                     'LDAPTEST' : LDAPTEST}
146 | 


--------------------------------------------------------------------------------
/multildap/commands.py:
--------------------------------------------------------------------------------
  1 | import copy
  2 | import logging
  3 | 
  4 | from multildap.client import LdapClient
  5 | 
  6 | 
  7 | logger = logging.getLogger(__name__)
  8 | 
  9 | 
 10 | # https://docs.oracle.com/javase/jndi/tutorial/ldap/models/exceptions.html
 11 | _CODE_NOSUCHOBJECTEXISTS = 32
 12 | _CODE_NOTIMPLEMENTED = 53
 13 | _CODE_TIMEOUT = 3
 14 | _CODE_OPERATIONERROR = 1
 15 | _CODE_INVALIDCREDENTIAL = 49
 16 | 
 17 | # RESPONSE TEMPLATES
 18 | _ENTRY_TMPL = """{ldifs}"""
 19 | _RESULT_TMPL = """
 20 | 
 21 | RESULT
 22 | code: {code}
 23 | info: {text}
 24 | """
 25 | 
 26 | 
 27 | class LDAPUnrecognizesCommandAttributes(Exception):
 28 |     pass
 29 | 
 30 | 
 31 | class LdapCommand(object):
 32 | 
 33 |     def __init__(self, ldap_command):
 34 |         """
 35 |         ldap_command = ['SEARCH', {**attr_kwargs}]
 36 |         """
 37 |         self.type = ldap_command[0].lower()
 38 |         for k,v in ldap_command[1].items():
 39 |             setattr(self, k, int(v) if v.isdigit() else v)
 40 |         self.command = 'process_{}'.format(self.type)
 41 |         logging.debug('LDAPCommand: {}'.format(ldap_command))
 42 | 
 43 |     def process(self, ldapclients=[]):
 44 |         """
 45 |         The commands - except unbind - should output:
 46 |               RESULT
 47 |               code: <integer>
 48 |               matched: <matched DN>
 49 |               info: <text>
 50 |         where  only RESULT is mandatory, and then close the socket.  The search
 51 |         RESULT should be preceded by the entries in  LDIF  format,  each  entry
 52 |         followed  by  a  blank  line.   Lines starting with `#' or `DEBUG:' are
 53 |         ignored.
 54 |         """
 55 |         response = ''
 56 |         if self.type == 'unbind':
 57 |                 return ''
 58 |         if hasattr(self, self.command):
 59 |             try:
 60 |                 response = getattr(self, self.command.lower())(ldapclients)
 61 |             except Exception as excp:
 62 |                 return _RESULT_TMPL.format(**{'code':_CODE_OPERATIONERROR,
 63 |                                               'text': excp})
 64 |         else:
 65 |             code = _CODE_NOTIMPLEMENTED
 66 |             text = 'LDAP command [{}] non implemented yet'.format(self.command,
 67 |                                                                   self.type)
 68 |         return response
 69 | 
 70 | 
 71 |     def process_search(self, ldapclients):
 72 |         """
 73 |         SEARCH
 74 |         msgid: <message id>
 75 |         <repeat { "suffix:" <database suffix DN> }>
 76 |         base: <base DN>
 77 |         scope: <0-2, see ldap.h>
 78 |         deref: <0-3, see ldap.h>
 79 |         sizelimit: <size limit>
 80 |         timelimit: <time limit>
 81 |         filter: <filter>
 82 |         attrsonly: <0 or 1>
 83 |         attrs: <"all" or space-separated attribute list>
 84 |         <blank line>
 85 |         """
 86 |         ldifs = []
 87 |         for ldapclient in ldapclients:
 88 |             attributes = self.attrs if self.attrsonly else ldapclient.conf['search']['attributes']
 89 | 
 90 |             if self.filter == '(objectClass=*)':
 91 |                 self.filter = ldapclient.conf['search']['search_filter']
 92 |                 logger.info('FILTER rewritten from {} to {}'.format('(objectClass=*)',
 93 |                                                                     self.filter))
 94 | 
 95 |             # detect if this search came from a BIND, restrict search to useronly changing the filter
 96 |             if self.suffix != ldapclient.conf['search']['search_base']:
 97 |                 new_filter = '({})'.format(self.binddn.split(',')[0])
 98 |                 logger.debug('FILTER rewritten from {} to {}'.format(self.filter,
 99 |                                                                      new_filter))
100 |                 self.filter = new_filter
101 |                 # ldapclient.ensure_connection()
102 | 
103 |             result = ldapclient.get(search = self.filter,
104 |                                     size_limit = self.sizelimit,
105 |                                     attributes = attributes,
106 |                                     format='ldif')
107 |             if result:
108 |                 ldifs.append(result)
109 |                 logger.debug('SEARCH {} found in {}'.format(self.filter,
110 |                                                             ldapclient))
111 |             else:
112 |                 ldifs.append('')
113 |                 logger.debug('SEARCH {} not found in {}'.format(self.filter,
114 |                                                                 ldapclient))
115 | 
116 |         ldif = ''.join(ldifs)
117 |         entry_dict = {'ldifs': ldif,
118 |                       #'msgid': self.msgid
119 |                       }
120 | 
121 |         # produce RESULT data
122 |         result_dict = {
123 |                         #'msgid': self.msgid,
124 |                        'code': 0 if ldifs else _CODE_NOSUCHOBJECTEXISTS,
125 |                        'text': '{} bytes fetched'.format(len(ldif))}
126 | 
127 |         # TODO: wait for a coherent slapd-sock documentation
128 |         response = ''.join((_ENTRY_TMPL.format(**entry_dict),
129 |                             _RESULT_TMPL.format(**result_dict)))
130 |         return response
131 | 
132 | 
133 |     def process_bind(self, ldapclients):
134 |         """
135 |         BIND
136 |         msgid: <message id>
137 |         <repeat { "suffix:" <database suffix DN> }>
138 |         dn: <DN>
139 |         method: <method number>
140 |         credlen: <length of <credentials>>
141 |         cred: <credentials>
142 |         <blank line>
143 |         """
144 |         result = 0
145 |         for ldapclient in ldapclients:
146 |             try:
147 |                 username = getattr(self, 'dn')
148 |                 from_dn = ldapclient.extract_dn_suffix(username)
149 |                 target_username = username.replace(from_dn,
150 |                                                    ldapclient.conf['search']['search_base'])
151 |                 logger.info('Authentication: rewrite {} to {} on {}'.format(username,
152 |                                                                             target_username,
153 |                                                                             ldapclient))
154 |                 result = ldapclient.authenticate(target_username,
155 |                                                  getattr(self, 'cred'))
156 |                 if result:
157 |                     code = 0
158 |                     text = 'Authentication successfull on {}'.format(ldapclient.conf['server']['host'])
159 |                     break
160 |                 else:
161 |                     code = _CODE_INVALIDCREDENTIAL
162 |                     text = 'Invalid credentials [allow_create: {}]'.format(ldapclient.conf.get('allow_autentication'))
163 |             except Exception as excp:
164 |                 text = '{}'.format(excp)
165 |                 code = _CODE_OPERATIONERROR
166 | 
167 |         result_dict = {'code': code,
168 |                        'text': text
169 |                        #'msgid': self.msgid,
170 |                        }
171 |         response = _RESULT_TMPL.format(**result_dict)
172 |         return response
173 | 
174 |     def process_unbind(self, ldapclient):
175 |         """
176 |         UNBIND
177 |         msgid: <message id>
178 |         <repeat { "suffix:" <database suffix DN> }>
179 |         <blank line>
180 |         """
181 |         return '\n'
182 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | pyMultiLDAP
  2 | -----
  3 | 
  4 | pyMultiLDAP can gather data from multiple LDAP servers, can do data aggregation and manipulation with rewrite rules.
  5 | pyMultiLDAP can act also as a proxy server, behind openldap's slapd-sock backend or any custom implementation.
  6 | 
  7 | ### Features
  8 | 
  9 | - LDAP client to many servers as a single one;
 10 | - Custom functions to manipulate returning data (rewrite rules);
 11 | - Export data in python dictionary, json or ldiff format;
 12 | - Proxy Server, exposing a server daemon usable with [slapd-sock backend](https://www.openldap.org/software/man.cgi?query=slapd-sock).
 13 | 
 14 | pyMultiLDAP doesn't write to LDAP servers, it just handle readonly data.
 15 | It's also used to automate smart data processing on-the-fly.
 16 | 
 17 | See `example/settings.py.example` and `multildap/attr_rewrite.py` to understand how to configure and extend it.
 18 | 
 19 | ### Tested on
 20 | 
 21 | - Debian9;
 22 | - Debian10.
 23 | 
 24 | ### Setup
 25 | Configure multiple connections and search paramenters in `settings.py`.
 26 | 
 27 | Install
 28 | ````
 29 | git clone https://github.com/peppelinux/pyMultiLDAP.git
 30 | cd pyMultiLDAP
 31 | pip install -r requirements
 32 | python3 setup.py install
 33 | ````
 34 | 
 35 | or use pipy [WIP]
 36 | 
 37 | ````
 38 | pip install pyMultiLDAP
 39 | ````
 40 | 
 41 | #### LdapClient Class usage
 42 | ````
 43 | from multildap.client import LdapClient
 44 | from settings import LDAP_CONNECTIONS
 45 | 
 46 | lc = LdapClient(LDAP_CONNECTIONS['SAMVICE'])
 47 | 
 48 | # get all the results
 49 | lc.get()
 50 | 
 51 | # apply a filter
 52 | lc.get(search="(&(sn=de marco)(schacPersonalUniqueId=*DMRGPP83*))")
 53 | ````
 54 | 
 55 | ##### Search and get
 56 | 
 57 | See `examples/run_test.py`.
 58 | 
 59 | Difference between `.search` and `.get`:
 60 | - *search* relyies on connection configuration and returns result as it come (raw);
 61 | - *get* handles custom search filter and retrieve result as dictionary, json, ldif or python object format. It also apply rewrite rules.
 62 | 
 63 | ````
 64 | import copy
 65 | 
 66 | from multildap.client import LdapClient
 67 | from settings import LDAP_CONNECTIONS
 68 | 
 69 | lc = LdapClient(LDAP_CONNECTIONS['DEFAULT'])
 70 | 
 71 | kwargs = copy.copy(lc.conf)
 72 | kwargs['search']['search_filter'] = "(&(sn=de medici)(givenName=aurora))"
 73 | r = lc.search(**kwargs['search'])
 74 | ````
 75 | 
 76 | #### Results in json format
 77 | ````
 78 | from multildap.client import LdapClient
 79 | from . settings import LDAP_CONNECTIONS
 80 | 
 81 | 
 82 | for i in LDAP_CONNECTIONS:
 83 |     lc = LdapClient(LDAP_CONNECTIONS[i])
 84 |     print('# Results from: {} ...'.format(lc))
 85 | 
 86 |     # get all as defined search_filter configured in settings connection
 87 |     # but in json format
 88 |     r = lc.get(format='json')
 89 |     print(r)
 90 | 
 91 |     # set a custom search as method argument
 92 |     r = lc.get(search="(&(sn=de marco)(schacPersonalUniqueId=*DMRGPP345tg86H))", format='json')
 93 |     print(r)
 94 | 
 95 |     print('# End {}'.format(i))
 96 | ````
 97 | 
 98 | #### Run the server
 99 | 
100 | Network address
101 | ````
102 | multildapd.py -conf settings.py -port 1234
103 | ````
104 | 
105 | Unix domain socket (for slapd-sock backend)
106 | ````
107 | multildapd.py -conf ./settings.py -loglevel "DEBUG" -socket /var/run/multildap.sock -pid /var/run/multildap.pid -uid openldap
108 | ````
109 | 
110 | Dummy test without any ldap client connection configured, just to test slapd-sock:
111 | ````
112 | multildapd.py -conf ./settings.py -dummy -loglevel "DEBUG" -socket /var/run/multildap.sock -pid /var/run/multildap.pid
113 | ````
114 | 
115 | Test Unix domain socket from cli
116 | ````
117 | nc -U /tmp/multildap.sock
118 | ````
119 | 
120 | #### Interfacing it with OpenLDAP slapd-sock
121 | 
122 | The  [Slapd-sock](https://www.openldap.org/software/man.cgi?query=slapd-sock)
123 |  backend  to  slapd  uses  an external program to handle
124 |  queries. This makes it
125 |  possible to have a pool of processes, which persist  between  requests.
126 |  This  allows  multithreaded operation and a higher level of efficiency.
127 |  Multildapd  listens  on  a  Unix  domain  socket and it must have  been  started  independently;
128 | 
129 | This  module  may  also  be  used  as  an  overlay on top of some other
130 |  database.  Use as an overlay allows external actions to be triggered in
131 |  response to operations on the main database.
132 | 
133 | #### Configure slapd-sock as database
134 | 
135 | Add the module.
136 | ````
137 | ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
138 | dn: cn=module,cn=config
139 | objectClass: olcModuleList
140 | cn: module
141 | olcModuleLoad: back_sock.la
142 | EOF
143 | ````
144 | 
145 | Create the database.
146 | ````
147 | ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
148 | dn: olcDatabase={4}sock,cn=config
149 | objectClass: olcDbSocketConfig
150 | olcDatabase: {4}sock
151 | olcDbSocketPath: /var/run/multildap.sock
152 | olcSuffix: dc=proxy,dc=testunical,dc=it
153 | olcDbSocketExtensions: binddn peername ssf
154 | EOF
155 | ````
156 | 
157 | Add an Overlay if you want to wrap an existing backend
158 | ````
159 | ldapmodify -H ldapi:// -Y EXTERNAL <<EOF
160 | dn: olcOverlay=sock,olcDatabase={1}mdb,cn=config
161 | changetype: add
162 | objectClass: olcConfig
163 | objectClass: olcOverlayConfig
164 | objectClass: olcOvSocketConfig
165 | olcOverlay: sock
166 | olcDbSocketPath: /var/run/multildap/multildap.sock
167 | olcOvSocketOps: bind unbind search
168 | olcOvSocketResps: search
169 | EOF
170 | ````
171 | 
172 | Remember to configure an ACL otherwise only `ldapsearch -H ldapi:// -Y EXTERNAL` as root would fetch ldif.
173 | Remember to add a space char `' '` after every olaAccess line, otherwise you'll get `Implementation specific error(80)`.
174 | 
175 | ````
176 | export BASEDC="dc=testunical,dc=it"
177 | 
178 | ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
179 | dn: olcDatabase={4}sock,cn=config
180 | changeType: modify
181 | replace: olcAccess
182 | olcAccess: to *
183 |  by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
184 |  by * break
185 | # the following permits self BIND by users
186 | olcAccess: to dn.subtree="dc=proxy,$BASEDC"
187 |  by self read
188 |  by * break
189 | # the following two permits SEARCH by idp and foreign auth system
190 | olcAccess: to dn.subtree="ou=people,$BASEDC"
191 |  by dn.children="ou=auth,$BASEDC" read
192 |  by self read
193 |  by * break
194 | olcAccess: to dn.subtree="ou=people,$BASEDC"
195 |  by dn.children="ou=idp,$BASEDC" read
196 |  by self read
197 |  by * break
198 | olcAccess: to *
199 |  by anonymous auth
200 |  by * break
201 | EOF
202 | ````
203 | 
204 | Authentication  (BIND) on top of the multildapd must be configured with attribute
205 | `rewrite_dn_to` regarding every connections in the settings.py. If abstent the specified connection will be excluded from authentication.
206 | TODO: _adopt openldap proxy authz statements_.
207 | 
208 | ````
209 | ldapsearch -H ldap://localhost:389 -D "uid=peppe,dc=proxy,dc=testunical,dc=it" -w thatsecret -b 'uid=peppe,dc=proxy,dc=unical,dc=it'
210 | ````
211 | 
212 | #### Hints
213 | 
214 | See databases currently installed:
215 | - `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' -LLL  "olcDatabase=*"`;
216 | - Use `client_strategy = RESTARTABLE` instead of `REUSABLE` in your settings.py for better performances;
217 | - A Backend can not be deleted via ldapdelete/modify until OpenLDAP 2.5 will be released;
218 | - Changing the socket path
219 | ````
220 | ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF
221 | dn: olcDatabase={4}sock,cn=config
222 | changetype: modify
223 | replace: olcDbSocketPath
224 | olcDbSocketPath: /var/run/multildap.sock
225 | EOF
226 | ````
227 | - Deploy a dummy socket listener with socat, just to debug incoming connection from slapd-sock.
228 | 
229 | ````
230 | socat -s UNIX-LISTEN:/tmp/slapd-sock,umask=000,fork EXEC:"$your_command"
231 | ````
232 | 
233 | #### Other slapd-sock resources:
234 | 
235 | - [slapsock](https://build.opensuse.org/package/show/home:stroeder:AE-DIR/python-slapdsock)
236 | - [slapd-trigger](https://github.com/jclain/slapd-trigger)
237 | - [ldap.h search scopes](https://github.com/openldap/openldap/blob/master/include/ldap.h#L581)
238 | - [slapd-sock in OpenLDAP ML](https://www.openldap.org/cgi-bin/wilma_glimpse/openldap-technical?query=slapd-sock&Search=Search&errors=0&maxfiles=50&maxlines=10&.cgifields=lineonly&.cgifields=restricttofiles&.cgifields=filelist&.cgifields=partial&.cgifields=case)
239 | 
240 | 
241 | #### Todo
242 | 
243 | - Example configuration with slapd's Proxy Authorization Rules (authzTo: dn.regex:^uid=[^,]*,dc=example,dc=com$);
244 | - Only SEARCH, BIND and UNBIND is usable, other LDAP methods should be implemented;
245 | 


--------------------------------------------------------------------------------
/multildap/client.py:
--------------------------------------------------------------------------------
  1 | import copy
  2 | import importlib
  3 | import ldap3
  4 | import logging
  5 | import json
  6 | import re
  7 | 
  8 | from . decorators import timeout
  9 | from ldap3.core.exceptions import LDAPMaximumRetriesError
 10 | 
 11 | 
 12 | logger = logging.getLogger(__name__)
 13 | 
 14 | 
 15 | class LdapClient(object):
 16 | 
 17 |     def __init__(self, LDAP_SRV_CONF):
 18 |         self.conf = LDAP_SRV_CONF
 19 |         self.conn = None
 20 |         self.server = None
 21 |         self.strategy = LDAP_SRV_CONF['connection']['client_strategy']
 22 | 
 23 |     def get_response(self, message_id=None, timeout=10):
 24 |         if self.strategy in (ldap3.REUSABLE,
 25 |                              ldap3.ASYNC):
 26 |             # message_id for async strategy
 27 |             results = self.conn.get_response(message_id, timeout=timeout)
 28 |         else:
 29 |             results = self.conn.entries
 30 |         return results
 31 | 
 32 |     def set_search_filter(self, search_filter):
 33 |         self.conf['search']['search_filter'] = search_filter
 34 | 
 35 |     def connect(self):
 36 |         logger.info('Connecting to {}...'.format(self.conf['server']['host']))
 37 |         try:
 38 |             self.server = ldap3.Server(**self.conf['server'])
 39 |             self.conn = ldap3.Connection(self.server, **self.conf['connection'])
 40 |         except LDAPMaximumRetriesError as excp:
 41 |             logger.error("Error: {}".format(excp))
 42 | 
 43 |     def set_strategy(self, strategy_type):
 44 |         if self.conn and strategy_type == self.conn.strategy_type:
 45 |             return
 46 |         self.conf['connection']['client_strategy'] = strategy_type
 47 |         self.connect()
 48 |         self.strategy = strategy_type
 49 | 
 50 |     def ensure_connection(self):
 51 |         search_kwargs = copy.deepcopy(self.conf['search'])
 52 |         search_kwargs['size_limit'] = 1
 53 |         if self.conn and not self.conn.closed:
 54 |             try:
 55 |                 self.conn.search(**search_kwargs)
 56 |             except Exception as excp:
 57 |                 logger.debug('Connection error: {}...'.format(excp))
 58 |                 self.connect()
 59 |         else:
 60 |             self.connect()
 61 | 
 62 |     # @timeout(3)
 63 |     def search(self, **kwargs):
 64 |         self.ensure_connection()
 65 |         _kwargs = kwargs if kwargs else self.conf['search']
 66 |         timeout = kwargs.get('timeout')
 67 |         result = self.conn.search(**_kwargs)
 68 |         logger.debug('result [{}]: {}'.format(self.conf['connection']['client_strategy'],
 69 |                                               result))
 70 |         if timeout:
 71 |             return self.get_response(result, timeout=timeout)
 72 |         else:
 73 |             return self.get_response(result)
 74 | 
 75 |     def _decode_elements(self, attr_dict):
 76 |         return {k:[e.decode(self.conf['encoding']) if isinstance(e, bytes) else e for e in v]
 77 |                 for k,v in attr_dict.items() }
 78 | 
 79 |     def _as_object(self, res):
 80 |         return type('', (object,), list(res.values())[0])()
 81 | 
 82 |     def _as_json(self, res):
 83 |         return json.dumps(res, indent=2)
 84 | 
 85 |     def _as_ldif(self, res):
 86 |         ldifs = []
 87 |         # import pdb; pdb.set_trace()
 88 |         for dn in res:
 89 |             ldif = ['dn: {}'.format(dn)]
 90 |             for attr in res[dn]:
 91 |                 if isinstance(res[dn][attr], list):
 92 |                     for value in res[dn][attr]:
 93 |                         ldif.append('{}: {}'.format(attr, value))
 94 |                 else:
 95 |                     ldif.append('{}: {}'.format(attr, res[dn][attr]))
 96 |             ldifs.append('\n'.join(ldif))
 97 |         return '\n\n'.join(ldifs)
 98 | 
 99 |     def _as_dict(self, res):
100 |         if isinstance(res, dict): return res
101 |         result = dict()
102 |         if not res: return result
103 |         if self.strategy in (ldap3.SYNC, ldap3.RESTARTABLE):
104 |             for entry in res:
105 |                 result[entry.entry_dn] = entry.entry_attributes_as_dict
106 |         else:
107 |             # E.g.
108 |             # r[0] = entries,
109 |             # r[1] = {'type': 'searchResDone', 'message': '', 'referrals': None, 'result': 0, 'dn': '', 'description': 'success'}
110 |             for entry in res[0]:
111 |                 if not result.get(entry['dn']):
112 |                     result[entry['dn']] = dict()
113 |                 result[entry['dn']] = self._decode_elements(entry['raw_attributes'])
114 |         return result
115 | 
116 |     @staticmethod
117 |     def extract_dn_suffix(from_dn):
118 |         from_dn = re.split("uid=[a-zA-Z0-9\.\-\:\@]*,", from_dn)[1]
119 |         return from_dn
120 | 
121 |     def _apply_rewrites(self, entries):
122 |         rewritten_entries = {}
123 |         for dn in entries:
124 |             for rule_index in range(len(self.conf['rewrite_rules'])):
125 |                 # this, otherwise multiple rules on
126 |                 # the same dn will not be overwrited...
127 |                 if rewritten_entries.get(dn):
128 |                     entry = rewritten_entries[dn]
129 |                 else:
130 |                     entry = entries[dn]
131 |                 rewritten_entries[dn] = self.apply_attr_rewrite(entry,
132 |                                                                 rule_index)
133 | 
134 |         if self.conf.get('rewrite_dn_to') and rewritten_entries:
135 |             repl = self.conf['rewrite_dn_to']
136 |             from_dn = self.extract_dn_suffix(dn)
137 |             return { k.replace(from_dn, repl): v for k,v in entries.items()}
138 | 
139 |         return rewritten_entries
140 | 
141 |     def get(self, search=None, size_limit=0, format=None, attributes=None):
142 |         _kwargs = copy.copy(self.conf['search'])
143 |         _kwargs['size_limit'] = size_limit
144 |         _kwargs['search_filter'] = search if search else self.conf['search']['search_filter']
145 |         _kwargs['attributes'] = attributes if attributes else self.conf['search']['attributes']
146 |         res = self.search(**_kwargs)
147 |         if not res: return
148 |         entries = self._as_dict(res)
149 | 
150 |         # Rewrite rules detection
151 |         # TODO: Specialize a private method here :)
152 |         if self.conf.get('rewrite_rules'):
153 |             entries = self._apply_rewrites(entries)
154 |         # END Rewrite rules detection
155 | 
156 |         # format
157 |         if format:
158 |             if format == 'dict': return entries
159 |             method = '_as_{}'.format(format)
160 |             if hasattr(self, method):
161 |                 entries = getattr(self, method)(entries)
162 |         else:
163 |             logger.debug(("[Warning] rewrite rules can only "
164 |                           "be applied with a defined format"))
165 |         return entries
166 | 
167 |     def apply_attr_rewrite(self, attributes, package_index):
168 |         rule = self.conf['rewrite_rules'][package_index]
169 |         package = importlib.import_module(rule['package'])
170 |         logger.debug('[Rewrite Rule] Apply {}'.format(rule))
171 |         func = getattr(package, rule['name'])
172 |         new_attrs = func(attributes, encoding=self.conf['encoding'],
173 |                          **rule['kwargs'])
174 |         return new_attrs
175 | 
176 |     # @timeout(3)
177 |     def authenticate(self, user, password, new_connection=False):
178 |         if not self.conf.get('allow_authentication'):
179 |             msg = 'Authentication disabled for [{}]'
180 |             logger.debug(msg.format(self.conf['server']['host']))
181 |             return
182 |         if not self.conn:
183 |             self.ensure_connection()
184 |         _kwargs = copy.copy(self.conf['connection'])
185 |         _kwargs['user'] = user
186 |         _kwargs['password'] = password
187 |         status = False
188 |         try:
189 |             if new_connection:
190 |                 server = ldap3.Server(**self.conf['server'])
191 |                 status = ldap3.Connection(server, **_kwargs)
192 |             else:
193 |                 status = self.conn.rebind(user, password)
194 |             return status
195 |         except Exception as excp:
196 |             msg = 'Authentication error: {}'.format(excp)
197 |             logger.error(msg)
198 |             return status
199 | 
200 |     def __str__(self):
201 |         return '{} - {} - {}'.format(self.conf['server']['host'],
202 |                                      self.conf['search']['search_base'],
203 |                                      self.conf['search']['search_filter'])
204 | 
205 |     def __repr__(self):
206 |         return self.__str__()
207 | 


--------------------------------------------------------------------------------
/multildap/multildapd.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | 
  3 | import gevent
  4 | #from gevent import monkey; monkey.patch_all()
  5 | import getpass
  6 | import logging
  7 | import logging.handlers
  8 | import os
  9 | import pwd
 10 | import signal
 11 | import sys
 12 | 
 13 | from gevent import socket as gsocket
 14 | from gevent.server import StreamServer
 15 | from ldap3.core.exceptions import (LDAPInvalidFilterError,
 16 |                                    LDAPMaximumRetriesError,
 17 |                                    LDAPSocketOpenError)
 18 | from multildap.client import LdapClient, logger as logger_client
 19 | from multildap.commands import (LdapCommand,
 20 |                                 LDAPUnrecognizesCommandAttributes,
 21 |                                 logger as logger_commands)
 22 | from time import time, sleep
 23 | 
 24 | 
 25 | logger = logging.getLogger('multildapd')
 26 | 
 27 | 
 28 | _CONN = []
 29 | _LOG_LDAP_REQUEST = 0
 30 | # a LDAP command cannot be more then ... lines
 31 | _LDAP_MAX_COMMAND_LINES = 13
 32 | 
 33 | 
 34 | def ldap_result(ldap_command):
 35 |     result = ''
 36 |     lc = LdapCommand(ldap_command)
 37 |     # how many seconds a request should takes?
 38 |     try:
 39 |         start = time()
 40 |         result = lc.process(ldapclients=_CONN)
 41 |         end = time()
 42 |         msg = '[{} {} -> {}bytes] elapsed in: {:.2f}'
 43 |         elapsed = msg.format(ldap_command[0],
 44 |                              lc.filter if hasattr(lc, 'filter') else lc.type,
 45 |                              len(result),
 46 |                              (end - start))
 47 |         logger.info(elapsed)
 48 |     except LDAPInvalidFilterError as exp:
 49 |         logger.error('Invalid filter: {}'.format(dec_line))
 50 |     except LDAPMaximumRetriesError as exp:
 51 |         end = time()
 52 |         msg = 'LDAP endpoint connection error [{0:.2f}s]: {1}'
 53 |         logger.critical(msg.format((end - start), exp))
 54 |     except LDAPSocketOpenError as exp:
 55 |         end = time()
 56 |         msg = 'LDAP endpoint connection error [{0:.2f}s]: {1}'
 57 |         logger.critical(msg.format((end - start), exp))
 58 |     except Exception as exp:
 59 |         logger.info('Error on handling connection: {}'.format(exp))
 60 |         # TODO: write error code to clients to interrupt wait
 61 |         # socket.sendall('{}\n'.format(exp).encode())
 62 | 
 63 |     #result = result.replace('ou=people,dc=testunical,dc=it', 'dc=proxy,dc=unical,dc=it')
 64 |     logger.debug('RESPONSE \n{}'.format(result))
 65 |     return result
 66 | 
 67 | def create_socket(args):
 68 |     # clean up previous socket
 69 |     if os.path.exists(args.socket):
 70 |         msg = 'Unlink and remove previous socket: {}'
 71 |         logger.info(msg.format(args.socket))
 72 |         os.unlink(args.socket)
 73 | 
 74 |     # logger.info('Create a socket {}'.format(args.socket))
 75 |     # creates a new server on a unix domain socket
 76 |     sock = gsocket.socket(gsocket.AF_UNIX,
 77 |                           gsocket.SOCK_STREAM)
 78 |     sock.setblocking(0)
 79 |     sock.bind(args.socket)
 80 | 
 81 |     # todo arg to change users
 82 |     user = pwd.getpwnam(getpass.getuser())
 83 | 
 84 |     # We would like to also set the user to "cmsuser" but only root
 85 |     # can do that. Therefore we limit ourselves to the group.
 86 |     os.chown(args.socket, os.getuid(), user.pw_gid)
 87 | 
 88 |     uid = pwd.getpwnam(args.uid).pw_uid
 89 |     os.chmod(args.socket, 0o660)
 90 |     os.chown(args.socket, uid, 0)
 91 | 
 92 |     backlog=33
 93 |     sock.listen(backlog)
 94 |     return sock
 95 | 
 96 | 
 97 | def reset_ldap_command():
 98 |     return [None, {}]
 99 | 
100 | 
101 | def handle_debug1(socket, address):
102 |     rfileobj = socket.makefile(mode='rb')
103 |     while 1:
104 |         line = rfileobj.readline()
105 |         if line == b'\n':
106 |             result = """dn: uid=mario,dc=proxy,dc=unical,dc=it
107 | uid: mario
108 | mail: mario.rossi@unical.it
109 | sn: rossi
110 | cn: mario
111 | 
112 | dn: uid=peppe,dc=proxy,dc=unical,dc=it
113 | uid: peppe
114 | mail: peppe.grossi@unical.it
115 | sn: rossi
116 | cn: peppe
117 | 
118 | RESULT
119 | code: 0
120 | """
121 |             socket.sendall(result.encode())
122 |             break
123 |     rfileobj.close()
124 | 
125 | 
126 | def handle(socket, address):
127 |     if address:
128 |         logger.info('new connection from {}'.format(address))
129 |     else:
130 |         logger.info('new local connection on unix domain socket')
131 | 
132 |     ldap_command = reset_ldap_command()
133 |     result = None
134 |     rfileobj = socket.makefile(mode='rb')
135 |     while True:
136 |         line = rfileobj.readline()
137 |         if line == b'\n':
138 |             logger.debug("END command submission".format(address))
139 |             result = ldap_result(ldap_command)
140 |             ldap_command = reset_ldap_command()
141 |             socket.sendall(result.encode())
142 |             result = None
143 |             break
144 |         elif not line:
145 |             logger.info("client {} disconnected".format(address))
146 |             break
147 |         else:
148 |             if _LOG_LDAP_REQUEST:
149 |                 logger.debug("Received: {}".format(line))
150 | 
151 |             dec_line = line.decode().replace('\n', '')
152 | 
153 |             # filter, security check
154 |             if len(ldap_command[1].keys()) > _LDAP_MAX_COMMAND_LINES:
155 |                 raise LDAPUnrecognizesCommandAttributes(ldap_command)
156 | 
157 |             # store command type
158 |             if not ldap_command[0]:
159 |                 ldap_command[0] = dec_line
160 |                 #continue
161 | 
162 |             # extract and store attribute one by one
163 |             extr_attr = dec_line.split(': ')
164 |             if len(extr_attr) == 2:
165 |                 cmd_key, cmd_value = extr_attr
166 |                 ldap_command[1][cmd_key] = cmd_value
167 |                 continue
168 | 
169 |     logger.debug('Disconnect')
170 |     rfileobj.close()
171 | 
172 | 
173 | def stop_app(pidfile, socket=None):
174 |     # STOP PROCESS TASKS
175 |     os.unlink(pidfile)
176 |     if socket:
177 |         os.unlink(args.socket)
178 |     logger.info('Stopped')
179 |     sys.exit(0)
180 | 
181 | 
182 | if __name__ == '__main__':
183 |     import argparse
184 |     from importlib import util as importlib_util
185 | 
186 |     parser = argparse.ArgumentParser()
187 |     parser.add_argument('-conf', required=True,
188 |                         help="settings file where connection are configured")
189 |     parser.add_argument('-bind', required=False, default="127.0.0.1",
190 |                         help="127.0.0.1")
191 |     parser.add_argument('-port', required=False, type=int,
192 |                         help="settings file where connection are configured")
193 |     parser.add_argument('-socket', required=False, default="/tmp/multildap.sock",
194 |                         help="socket to listen to, default: /tmp/multildap.sock"),
195 |     parser.add_argument('-pid', required=False, default="/tmp/multildap.pid",
196 |                         help="socket to listen to, default: /tmp/multildap.pid"),
197 |     parser.add_argument('-uid', required=False, default="openldap",
198 |                         help="socket owner. E.g.: openldap or slapd uid"),
199 |     parser.add_argument('-loglevel', required=False, choices=('INFO',
200 |                                                               'DEBUG',
201 |                                                               'ERROR',
202 |                                                               'WARNING'),
203 |                         default='DEBUG',
204 |                         help="debug"),
205 |     parser.add_argument('-logfile', required=False, #type=argparse.FileType('w'),
206 |                         help="debug")
207 |     parser.add_argument('-dummy', required=False, action="store_true",
208 |                         help="debug")
209 |     args = parser.parse_args()
210 | 
211 |     # import settings
212 |     spec = importlib_util.spec_from_file_location("settings", args.conf)
213 |     settings = importlib_util.module_from_spec(spec)
214 |     spec.loader.exec_module(settings)
215 | 
216 |     # logging
217 |     formatter = logging.Formatter('[%(asctime)s] [%(levelname)s] %(name)s: %(message)s')
218 |     if args.logfile:
219 |         logfile = logging.handlers.RotatingFileHandler(filename=args.logfile, maxBytes=2000000, backupCount=100)
220 |         logfile.setFormatter(formatter)
221 |         logger.addHandler(logfile)
222 |         logger_commands.addHandler(logfile)
223 |         logger_client.addHandler(logfile)
224 | 
225 |     stdout = logging.StreamHandler()
226 |     stdout.setFormatter(formatter)
227 |     logger.setLevel(getattr(logging, args.loglevel))
228 |     logger.addHandler(stdout)
229 | 
230 |     logger_commands.setLevel(getattr(logging, args.loglevel))
231 |     logger_commands.addHandler(stdout)
232 |     logger_commands.propagate = False
233 | 
234 |     logger_client.setLevel(getattr(logging, args.loglevel))
235 |     logger_client.addHandler(stdout)
236 |     logger_client.propagate = False
237 | 
238 |     # prevents double messages printing cause of propagation from handlers to ancestors
239 |     logger.propagate = False
240 | 
241 |     if args.loglevel == 'DEBUG':
242 |         _LOG_LDAP_REQUEST = 1
243 | 
244 |     # init ldap client objects globally
245 |     _CONN = [LdapClient(conf) for conf in settings.LDAP_CONNECTIONS.values()]
246 | 
247 |     # create pid file
248 |     pid = str(os.getpid())
249 |     pidfile = args.pid
250 |     if os.path.isfile(pidfile):
251 |         logger.debug("{} already exists, exiting".format(pidfile))
252 |         sys.exit()
253 |     open(pidfile, 'w').write(pid)
254 |     logger.info("Process run on pid: {}".format(pid))
255 |     # end pidfile
256 | 
257 |     # register a signal
258 |     sock = None
259 |     gevent.signal_handler(signal.SIGTERM, stop_app, **{'pidfile': pidfile,
260 |                                                'socket': sock})
261 |     gevent.signal_handler(signal.SIGINT, stop_app, **{'pidfile': pidfile,
262 |                                               'socket': sock})
263 | 
264 |     if args.port:
265 |         # creates a new server on ip:port
266 |         logger.info('Running server on {}:{}'.format(args.bind,
267 |                                                      args.port))
268 |         server = StreamServer((args.bind, args.port), handle)
269 |     else:
270 |         sock = create_socket(args)
271 |         if args.dummy:
272 |             server = StreamServer(sock, handle_debug1)
273 |         else:
274 |             server = StreamServer(sock, handle)
275 | 
276 | 
277 |     # start accepting new connections
278 |     server.serve_forever()
279 | 


--------------------------------------------------------------------------------