Compare commits


No commits in common. "ca0aa23c276fe199376c90faa8010ead7db531fb" and "18a27b195e060fb98f026f880dbdac3c2c5f179b" have entirely different histories.

9 changed files with 56 additions and 223 deletions


@ -18,34 +18,6 @@ CLI tool to query LDAP/AD servers
* By default the first 1000 entries are shown, and it errors if there are more results * By default the first 1000 entries are shown, and it errors if there are more results
* Use `--all` to show all results * Use `--all` to show all results
## Virtual attributes
`ldaptool` supports constructing new values from existing attributes by adding a `:<postprocess>` suffix (which can be chained apart from the length limit).
* Some suffixes support an argument as `:<postprocess>[<arg>]`.
* A single integer as postprocess suffix limits the length of the value; it replaces the last character of the output with `…` if it cut something off.
* Multi-valued attributes generate multiple virtual attrites; each value is processed individually. (The values are joined afterwards for table output if needed.)
### DN handling
DNs are decoded into lists of lists of `(name, value)` pairs (the inner list usually contains exactly one entry).
Attributes with a `DC` name are considered part of the "domain", everything else belongs to the "path".
(Usually a DN will start with path segments and end with domain segments.)
The path is read from back to front.
The following postprocess hooks are available:
* `domain`: extracts the domain as DNS FQDN (`CN=Someone,OU=Dep1,DC=example,DC=com` becomes `example.com`)
* `path`: extracts the non-domain parts without names and separates them by `/` (`CN=Someone,OU=Dep1,DC=example,DC=com` becomes `Dep1/Someone`)
* `fullpath`: uses the `domain` as first segment in a path (`CN=Someone,OU=Dep1,DC=example,DC=com` becomes `example.com/Dep1/Someone`)
* `dnslice`: extracts a "slice" from a DN (outer list only); the result is still in DN format.
`path`, `fullpath` and `dnslice` take an optional index/slice as argument, written in python syntax.
For `path` and `fullpath` this extracts only the given index/slice from the path (`fullpath` always includes the full FQDN as first segment), `dnslice` operates on the outer list of decoded (lists of) pairs:
* `dn:dnslice[1:]` on `dn: CN=Someone,OU=Dep1,DC=example,DC=com` returns `OU=Dep1,DC=example,DC=com`
* `dn:fullpath[:-1]` on `dn: CN=Someone,OU=Dep1,DC=example,DC=com` returns `example.com/Dep1`
* `dn:path[-1]` on `dn: CN=Someone,OU=Dep1,DC=example,DC=com` returns `Someone`
## Authentication, Protocol, Ports ## Authentication, Protocol, Ports
`ldaptool` always uses TLS for password based authentication, and SASL GSS-API over non-TLS for Kerberos ones. `ldaptool` always uses TLS for password based authentication, and SASL GSS-API over non-TLS for Kerberos ones.

20
debian/changelog vendored

@ -1,23 +1,3 @@
ldaptool (0.5-1) unstable; urgency=medium
[ Daniel Dizdarevic ]
* :Fix version requirement for python3.10
[ Stefan Bühler ]
* handle missing KeePass entry
[ Daniel Dizdarevic ]
* Catch invalid passwords in keepass
* Catch CTRL+C and CTRL+D in password prompts
[ Stefan Bühler ]
* improve some error messages
* improve config loading: don't modify dicts to allow yaml repeated nodes
* add argument to postprocess steps and support index/slicing in DN-related hooks; document them
* decode securityIdentifier attribute as SID
-- Stefan Bühler <stefan.buehler@tik.uni-stuttgart.de> Wed, 10 May 2023 19:53:51 +0200
ldaptool (0.4-1) unstable; urgency=medium ldaptool (0.4-1) unstable; urgency=medium
* move argument/column handling to decoder (prepare for more post-processing in decoder) * move argument/column handling to decoder (prepare for more post-processing in decoder)


@ -16,7 +16,7 @@ classifiers = [
] ]
dynamic = ["version", "description"] dynamic = ["version", "description"]
requires-python = "~=3.10" requires-python = "~=3.11"
dependencies = [ dependencies = [
"python-ldap", "python-ldap",
"PyYAML", "PyYAML",


@ -105,7 +105,7 @@ class _Context:
try: try:
self.config = search.Config.load() self.config = search.Config.load()
except Exception as e: except Exception as e:
raise SystemExit(f"config error: {e!r}") raise SystemExit(f"config error: {e}")
try: try:
self.arguments = arguments_p.from_args(args) self.arguments = arguments_p.from_args(args)
except decode.InvalidStep as e: except decode.InvalidStep as e:
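Review bot: Formatting the caught exception with `{e}` on the `raise SystemExit` line drops the exception type, and the config loader in this same compare validates with bare `assert isinstance(data, dict)` / `assert "realms" in data` and reads keys with `data.pop("domain")`, so a malformed config prints `config error: ` with nothing after it (message-less AssertionError) or just `config error: 'domain'` (KeyError). Because the handler catches every `Exception`, include the type so the operator can tell what actually failed: `raise SystemExit(f"config error: {type(e).__name__}: {e}")`. The enclosing `_Context` method starts and ends outside the hunk.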


@ -33,26 +33,19 @@ class DNInfo:
def domain(self) -> str: def domain(self) -> str:
return ".".join(ava[1] for rdn in self.parts for ava in rdn if ava[0].lower() == "dc") return ".".join(ava[1] for rdn in self.parts for ava in rdn if ava[0].lower() == "dc")
def _path(self, *, escape: typing.Callable[[str], str], sep: str, selection: slice = slice(None)) -> str: def _path(self, *, escape: typing.Callable[[str], str], sep: str) -> str:
rev_flattened = [ava[1] for rdn in reversed(self.parts) for ava in rdn if ava[0].lower() != "dc"] return sep.join(escape(ava[1]) for rdn in reversed(self.parts) for ava in rdn if ava[0].lower() != "dc")
return sep.join(value for value in rev_flattened[selection])
def sliced_path(self, selection: slice, /) -> str:
return self._path(escape=lambda value: _escape_backslash(value, special="/"), sep="/", selection=selection)
@functools.cached_property @functools.cached_property
def path(self) -> str: def path(self) -> str:
return self.sliced_path(slice(None)) return self._path(escape=lambda value: _escape_backslash(value, special="/"), sep="/")
def sliced_full_path(self, selection: slice, /) -> str: @property
def full_path(self) -> str:
domain = self.domain domain = self.domain
path = self.sliced_path(selection) path = self.path
if not path: if not path:
return self.domain return self.domain
if not domain: if not domain:
return self.path return self.path
return f"{domain}/{path}" return f"{domain}/{path}"
@property
def full_path(self) -> str:
return self.sliced_full_path(slice(None))
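Review bot: The `escape` callable applied inside `_path` is the only thing that keeps an RDN value such as `CN=a/b` from rendering as two path segments, yet nothing in the hunk says so; add on the `return sep.join(...)` line: `# escape "/" (and the backslash) inside values so a value containing the separator is not read as extra path segments`. Note that `domain` joins DC values with "." without escaping, so the same guarantee does not hold for the domain half of `full_path` — presumably acceptable because DC values are DNS labels, but worth stating in the docstring. `full_path` is also a plain `@property` while `path` is a `functools.cached_property`, so it is recomputed on every access; harmless but inconsistent. The `DNInfo` class header and `_escape_backslash` are outside the hunk.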


@ -101,7 +101,7 @@ class Attribute:
return return
def _try_decode(self, args: Arguments) -> None: def _try_decode(self, args: Arguments) -> None:
if self.name in ("objectSid","securityIdentifier"): if self.name in ("objectSid",):
self._try_decode_sid() self._try_decode_sid()
elif self.name in ("msExchMailboxGuid", "objectGUID"): elif self.name in ("msExchMailboxGuid", "objectGUID"):
self._try_decode_uuid() self._try_decode_uuid()
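Review bot: The dispatch in `_try_decode` compares `self.name` case-sensitively against `("objectSid",)` and `("msExchMailboxGuid", "objectGUID")`, while LDAP attribute type names are case-insensitive, so a column or server response spelled `objectsid` would skip SID decoding and fall through to the generic path. Unless `self.name` is normalised before it reaches here (not visible in the hunk), compare case-folded: `name = self.name.lower()` then `if name in ("objectsid",):` / `elif name in ("msexchmailboxguid", "objectguid"):`. The rest of `_try_decode` and the `Attribute` class lie outside the hunk.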


@ -2,9 +2,6 @@ from __future__ import annotations
import abc import abc
import dataclasses import dataclasses
import typing
import ldap.dn
from ldaptool._utils.dninfo import DNInfo from ldaptool._utils.dninfo import DNInfo
@ -17,27 +14,6 @@ class Step(abc.ABC):
... ...
def _args_to_slice(args: str) -> slice:
args = args.strip()
if not args:
return slice(None)
params: list[typing.Optional[int]] = []
for arg in args.split(":"):
arg = arg.strip()
if arg:
params.append(int(arg))
else:
params.append(None)
if len(params) == 1:
assert isinstance(params[0], int)
ndx = params[0]
if ndx == -1:
return slice(ndx, None) # from last element to end - still exactly one element
# this doesn't work for ndx == -1: slice(-1, 0) is always empty. otherwise it should return [ndx:][:1].
return slice(ndx, ndx + 1)
return slice(*params)
@dataclasses.dataclass(slots=True) @dataclasses.dataclass(slots=True)
class MaxLength(Step): class MaxLength(Step):
limit: int limit: int
@ -50,10 +26,6 @@ class MaxLength(Step):
@dataclasses.dataclass(slots=True) @dataclasses.dataclass(slots=True)
class DNDomain(Step): class DNDomain(Step):
def __init__(self, args: str) -> None:
if args:
raise ValueError(":domain doesn't support an argument")
def step(self, value: str) -> str: def step(self, value: str) -> str:
try: try:
dninfo = DNInfo(dn=value) dninfo = DNInfo(dn=value)
@ -65,57 +37,30 @@ class DNDomain(Step):
@dataclasses.dataclass(slots=True) @dataclasses.dataclass(slots=True)
class DNPath(Step): class DNPath(Step):
path_slice: slice
def __init__(self, args: str) -> None:
self.path_slice = _args_to_slice(args)
def step(self, value: str) -> str: def step(self, value: str) -> str:
try: try:
dninfo = DNInfo(dn=value) dninfo = DNInfo(dn=value)
except Exception: except Exception:
# not a valid DN -> no processing # not a valid DN -> no processing
return value return value
return dninfo.sliced_path(self.path_slice) return dninfo.path
@dataclasses.dataclass(slots=True) @dataclasses.dataclass(slots=True)
class DNFullPath(Step): class DNFullPath(Step):
path_slice: slice
def __init__(self, args: str) -> None:
self.path_slice = _args_to_slice(args)
def step(self, value: str) -> str: def step(self, value: str) -> str:
try: try:
dninfo = DNInfo(dn=value) dninfo = DNInfo(dn=value)
except Exception: except Exception:
# not a valid DN -> no processing # not a valid DN -> no processing
return value return value
return dninfo.sliced_full_path(self.path_slice) return dninfo.full_path
@dataclasses.dataclass(slots=True) _STEPS = {
class DNSlice(Step): "domain": DNDomain(),
slice: slice "path": DNPath(),
"fullpath": DNFullPath(),
def __init__(self, args: str) -> None:
self.slice = _args_to_slice(args)
def step(self, value: str) -> str:
try:
dninfo = DNInfo(dn=value)
except Exception:
# not a valid DN -> no processing
return value
return ldap.dn.dn2str(dninfo.parts[self.slice]) # type: ignore
_STEPS: dict[str, typing.Callable[[str], Step]] = {
"domain": DNDomain,
"path": DNPath,
"fullpath": DNFullPath,
"dnslice": DNSlice,
} }
@ -133,63 +78,19 @@ class PostProcess:
return value return value
def parse_steps(steps: str) -> PostProcess: def parse_steps(steps: list[str]) -> PostProcess:
result: list[Step] = [] max_len = 0
try:
cur_id_start = 0 max_len = int(steps[-1])
cur_args_start = -1 steps.pop()
current_id = "" except ValueError:
current_args = "" pass
count_brackets = 0 result = []
step_done = False for step in steps:
step_i = _STEPS.get(step, None)
def handle_step() -> None:
nonlocal cur_id_start, cur_args_start, current_id, current_args, step_done
assert step_done
step_i = _STEPS.get(current_id, None)
if step_i is None: if step_i is None:
try: raise InvalidStep(f"Unknown post-processing step {step!r}")
max_len = int(current_id) result.append(step_i)
result.append(MaxLength(max_len)) if max_len:
except ValueError: result.append(MaxLength(max_len))
raise InvalidStep(f"Unknown post-processing step {current_id!r}")
else:
result.append(step_i(current_args))
cur_id_start = pos + 1
cur_args_start = -1
current_id = ""
current_args = ""
step_done = False
for pos, char in enumerate(steps):
if step_done:
if char != ":":
raise InvalidStep(f"Require : after step, found {char!r} at pos {pos}")
handle_step()
elif char == "[":
if count_brackets == 0:
# end of identifier
current_id = steps[cur_id_start:pos]
cur_args_start = pos + 1
count_brackets += 1
elif char == "]":
count_brackets -= 1
if count_brackets == 0:
current_args = steps[cur_args_start:pos]
step_done = True
elif count_brackets:
continue
elif not char.isalnum():
raise InvalidStep(f"Expecting either alphanumeric, ':' or '[', got {char!r} at {pos}")
if not step_done:
current_id = steps[cur_id_start:]
if current_id:
step_done = True
if step_done:
handle_step()
return PostProcess(result) return PostProcess(result)
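Review bot: `parse_steps` in the last hunk shortens its caller's list via `steps.pop()` and only catches `ValueError` around `int(steps[-1])`, so an empty list escapes as an `IndexError` traceback instead of an `InvalidStep`, and a negative limit such as `-5` is accepted and turned into a `MaxLength`. The caller in `arguments.py` currently builds a fresh, non-empty list, so the mutation is latent rather than observed, but any other caller would see its list change underneath it. Work on a copy, treat a missing last element like a non-numeric one, and reject negative limits:
```python
def parse_steps(steps: list[str]) -> PostProcess:
    names = list(steps)  # never shorten the caller's list
    max_len = 0
    try:
        max_len = int(names[-1])
    except (ValueError, IndexError):
        pass
    else:
        names.pop()
        if max_len < 0:
            raise InvalidStep(f"Negative length limit {max_len}")
    result = []
    for step in names:
        # … unchanged: _STEPS lookup, InvalidStep on unknown step, append …
    # … unchanged: MaxLength append and return …
```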


@ -57,20 +57,20 @@ class Arguments(argclasses.BaseArguments):
self.columns_keys.append(column) self.columns_keys.append(column)
if column == "dndomain": if column == "dndomain":
self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps("domain") self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps(["domain"])
attributes_set.add("dn") attributes_set.add("dn")
elif column == "dnpath": elif column == "dnpath":
self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps("path") self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps(["path"])
attributes_set.add("dn") attributes_set.add("dn")
elif column == "dnfullpath": elif column == "dnfullpath":
self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps("fullpath") self.post_process.setdefault("dn", {})[column] = _postprocess.parse_steps(["fullpath"])
attributes_set.add("dn") attributes_set.add("dn")
else: else:
col_parts = column.split(":", maxsplit=1) step_names = column.split(":")
attributes_set.add(col_parts[0]) attributes_set.add(step_names[0])
if len(col_parts) == 2: if len(step_names) > 1:
source, steps = col_parts source = step_names.pop(0)
self.post_process.setdefault(source, {})[column] = _postprocess.parse_steps(steps) self.post_process.setdefault(source, {})[column] = _postprocess.parse_steps(step_names)
if all_attributes: if all_attributes:
self.attributes = [] self.attributes = []
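Review bot: In the `else` branch, `column.split(":")` followed by `attributes_set.add(step_names[0])` accepts a column such as `:path` — the empty string becomes an attribute to request from the server and the key under `post_process`, and any error surfaces later from the LDAP search rather than from argument parsing. Reject it where the column is split: `if not step_names[0]:` / `raise _postprocess.InvalidStep(f"missing attribute name in column {column!r}")` — `InvalidStep` is the error type the `_Context` caller already handles around `from_args`, assuming it is reachable through `_postprocess`. The enclosing method of `Arguments` starts before the hunk.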


@ -7,7 +7,6 @@ import os
import os.path import os.path
import shlex import shlex
import subprocess import subprocess
import sys
import typing import typing
import yaml import yaml
@ -29,13 +28,13 @@ class Realm:
@staticmethod @staticmethod
def load(name: str, data: typing.Any) -> Realm: def load(name: str, data: typing.Any) -> Realm:
assert isinstance(data, dict), f"Realm section isn't a dictionary: {data!r}" assert isinstance(data, dict)
domain = data["domain"] domain = data.pop("domain")
servers = data["servers"].split() servers = data.pop("servers").split()
forest_root_domain = data.get("forest_root_domain", domain) forest_root_domain = data.pop("forest_root_domain", domain)
account = data.get("account", None) account = data.pop("account", None)
password_file = data.get("password_file", None) password_file = data.pop("password_file", None)
password_folder = data.get("password_folder", None) password_folder = data.pop("password_folder", None)
return Realm( return Realm(
name=name, name=name,
domain=domain, domain=domain,
@ -102,8 +101,8 @@ class Keyringer(PasswordManager):
@staticmethod @staticmethod
def load(data: typing.Any) -> Keyringer: def load(data: typing.Any) -> Keyringer:
assert isinstance(data, dict) assert isinstance(data, dict)
keyring = data["keyring"] keyring = data.pop("keyring")
folder = data.get("folder", "") folder = data.pop("folder")
return Keyringer(keyring=keyring, folder=folder) return Keyringer(keyring=keyring, folder=folder)
def get_password(self, password_name: str) -> str: def get_password(self, password_name: str) -> str:
@ -146,17 +145,9 @@ class Keepass(PasswordManager):
def get_password(self, password_name: str) -> str: def get_password(self, password_name: str) -> str:
import pykeepass # already made sure it is avaiable above import pykeepass # already made sure it is avaiable above
while True: password = getpass.getpass(f"KeePass password for database {self.database}: ")
try: kp = pykeepass.PyKeePass(self.database, password=password)
password = getpass.getpass(f"KeePass password for database {self.database}: ")
kp = pykeepass.PyKeePass(self.database, password=password)
break
except pykeepass.exceptions.CredentialsError:
print("Invalid password", file=sys.stderr)
entry = kp.find_entries(username=password_name, first=True) entry = kp.find_entries(username=password_name, first=True)
if not entry:
raise SystemExit(f"no KeePass entry for {password_name!r} found")
return entry.password # type: ignore return entry.password # type: ignore
@ -199,8 +190,8 @@ class Config:
with open(conf_path) as f: with open(conf_path) as f:
data = yaml.safe_load(f) data = yaml.safe_load(f)
assert isinstance(data, dict) assert isinstance(data, dict)
assert "realms" in data, "Missing realms section in config" assert "realms" in data
realms_data = data["realms"] realms_data = data.pop("realms")
assert isinstance(realms_data, dict) assert isinstance(realms_data, dict)
realms = {} realms = {}
for name, realm_data in realms_data.items(): for name, realm_data in realms_data.items():
@ -210,15 +201,15 @@ class Config:
if "keyringer" in data: if "keyringer" in data:
if password_manager: if password_manager:
raise ValueError("Can only set a single password manager") raise ValueError("Can only set a single password manager")
password_manager = Keyringer.load(data["keyringer"]) password_manager = Keyringer.load(data.pop("keyringer"))
if "keepass" in data: if "keepass" in data:
if password_manager: if password_manager:
raise ValueError("Can only set a single password manager") raise ValueError("Can only set a single password manager")
password_manager = Keepass.load(data["keepass"]) password_manager = Keepass.load(data.pop("keepass"))
if "password-script" in data: if "password-script" in data:
if password_manager: if password_manager:
raise ValueError("Can only set a single password manager") raise ValueError("Can only set a single password manager")
password_manager = PasswordScript.load(data["password-script"]) password_manager = PasswordScript.load(data.pop("password-script"))
return Config(realms=realms, password_manager=password_manager) return Config(realms=realms, password_manager=password_manager)
@ -229,11 +220,7 @@ class Config:
""" """
if realm.account is None: if realm.account is None:
raise RuntimeError("Can't get password without acccount - should use kerberos instead") raise RuntimeError("Can't get password without acccount - should use kerberos instead")
if self.password_manager:
return self.password_manager.get_password(realm.password_name)
try: return getpass.getpass(f"Enter password for {realm.password_name}: ")
if self.password_manager:
return self.password_manager.get_password(realm.password_name)
return getpass.getpass(f"Enter password for {realm.password_name}: ")
except (KeyboardInterrupt, EOFError):
raise SystemExit("Password prompt / retrieval aborted")
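Review bot: In `Keepass.get_password`, the result of `kp.find_entries(username=password_name, first=True)` is dereferenced unconditionally, so if no entry matches and pykeepass returns `None`, the tool dies with an `AttributeError` traceback on `entry.password` instead of a message naming the missing entry; a wrong master password likewise surfaces as an uncaught pykeepass exception from the `PyKeePass(...)` call. Guard the lookup: `if entry is None:` / `raise SystemExit(f"no KeePass entry for {password_name!r} found")`, and catch `pykeepass.exceptions.CredentialsError` around the open so an invalid master password is reported rather than dumped as a traceback. In the same section, `Realm.load` and `Config.load` validate with bare `assert` (skipped under `python -O`) and consume keys with `data.pop(...)`, which mutates the loaded YAML mapping — two realms sharing a YAML anchor/alias would see the second lose its `domain`/`servers`. The `Keepass` class header is outside the hunk.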