# ldaptool

CLI tool to query LDAP/AD servers.
- Configuration file to configure "realms":
  - DNS domain (mapped to the LDAP search base as `DC=` labels)
  - LDAP servers in that domain
  - Bind account
  - Integration with password managers
- Various output formats:
  - Classic LDIF
  - JSON stream (with detailed or simplified attribute values)
  - CSV
  - Markdown table with stretched columns (for viewing in the CLI / with monospace fonts); requires `csvlook` from csvkit
  - HTML
- Decodes certain well-known attributes (UUIDs, timestamps, SIDs, `userAccountControl`)
- Requires the server to support RFC 2696 (Simple Paged Results) for proper pagination
- By default the first 1000 entries are shown, and it errors if there are more results
  - Use `--all` to show all results
## Authentication, Protocol, Ports

ldaptool always uses TLS for password-based authentication, and SASL GSS-API over a non-TLS connection for Kerberos authentication.
## Config file

Location: `~/.config/ldaptool.yaml`
### Realms

```yaml
realms:
  EXAMPLE:
    domain: "example.com"
    servers: server1 server2
    account: "bind@example.com"
    password_folder: mainaccounts
  EXAMPLE.admin:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_folder: adminaccounts
  EXAMPLE.admin2:
    domain: "example.com"
    servers: server1 server2
    account: "CN=admin,OU=Admins,DC=example,DC=com"
    password_file: localadmin2
    password_folder: adminaccounts
  SUB:
    domain: "sub.example.com"
    servers: subserver1 subserver2
    forest_root_domain: "example.com"
```
The `servers` field is a whitespace-separated list of hostnames in the domain.
If a password manager is used, the `password_file` field (defaults to a name derived from `account`) and the `password_folder` field together determine the name of the file ("secret") queried from the password manager. For the realms above the following file names would be used:

- `EXAMPLE`: `mainaccounts/bind`
- `EXAMPLE.admin`: `adminaccounts/example.com/Admins/admin`
- `EXAMPLE.admin2`: `adminaccounts/localadmin2`
If the `account` field isn't present, ldaptool always uses Kerberos; if `--krb` is used, `account` is ignored.
Windows AD has a concept of a "global catalog" spanning all domains in an AD forest; it uses separate ports (3268 without TLS and 3269 with TLS).

The `forest_root_domain` field can be used to set the search base for global catalog (`--gc`) queries (usually the forest root is the parent domain).

Unless specified with `--base`, the search base is derived from `domain` (or from `forest_root_domain` with `--gc`) as one `DC=...` component per DNS label.
### Script as password manager

```yaml
password-script: keyring local decrypt
```

This configures a script as the password manager. The value is either a string (split by `shlex.split`) or a list of strings. The password name is appended as the last argument.
### keyringer

```yaml
keyringer:
  keyring: yourkeyringname
  folder: ldapquery
```

This configures keyringer (based on GPG) as the password manager. keyringer needs a "keyring" to search in, and you can optionally specify a folder to be prefixed to the password names created from the realm.
### keepass

```yaml
keepass: /home/me/mypasswords.kdbx
```

This configures KeePass as the password manager; it will prompt for your master password every time.