This one is in English, since the topic is fairly specialised. If anyone would like a translation, just leave a comment.

I’m using an LDAP server to authenticate several services such as SVN, Apache, Git, Samba, etc. In order to define user accounts that have access for a limited time period only, I found the shadowExpire attribute quite useful. Sadly, not all services take this attribute into account. As I don’t want to configure every service with its own filter, I wrote a little Python script that disables all expired accounts by setting the password to an invalid value. The script follows. Be sure to adapt it to your LDAP installation by exchanging the relevant information such as DN, username, secret…

#!/usr/bin/python
###################################################################################
#                                                                                 #
# Script to disable expired accounts. Locks Unix passwords as well as Samba LM &  #
# NT passwords by setting them to an invalid value.                               #
#                                                                                 #
###################################################################################
import ldap
import ldap.modlist as modlist
import datetime

l = None
try:
  # connect and bind to server
  l = ldap.initialize("ldap://localhost/")

  dnbase = ",dc=mydomain,dc=com"
  username = "cn=admin"+dnbase
  password = "adminsecret"

  l.bind_s(username, password, ldap.AUTH_SIMPLE)

  # define search criteria
  baseDN = "ou=Users"+dnbase
  searchScope = ldap.SCOPE_ONELEVEL
  retrieveAttributes = None
  # shadowExpire is stored as days since the Unix epoch (UTC), so compute today in the same unit
  today = (datetime.datetime.utcnow()-datetime.datetime.utcfromtimestamp(0)).days
  searchFilter = "shadowExpire=*"

  count = 0
  # perform search and process results
  for dn, attributes in l.search_s(baseDN, searchScope, searchFilter, retrieveAttributes):
    shadowExpire = int(attributes['shadowExpire'][0])
    # an entry without userPassword is treated as "not locked yet"
    currentPassword = attributes.get('userPassword', [''])[0]
    # accounts that have expired and are not locked yet
    if shadowExpire < today and currentPassword != "{CRYPT}INVALID":
      print "Found expired account: "+attributes.get('uid', [dn])[0]
      print "  -> locking account..."
      oldpasswd = {}
      if currentPassword:
        oldpasswd['userPassword'] = currentPassword
      lockpasswd = {'userPassword': '{CRYPT}INVALID'}
      # lock Samba LM and NT passwords if they exist
      if 'sambaLMPassword' in attributes:
        oldpasswd['sambaLMPassword'] = attributes['sambaLMPassword'][0]
        lockpasswd['sambaLMPassword'] = '*INVALID*'
      if 'sambaNTPassword' in attributes:
        oldpasswd['sambaNTPassword'] = attributes['sambaNTPassword'][0]
        lockpasswd['sambaNTPassword'] = '*INVALID*'
      modifications = modlist.modifyModlist(oldpasswd, lockpasswd)
      # perform modifications
      l.modify_s(dn, modifications)
      count += 1

  if count:
    print "Locked "+str(count)+" accounts."

except ldap.LDAPError, e:
  print e

finally:
  # unbind, but only if the connection was actually set up
  if l is not None:
    l.unbind()

P.S.: I’m sorry for the large try-block. I’m going to adapt this soon 😉
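As an added example (not part of the original post and not the script above), here is the locking decision separated from the directory I/O so it can be checked offline: it derives shadowExpire days from a UTC date, skips entries that are still valid or already carry the lock marker, tolerates entries without userPassword, and builds a python-ldap style modlist (MOD_REPLACE has the numeric value 2) for the Unix and Samba hashes. The sample search result below is constructed, with attribute values as bytes the way python-ldap 3 returns them.

```python
import datetime

MOD_REPLACE = 2                    # numeric value of ldap.MOD_REPLACE (RFC 4511)
LOCKED_CRYPT = b"{CRYPT}INVALID"   # lock markers used by the script above
LOCKED_SAMBA = b"*INVALID*"

def shadow_days(when):
    """shadowExpire semantics: whole days since 1970-01-01, counted in UTC."""
    return (when - datetime.datetime(1970, 1, 1)).days

def lock_modlist(attributes, today):
    """Modlist that locks an expired, not yet locked entry; None if nothing to do."""
    expire = attributes.get("shadowExpire")
    if not expire or int(expire[0]) >= today:   # no expiry set, or still valid today
        return None
    current = attributes.get("userPassword", [b""])[0]
    if current == LOCKED_CRYPT:                  # idempotent: already locked
        return None
    mods = [(MOD_REPLACE, "userPassword", [LOCKED_CRYPT])]
    # only touch the Samba hashes that exist, but lock both LM and NT when present
    for samba_attr in ("sambaLMPassword", "sambaNTPassword"):
        if samba_attr in attributes:
            mods.append((MOD_REPLACE, samba_attr, [LOCKED_SAMBA]))
    return mods

def expired_accounts(results, today):
    """Walk search_s()-style (dn, attributes) pairs; return {dn: modlist} to apply."""
    todo = {}
    for dn, attrs in results:
        mods = lock_modlist(attrs, today)
        if mods:
            todo[dn] = mods
    return todo

# constructed sample search result; hash values are placeholders, not real digests
SAMPLE_TODAY = shadow_days(datetime.datetime(2012, 6, 10))
SAMPLE = [
    ("uid=alice,ou=Users,dc=example,dc=com",        # expired, Unix + Samba hashes
     {"uid": [b"alice"], "shadowExpire": [b"15000"],
      "userPassword": [b"{CRYPT}$1$saltsalt$placeholderhash"],
      "sambaLMPassword": [b"0" * 32], "sambaNTPassword": [b"1" * 32]}),
    ("uid=bob,ou=Users,dc=example,dc=com",          # not expired yet
     {"uid": [b"bob"], "shadowExpire": [b"16000"], "userPassword": [b"{SSHA}placeholder"]}),
    ("uid=carol,ou=Users,dc=example,dc=com",        # expired but already locked
     {"uid": [b"carol"], "shadowExpire": [b"15000"], "userPassword": [LOCKED_CRYPT]}),
    ("uid=dave,ou=Users,dc=example,dc=com",         # expired, no userPassword at all
     {"uid": [b"dave"], "shadowExpire": [b"14000"]}),
]

if __name__ == "__main__":
    for dn, mods in expired_accounts(SAMPLE, SAMPLE_TODAY).items():
        print(dn, "->", [attr for _, attr, _ in mods])  # live server: l.modify_s(dn, mods)
```

With a real connection, feed `l.search_s(...)` into `expired_accounts()` together with `shadow_days(datetime.datetime.utcnow())` and pass each returned modlist to `l.modify_s()`.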

Disable expired LDAP accounts