A python/django Active Directory group management abstraction that uses ldap3 as a backend for cross-platform compatibility.
A python/django Active Directory group management abstraction that uses ldap3 as a backend for cross-platform compatibility.
.. image:: https://img.shields.io/travis/kavdev/ldap-groups/master.svg?style=flat-square :target: https://travis-ci.org/kavdev/ldap-groups .. image:: https://img.shields.io/codecov/c/github/kavdev/ldap-groups/master.svg?style=flat-square :target: http://codecov.io/github/kavdev/ldap-groups?branch=master .. image:: https://img.shields.io/requires/github/kavdev/ldap-groups.svg?style=flat-square :target: https://requires.io/github/kavdev/ldap-groups/requirements/?branch=master .. image:: https://img.shields.io/codacy/f8b8c71b805e4585b8c34ba7c02fbd0c.svg?style=flat-square :target: https://www.codacy.com/app/kavdev/ldap-groups/dashboard
.. image:: https://img.shields.io/pypi/v/ldap-groups.svg?style=flat-square :target: https://pypi.python.org/pypi/ldap-groups .. image:: https://img.shields.io/pypi/dw/ldap-groups.svg?style=flat-square :target: https://pypi.python.org/pypi/ldap-groups
.. image:: https://img.shields.io/github/issues/kavdev/ldap-groups.svg?style=flat-square :target: https://github.com/kavdev/ldap-groups/issues .. image:: https://img.shields.io/github/license/kavdev/ldap-groups.svg?style=flat-square :target: https://github.com/kavdev/ldap-groups/blob/master/LICENSE
Install ldap-groups with pip:
.. code-block:: bash
pip install ldap-groups
Add ldap-groups to INSTALLED_APPS (if you're using Django)
.. code:: python
INSTALLED_APPS = (
...
'ldap_groups',
...
)
There are a few settings that must be configured before ldap-groups will run.
Mandatory
LDAP_GROUPS_SERVER_URI - The ldap server's uri, e.g. 'ldap://example.com'LDAP_GROUPS_BASE_DN - The base search dn, e.g. 'DC=example,DC=com'Optional
LDAP_GROUPS_BIND_DN - The bind user's DNLDAP_GROUPS_BIND_PASSWORD - The bind user's passwordNOTE: while a bind user is optional, many servers' security settings will deny anonymous access.
LDAP_GROUPS_USER_LOOKUP_ATTRIBUTE - The attribute by which to search when looking up users (should be unique). Defaults to 'sAMAccountName'.LDAP_GROUPS_USER_SEARCH_BASE_DN - The base dn to use when looking up users. Defaults to LDAP_GROUPS_BASE_DN.LDAP_GROUPS_GROUP_LOOKUP_ATTRIBUTE - The attribute by which to search when looking up groups (should be unique). Defaults to 'name'.LDAP_GROUPS_GROUP_SEARCH_BASE_DN - The base dn to use when looking up groups. Defaults to LDAP_GROUPS_BASE_DN.LDAP_GROUPS_ATTRIBUTE_LIST - A list of attributes returned for each member while pulling group members. An empty list should return all attributes. Defaults to ['displayName', 'sAMAccountName', 'distinguishedName'].In its current state, ldap-groups can perform the following functions:
An ADGroup instance only requires one argument to function: a group's distinguished name. Once the ADGroup is instantiated, the rest is fairly simple:
.. code:: python
from ldap_groups import ADGroup
GROUP_DN = "ou=users,dc=example,dc=com"
ACCOUNT_NAME = "jdoe"
NAME_ATTRIBUTE = "name"
TYPE_ATTRIBUTE = "objectClass"
class ADGroupModifier(object):
def __init__(self):
self.ad_group_instance = ADGroup(GROUP_DN)
def add_member(self):
self.ad_group_instance.add_member(ACCOUNT_NAME)
def remove_member(self):
self.ad_group_instance.remove_member(ACCOUNT_NAME)
def get_group_member_info(self):
return self.ad_group_instance.get_member_info()
class ADGroupInfo(object):
def __init__(self):
self.ad_group_instance = ADGroup(GROUP_DN)
def get_attributes(self):
return self.ad_group_instance.get_attributes()
def get_name(self):
return self.ad_group_instance.get_attribute(NAME_ATTRIBUTE)
def get_type(self):
return self.ad_group_instance.get_attribute(TYPE_ATTRIBUTE)
.. code:: python
def get_attribute(attribute_name, no_cache=False):
""" Gets the passed attribute of this group.
:param attribute_name: The name of the attribute to get.
:type attribute_name: str
:param no_cache (optional): Set to True to pull the attribute directly from an LDAP search instead of from the cache. Default False.
:type no_cache: boolean
:returns: The attribute requested or None if the attribute is not set.
"""
def get_attributes(no_cache=False):
""" Returns a dictionary of this group's attributes. This method caches the attributes after the first search unless no_cache is specified.
:param no_cache (optional): Set to True to pull attributes directly from an LDAP search instead of from the cache. Default False
:type no_cache: boolean
"""
def _get_group_members(page_size=500):
""" Searches for a group and retrieve its members.
:param page_size (optional): Many servers have a limit on the number of results that can be returned. Paged searches circumvent that limit. Adjust the page_size to be below the server's size limit. (default: 500)
:type page_size: int
"""
def get_member_info(page_size=500):
""" Retrieves member information from the AD group object.
:param page_size (optional): Many servers have a limit on the number of results that can be returned. Paged searches circumvent that limit. Adjust the page_size to be below the server's size limit. (default: 500)
:type page_size: int
:returns: A dictionary of information on members of the AD group based on the LDAP_GROUPS_ATTRIBUTE_LIST setting or attr_list argument.
"""
def get_tree_members():
""" Retrieves all members from this node of the tree down."""
def add_member(user_lookup_attribute_value):
""" Attempts to add a member to the AD group.
:param user_lookup_attribute_value: The value for the LDAP_GROUPS_USER_LOOKUP_ATTRIBUTE.
:type user_lookup_attribute_value: str
:raises: **AccountDoesNotExist** if the provided account doesn't exist in the active directory. (inherited from _get_user_dn)
:raises: **EntryAlreadyExists** if the account already exists in this group. (subclass of ModificationFailed)
:raises: **InsufficientPermissions** if the bind user does not have permission to modify this group. (subclass of ModificationFailed)
:raises: **ModificationFailed** if the modification could not be performed for an unforseen reason.
"""
def remove_member(user_lookup_attribute_value):
""" Attempts to remove a member from the AD group.
:param user_lookup_attribute_value: The value for the LDAP_GROUPS_USER_LOOKUP_ATTRIBUTE.
:type user_lookup_attribute_value: str
:raises: **AccountDoesNotExist** if the provided account doesn't exist in the active directory. (inherited from _get_user_dn)
:raises: **InsufficientPermissions** if the bind user does not have permission to modify this group. (subclass of ModificationFailed)
:raises: **ModificationFailed** if the modification could not be performed for an unforseen reason.
"""
def add_child(group_lookup_attribute_value):
""" Attempts to add a child to the AD group.
:param group_lookup_attribute_value: The value for the LDAP_GROUPS_GROUP_LOOKUP_ATTRIBUTE.
:type group_lookup_attribute_value: str
:raises: **GroupDoesNotExist** if the provided group doesn't exist in the active directory. (inherited from _get_group_dn)
:raises: **EntryAlreadyExists** if the child already exists in this group. (subclass of ModificationFailed)
:raises: **InsufficientPermissions** if the bind user does not have permission to modify this group. (subclass of ModificationFailed)
:raises: **ModificationFailed** if the modification could not be performed for an unforseen reason.
"""
def remove_child(group_lookup_attribute_value):
""" Attempts to remove a child from the AD group.
:param group_lookup_attribute_value: The value for the LDAP_GROUPS_GROUP_LOOKUP_ATTRIBUTE.
:type group_lookup_attribute_value: str
:raises: **GroupDoesNotExist** if the provided group doesn't exist in the active directory. (inherited from _get_group_dn)
:raises: **EntryAlreadyExists** if the child already exists in this group. (subclass of ModificationFailed)
:raises: **InsufficientPermissions** if the bind user does not have permission to modify this group. (subclass of ModificationFailed)
:raises: **ModificationFailed** if the modification could not be performed for an unforseen reason.
"""
def get_descendants(page_size=500):
""" Returns a list of all descendants of this group.
:param page_size (optional): Many servers have a limit on the number of results that can be returned. Paged searches circumvent that limit. Adjust the page_size to be below the server's size limit. (default: 500)
:type page_size: int
"""
def get_children(page_size=500):
""" Returns a list of this group's children.
:param page_size (optional): Many servers have a limit on the number of results that can be returned. Paged searches circumvent that limit. Adjust the page_size to be below the server's size limit. (default: 500)
:type page_size: int
"""
def child(group_name, page_size=500):
""" Returns the child ad group that matches the provided group_name or none if the child does not exist.
:param group_name: The name of the child group. NOTE: A name does not contain 'CN=' or 'OU='
:type group_name: str
:param page_size (optional): Many servers have a limit on the number of results that can be returned. Paged searches circumvent that limit. Adjust the page_size to be below the server's size limit. (default: 500)
:type page_size: int
"""
def parent():
""" Returns this group's parent (up to the DC)"""
def ancestor(generation):
""" Returns an ancestor of this group given a generation (up to the DC).
:param generation: Determines how far up the path to go. Example: 0 = self, 1 = parent, 2 = grandparent ...
:type generation: int
"""
If ldap-groups is not used in a django project, the ADGroup object can be initialized with the following parameters:
.. code:: python
ADGroup(group_dn, server_uri, base_dn[, user_lookup_attr[, group_lookup_attr[, attr_list[, bind_dn, bind_password[, user_search_base_dn[, group_search_base_dn]]]]]])
group_dn - The distinguished name of the group to manage.server_uri - The ldap server's uri, e.g. 'ldap://example.com'base_dn - The base search dn, e.g. 'DC=example,DC=com'user_lookup_attr - The attribute by which to search when looking up users (should be unique). Defaults to 'sAMAccountName'.group_lookup_attr - The attribute by which to search when looking up groups (should be unique). Defaults to 'name'.attr_list - A list of attributes returned for each member while pulling group members. An empty list should return all attributes. Defaults to ['displayName', 'sAMAccountName', 'distinguishedName'].bind_dn - The bind user's DNbind_password - The bind user's passworduser_search_base_dn - The base dn to use when looking up users. Defaults to LDAP_GROUPS_BASE_DN.group_search_base_dn - The base dn to use when looking up groups. Defaults to LDAP_GROUPS_BASE_DN... code-block:: bash
pip install -r requirements/test.txt
./runtests.py
FAQs
A python/django Active Directory group management abstraction that uses ldap3 as a backend for cross-platform compatibility.
We found that ldap-groups demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.