moving to its own repo

2019-06-05 21:47:31 -04:00 · 2019-06-05 21:47:31 -04:00 · 08fc183956
commit 08fc183956
9 changed files with 1732 additions and 0 deletions
--- a/plugins/ldap.py
+++ b/plugins/ldap.py
@ -0,0 +1,97 @@
+import os
+# TODO: virtual env?
+import ldap
+import ldif
+
+
+# Designed for use with OpenLDAP in an OLC configuration.
+
+
+class Backup(object):
+    def __init__(self,
+                 server = 'ldap://sub.domain.tld',
+                 port = 389,
+                 basedn = 'dc=domain,dc=tld',
+                 sasl = False,
+                 starttls = True,
+                 binddn = 'cn=Manager,dc=domain,dc=tld',
+                 password_file = '~/.ldap.pass',
+                 password = None,
+                 outdir = '~/.cache/backup/ldap',
+                 splitldifs = True):
+        self.server = server
+        self.port = port
+        self.basedn = basedn
+        self.sasl = sasl
+        self.binddn = binddn
+        self.outdir = os.path.abspath(os.path.expanduser(outdir))
+        os.makedirs(self.outdir, exist_ok = True)
+        os.chmod(self.outdir, mode = 0o0700)
+        self.splitldifs = splitldifs
+        self.starttls = starttls
+        if password_file and not password:
+            with open(os.path.abspath(os.path.expanduser(password_file)), 'r') as f:
+                self.password = f.read().strip()
+        else:
+            self.password = password
+        # Human readability, yay.
+        # A note, SSLv3 is 0x300. But StartTLS can only be done with TLS, not SSL, I *think*?
+        # PRESUMABLY, now that it's finalized, TLS 1.3 will be 0x304.
+        # See https://tools.ietf.org/html/rfc5246#appendix-E
+        self._tlsmap = {'1.0': int(0x301),  # 769
+                        '1.1': int(0x302),  # 770
+                        '1.2': int(0x303)}  # 771
+        self._minimum_tls_ver = '1.2'
+        if self.sasl:
+            self.server = 'ldapi:///'
+        self.cxn = None
+        self.connect()
+        self.dump()
+        self.close()
+
+    def connect(self):
+        self.cxn = ldap.initialize(self.server)
+        self.cxn.set_option(ldap.OPT_REFERRALS, 0)
+        self.cxn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
+        if not self.sasl:
+            if self.starttls:
+                self.cxn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
+                self.cxn.set_option(ldap.OPT_X_TLS, ldap.OPT_X_TLS_DEMAND)
+                self.cxn.set_option(ldap.OPT_X_TLS_DEMAND, True)
+                self.cxn.set_option(ldap.OPT_X_TLS_PROTOCOL_MIN, self._tlsmap[self._minimum_tls_ver])
+        if self.sasl:
+            self.cxn.sasl_external_bind_s()
+        else:
+            if self.starttls:
+                self.cxn.start_tls_s()
+            self.cxn.bind_s(self.binddn, self.password)
+        return()
+
+    def dump(self):
+        dumps = {'schema': 'cn=config',
+                 'data': self.basedn}
+        with open(os.path.join(self.outdir, ('ldap-config.ldif' if self.splitldifs else 'ldap.ldif')), 'w') as f:
+            l = ldif.LDIFWriter(f)
+            rslts = self.cxn.search_s(dumps['schema'],
+                                      ldap.SCOPE_SUBTREE,
+                                      filterstr = '(objectClass=*)',
+                                      attrlist = ['*', '+'])
+            for r in rslts:
+                l.unparse(r[0], r[1])
+        if self.splitldifs:
+            f = open(os.path.join(self.outdir, 'ldap-data.ldif'), 'w')
+        else:
+            f = open(os.path.join(self.outdir, 'ldap.ldif'), 'a')
+        rslts = self.cxn.search_s(dumps['data'],
+                                  ldap.SCOPE_SUBTREE,
+                                  filterstr = '(objectClass=*)',
+                                  attrlist = ['*', '+'])
+        l = ldif.LDIFWriter(f)
+        for r in rslts:
+            l.unparse(r[0], r[1])
+        f.close()
+
+    def close(self):
+        if self.cxn:
+            self.cxn.unbind_s()
+        return()