From 9a4fe6a0c9138daa2075313719e9e052d7e8eee0 Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Thu, 20 Feb 2020 12:43:04 -0500 Subject: [PATCH 1/6] updated sample settings file --- settings.yml.sample | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/settings.yml.sample b/settings.yml.sample index ee044ae..ce60c28 100644 --- a/settings.yml.sample +++ b/settings.yml.sample @@ -14,7 +14,7 @@ github: # GitHub. To use on github.com, simply use https://api.github.com #server_url: https://api.github.com server_url: https://github.example.com/api/v3 - token: e92ff0813a76da15f32a675dcd54ea1a97339e82 + token: ldap: # A list of server hostnames or IP addresses to try connecting to @@ -45,3 +45,5 @@ ldap: bind_user: bind_user@example.com # The password to use for binding bind_password: asqw!234 + # Page size for paginating LDAP query (default is 1000 for Active Directory) + page_size: 1000 From d8f288775b3b6f31a26bdff8f6805929ec6df97a Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Thu, 20 Feb 2020 12:51:39 -0500 Subject: [PATCH 2/6] Update SAMLTeamSyncAD.py --- SAMLTeamSyncAD.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/SAMLTeamSyncAD.py b/SAMLTeamSyncAD.py index e200ff8..4f6737c 100644 --- a/SAMLTeamSyncAD.py +++ b/SAMLTeamSyncAD.py 
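Review bot: Blanking `token:` in the sample does not remove the old value `e92ff0813a76da15f32a675dcd54ea1a97339e82` from repository history; if that was ever a live GitHub token it needs to be revoked, not just deleted here. A comment on the field would also steer users away from committing a real value in their copy, e.g. `# Personal access token for the API user; fill this in only in your untracked settings.yml`. The code in this series reads the value straight from the YAML file, so nothing stops a populated copy from being committed by mistake.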
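Review bot: The new `page_size` key is documented as an LDAP paging knob, but none of the Python hunks in this series read `settings['ldap']['page_size']`; if `ADSync.__init__` (only partly visible in later patches) does not pick it up, the sample advertises a setting with no effect. The context of the same hunk still ships a literal `bind_password: asqw!234` in a file users copy to `settings.yml`, which is a plausible-looking credential that tends to survive into real deployments. A placeholder plus a comment such as `# Bind password; set it only in your untracked copy of settings.yml` would be safer than a fake value.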
@@ -1,18 +1,16 @@ +#!/usr/bin/env python3 import sys import yaml import argparse from ldap3 import Server, Connection, ALL from github import Github, GithubException -if (sys.version_info > (3, 0)): - from urllib.parse import urlparse -else: - from urlparse import urlparse +from urllib.parse import urlparse class ADSync: def __init__(self, settings_file): - with open(settings_file, 'r') as stream: + with open(settings_file, 'rb') as stream: # Read settings from the config file and store them as constants - settings = yaml.load(stream) + settings = yaml.load(stream, Loader=yaml.FullLoader) self.GITHUB_SERVER = settings['github']['server_url'] self.GITHUB_TOKEN = settings['github']['token'] self.AD_SERVERS = settings['ldap']['servers'] From 1fc77a109f5b05b5f71cc02e05ae62cb65d2f377 Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Thu, 20 Feb 2020 12:53:28 -0500 Subject: [PATCH 3/6] Update README.md --- README.md | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 8cd5697..3b56c7e 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ This utility provides the following functionality: | Slack Messaging | No | Send a notification to Slack. This is a WIP | ## Getting Started -To get started, ensure that you are using **Python 2.7** or **Python 3.4+**. The following additional libraries are required: +To get started, ensure that you are using **Python 3.4+**. The following additional libraries are required: - [ ] PyGithub - [ ] python-ldap3 @@ -25,7 +25,7 @@ To get started, ensure that you are using **Python 2.7** or **Python 3.4+**. The Install the required libraries. ```bash -pip install -r requirements.txt +pip3 install -r requirements.txt ``` Once you have all of the requirements installed, be sure to edit the `settings.yml` to match your environment. 
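Review bot: `yaml.load(stream, Loader=yaml.FullLoader)` still lets PyYAML construct Python objects from the settings file, and FullLoader in the PyYAML releases current at this patch's date had known bypasses that allowed code execution from a crafted document (CVE-2020-1747, fixed in 5.3.1; a further bypass fixed in 5.4). The settings file only needs scalars, lists and mappings, so `settings = yaml.safe_load(stream)` produces the same result with no object construction at all. The switch to `open(settings_file, 'rb')` is fine, since PyYAML detects the encoding from a byte stream. `ADSync.__init__` continues past the end of this hunk.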
@@ -49,7 +49,7 @@ github: # GitHub. To use on github.com, simply use https://api.github.com #server_url: https://api.github.com server_url: https://github.example.com/api/v3 - token: e92ff0813a76da15f32a675dcd54ea1a97339e82 + token: ldap: # A list of server hostnames or IP addresses to try connecting to @@ -80,14 +80,16 @@ ldap: bind_user: bind_user@example.com # The password to use for binding bind_password: asqw!234 + # Set the page size (default is 1000) + page_size: 1000 ``` ## Usage Examples #### Using the Help ```bash -$ python ADTeamSyncGHE.py --help -usage: ADTeamSyncGHE2.py [-h] [-r] [-a] [-g AD_GROUP] [-s] [-t TEAM] [-o ORG] +$ python3 ADTeamSyncGHE.py --help +usage: ADTeamSyncGHE.py [-h] [-r] [-a] [-g AD_GROUP] [-s] [-t TEAM] [-o ORG] [-l] optional arguments: @@ -115,7 +117,7 @@ optional arguments: #### Listing Active Directory Group Members This option will list members in Active Directory groups ```bash -$ python SAMLTeamSyncAD.py --list --group ADGroupA +$ python3 SAMLTeamSyncAD.py --list --group ADGroupA Succesfully authenticated AD Group: ADGroupA --------------- @@ -125,7 +127,7 @@ ghusera #### Listing GitHub Team Members This option will list members in GitHub teams ```bash -$ python SAMLTeamSyncAD.py --list --team GHETeamA +$ python3 SAMLTeamSyncAD.py --list --team GHETeamA GitHub Team: GHETeamA --------------- primetheus 
@@ -134,16 +136,16 @@ primetheus #### Add Users to GitHub Teams from AD This option will only add users to GitHub teams when they are found in Active Directory. It will not remove users from teams ```bash -$ python SAMLTeamSyncAD.py --add --team GHETeamA --group ADGroupA +$ python3 SAMLTeamSyncAD.py --add --team GHETeamA --group ADGroupA -- OR -- -$ python SAMLTeamSyncAD.py -a -t GHETeamA -g ADGroupA +$ python3 SAMLTeamSyncAD.py -a -t GHETeamA -g ADGroupA ``` #### Full User Sync from Active Directory Group to GitHub Team This option will add users to GitHub teams when found in Active Directory, as well as remove users from GitHub teams when they don't exist in the AD group. ```bash -$ python SAMLTeamSyncAD.py --sync --team GHETeamA --group ADGroupA +$ python3 SAMLTeamSyncAD.py --sync --team GHETeamA --group ADGroupA $ python3 SAMLTeamSyncAD.py -s -t GHETeamA -g "AD Group A" ``` From 75ed802c23e6d2c86fc116db725991832fdb48f8 Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Thu, 20 Feb 2020 17:40:19 -0500 Subject: [PATCH 4/6] fixed LDAP search --- SAMLTeamSyncAD.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/SAMLTeamSyncAD.py b/SAMLTeamSyncAD.py index 4f6737c..3997e5a 100644 --- a/SAMLTeamSyncAD.py +++ b/SAMLTeamSyncAD.py @@ -19,7 +19,6 @@ def __init__(self, settings_file): self.AD_USER_BASEDN = settings['ldap']['user_base_dn'] self.AD_GROUP_BASEDN = settings['ldap']['group_base_dn'] self.AD_USER_FILTER = settings['ldap']['user_filter'] - self.AD_USER_FILTER2 = settings['ldap']['user_filter2'] self.AD_GROUP_FILTER = settings['ldap']['group_filter'] self.AD_BIND_USER = settings['ldap']['bind_user'] self.AD_BIND_PWD = settings['ldap']['bind_password'] 
@@ -52,17 +51,18 @@ def get_group_members(self, group_name): member_list.append(self.get_attr_by_dn(member)) return member_list - def get_attr_by_dn(self, dn): + def get_attr_by_dn(self, userdn): """ Get an attribute for a given object. Right now we only care about the sAMAccountName, so it's hard-coded... we can adjust this if we see a need later down the line - :param dn: Object's full DN to lookup + :param userdn: Object's full DN to lookup :return: username """ - self.conn.search(search_base=self.AD_USER_BASEDN, - search_filter=self.AD_USER_FILTER2.replace('{userdn}', dn), + self.conn.search(search_base=userdn, + search_filter=self.AD_USER_FILTER, attributes=['sAMAccountName']) username = self.conn.entries[0]['sAMAccountName'] + print(username) return str(username) From 611c75cd5abcf8d1e807b9e2e62dac292d89ff0d Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Thu, 20 Feb 2020 17:41:00 -0500 Subject: [PATCH 5/6] updated sample config file to match filters --- settings.yml.sample | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/settings.yml.sample b/settings.yml.sample index ce60c28..1da167c 100644 --- a/settings.yml.sample +++ b/settings.yml.sample @@ -36,11 +36,9 @@ ldap: # The Base DN for groups group_base_dn: OU=Groups,DC=example,DC=com # User Filter - user_filter: (&(objectClass=USER)(sAMAccountName={username})) - # Optional second User Filter - user_filter2: (&(objectClass=USER)(dn={userdn})) + user_filter: (objectClass=person) # Group Filter - group_filter: (&(objectClass=GROUP)(cn={group_name})) + group_filter: (&(objectClass=group)(cn={group_name})) # Active Directory bind user. This must be in @ format bind_user: bind_user@example.com # The password to use for binding From 7e11e7c1d1e31af6f7bdc876891a4da2daa59a57 Mon Sep 17 00:00:00 2001 From: Jared Murrell Date: Fri, 21 Feb 2020 09:49:06 -0500 Subject: [PATCH 6/6] removed unnecessary print statement --- SAMLTeamSyncAD.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
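Review bot: `self.conn.entries[0]` is read without checking that the search matched anything, and with the new `search_base=userdn` plus the sample's `(objectClass=person)` filter a group member that is not a person object (a nested group, for instance) yields no entries and an `IndexError` in the middle of a sync. The call also passes no `search_scope`, so ldap3 walks SUBTREE under the member DN; for a user leaf that is one object, but `search_scope=BASE` (adding `BASE` to the existing `from ldap3 import ...` line) states the intent and avoids descending into children if the DN turns out to be a container. I would add, right after the search, `if not self.conn.entries: raise LookupError('no user object at %s' % userdn)` so the failure names the DN rather than surfacing as an IndexError. The `get_group_members` loop that calls this method starts above the hunk.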
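Review bot: `(objectClass=person)` is broader than a user filter in Active Directory, where computer and contact objects also carry the `person` class, so a group containing a computer account will have it resolved and synced as if it were a user; the conventional AD user filter is `(&(objectCategory=person)(objectClass=user))`. The `{group_name}` placeholder in `group_filter` is filled in with the `-g` command-line value somewhere outside this series' hunks; if that substitution is a plain string replace, the value should go through `ldap3.utils.conv.escape_filter_chars` so a name containing `*`, `(` or `)` cannot alter the filter. A comment on the key would help people who edit it: `# {group_name} is replaced with the --group argument at runtime`.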
diff --git a/SAMLTeamSyncAD.py b/SAMLTeamSyncAD.py index 3997e5a..187bce6 100644 --- a/SAMLTeamSyncAD.py +++ b/SAMLTeamSyncAD.py @@ -62,7 +62,6 @@ def get_attr_by_dn(self, userdn): search_filter=self.AD_USER_FILTER, attributes=['sAMAccountName']) username = self.conn.entries[0]['sAMAccountName'] - print(username) return str(username) @@ -91,6 +90,8 @@ def main(): default=False, const=True, action="store_const") parser.add_argument("-i", "--init", dest="initfile", help="Full path to settings.yml file. Default is " "settings.yml in your current directory", default=None) + parser.add_argument("-n", "--skip-null", dest="skip_null", const=True, default=False, + help="Skip empty groups in Active Directory, to avoid emptying the GitHub group") args = parser.parse_args() # Location of the settings file. Default is the current working path
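Review bot: The new `-n/--skip-null` option passes `const=True` without `action="store_const"`, and argparse's default store action rejects `const` unless `nargs='?'`, so this `add_argument` raises `ValueError: nargs must be '?' to supply const` while `main()` is building the parser, before any arguments are parsed. Matching the sibling option directly above fixes it: `parser.add_argument("-n", "--skip-null", dest="skip_null", const=True, default=False, action="store_const", help="Skip empty groups in Active Directory, to avoid emptying the GitHub group")`. Whether `args.skip_null` is actually consulted before a `--sync` removes members is outside this hunk; `main()` starts before and continues after it.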