ldap3-ad-leavers

A helper library for offboarding user from AD.


License
GPL-3.0
Install
pip install ldap3-ad-leavers==0.1.0

Documentation

ldap3-ad-leavers

This is an extension to the orginal project ldap3 python library.

This library provides facilities to access the ldap3 library and functions that will be helpful when offboarding users from an AD.

Getting Started

Assuming that you have Python and virtualenv installed, set up your environment and install the required dependencies using pip:

pip install ldap3-ad-leavers

Using the module

After installing the module, you need to import the main class operations object and instantiate it to create a connection to AWS:

Currently, the followign class operations available are:

  • UserOps: To manipulate user objects in AD

Classes and methods

<a id="__init__"></a>

__init__

<a id="user_operations"></a>

user_operations

<a id="user_operations.UserOps"></a>

UserOps Objects

class UserOps(AdOperations)

<a id="user_operations.UserOps.__init__"></a>

__init__

def __init__(hosts, username, password) -> None

This class will model a User/Person in an AD It inherits the AdOperations abstract class Authentication is done in constructor It users the filter (|(objectclass=user)(objectclass=person)) from ldap3

Arguments:

  • hosts list[str] - This is a list of AD hosts that will be added to the Server Pool
  • username str - This is the username that ldap3 will assume to connect to the AD sosts
  • password str - This is the password for the account

<a id="user_operations.UserOps.get_all"></a>

get_all

def get_all(search_base: str) -> list[User]

This function will get all User/Person from the given search base

Arguments:

  • search_base str - The AD search base that will be looked up from

Raises:

  • AdSearchException - If the search is not successful, this exception will be raised

Returns:

  • list[User] - The AD list of users obtained

<a id="user_operations.UserOps.deep_single_search"></a>

deep_single_search

def deep_single_search(search_base: str, unique_identifier: str) -> User

This function will search for a single User that matches the unique_identifier criteria. If multiple is obtained, it will return the first one obtained.

Arguments:

  • search_base str - The AD search base that will be looked up from
  • unique_identifier str - A unique identifier that will be used to identify the user

Returns:

  • User - returns a User object

<a id="user_operations.UserOps.delete"></a>

delete

def delete(distinguished_name: str) -> None

This function will delete a User from AD

Arguments:

  • distinguished_name str - The dn of the User

Raises:

  • AdModifyException - If an error occurs while deleting the User, it will raise this exception

<a id="user_operations.UserOps.move"></a>

move

def move(distinguished_name: str, cn: str, new_ou: dict) -> None

This function will move one User from an OU to another

Arguments:

  • distinguished_name str - The dn of the User
  • cn str - The cn of the User
  • new_ou dict - The OU where to move the User

Raises:

  • AdModifyException - If an error occurs while moving the User, it will raise this exception

<a id="user_operations.UserOps.set_expiration"></a>

set_expiration

def set_expiration(distinguished_name: str, expiration_date: datetime)

This function will set an expiration on the User's account in AD

Arguments:

  • distinguished_name str - The dn of the user account
  • expiration_date datetime - The datetime to expire the account

Raises:

  • AdModifyException - If an error occurs while setting an expiration on the account, it will raise this exception

<a id="user_operations.UserOps.disable"></a>

disable

def disable(distinguished_name: str)

This function will disable a User account in AD

Arguments:

  • distinguished_name str - The dn of the user account

Raises:

  • AdModifyException - If an error occurs while disabling the User, it will raise this exception

<a id="models"></a>

models

<a id="models.core.object_class"></a>

models.core.object_class

<a id="models.core.object_class.ObjectClass"></a>

ObjectClass Objects

class ObjectClass()

<a id="models.core.object_class.ObjectClass.__init__"></a>

__init__

def __init__(name: str, distinguished_name: str, when_created: datetime)

This is the ObjectClass model This is the Parent class for all AD objects

Arguments:

  • name str - The name of the AD object
  • distinguished_name str - The dn of the AD object
  • when_created datetime - The datetime when the AD object was created

<a id="models.core"></a>

models.core

<a id="models.core.ad_ops"></a>

models.core.ad_ops

<a id="models.core.ad_ops.AdOperations"></a>

AdOperations Objects

class AdOperations(ABC)

<a id="models.core.ad_ops.AdOperations.__init__"></a>

__init__

def __init__(hosts, username: str, password: str) -> None

This is an abstract class that will model all AD objects of this project All AD object class operations will inherit from this class Authentication is done in constructor

Arguments:

  • hosts list[str] - This is a list of AD hosts that will be added to the Server Pool
  • username str - This is the username that ldap3 will assume to connect to the AD sosts
  • password str - This is the password for the account

<a id="models.core.ad_ops.AdOperations.get_all"></a>

get_all

@abstractmethod
def get_all(search_base: str) -> list[ObjectClass]

This function will get all objects from the given search base

Arguments:

  • search_base str - The AD search base that will be looked up from

Returns:

  • list[ObjectClass] - The AD list of objects obtained

<a id="models.core.ad_ops.AdOperations.deep_single_search"></a>

deep_single_search

@abstractmethod
def deep_single_search(search_base: str,
                       unique_identifier: str) -> ObjectClass

This function will search for single object that matches the unique_identifier criteria. If multiple is obtained, it will return the first one obtained.

Arguments:

  • search_base str - The AD search base that will be looked up from
  • unique_identifier str - A unique identifier that will be used to identify the object

Returns:

  • ObjectClass - An AD object class

<a id="models.core.ad_ops.AdOperations.move"></a>

move

@abstractmethod
def move(distinguished_name: str, cn: str, new_ou: dict) -> None

This function will move one AD object from an OU to another

Arguments:

  • distinguished_name str - The dn of the AD object
  • cn str - The cn of the AD object
  • new_ou dict - The OU where to move the AD object

<a id="models.core.ad_ops.AdOperations.delete"></a>

delete

@abstractmethod
def delete(distinguished_name: str) -> None

This function will delete an AD object

Arguments:

  • distinguished_name str - The dn of the AD object

<a id="models.core.exceptions"></a>

models.core.exceptions

<a id="models.core.exceptions.AdSearchException"></a>

AdSearchException Objects

class AdSearchException(Exception)

Will raise all exceptions that are related to an AD search operation

Arguments:

  • Exception Exception - Inherits the Exception class

<a id="models.core.exceptions.AdModifyException"></a>

AdModifyException Objects

class AdModifyException(Exception)

Will raise all exceptions that are related to an AD Modify operation

Arguments:

  • Exception Exception - Inherits the Exception class

<a id="models.data_classes.user"></a>

models.data_classes.user

<a id="models.data_classes.user.User"></a>

User Objects

@dataclass
class User(ObjectClass)

<a id="models.data_classes.user.User.__init__"></a>

__init__

def __init__(schema: dict)

This is the User data class model It inherits from the ObjectClass model This class will model a user object in an AD

Arguments:

  • schema dict - The schema of an AD object that represent a User/Person from ldap3

<a id="models.data_classes.user.User.is_eligible_to_disable"></a>

is_eligible_to_disable

def is_eligible_to_disable()

This function will verify if the user is eligible to have its account disabled Eligibility will be calculated whether the account has already expired or not

Returns:

  • bool - Returns True or False

<a id="models.data_classes.user.User.is_eligible_for_deletion"></a>

is_eligible_for_deletion

def is_eligible_for_deletion(days_limit: int)

This function will verify if the user is eligible to have its account deleted Eligibility will be calculated whether the days_limit argument has already exceeded the date that the account has been expired

Arguments:

  • days_limit int - The days after which an account is considered eligible to be deleted after it has been expired

Returns:

  • bool - Returns True or False

<a id="models.data_classes"></a>

models.data_classe

<a id="__init__"></a>

__init__

<a id="user_operations"></a>

user_operations

<a id="user_operations.UserOps"></a>

UserOps Objects

class UserOps(AdOperations)

<a id="user_operations.UserOps.__init__"></a>

__init__

def __init__(hosts, username, password) -> None

This class will model a User/Person in an AD It inherits the AdOperations abstract class Authentication is done in constructor

Arguments:

  • hosts list[str] - This is a list of AD hosts that will be added to the Server Pool
  • username str - This is the username that ldap3 will assume to connect to the AD sosts
  • password str - This is the password for the account

<a id="user_operations.UserOps.get_all"></a>

get_all

def get_all(search_base: str) -> list[User]

This function will get all User/Person from the given search base

Arguments:

  • search_base str - The AD search base that will be looked up from

Raises:

  • AdSearchException - If the search is not successful, this exception will be raised

Returns:

  • list[User] - The AD list of users obtained

<a id="models"></a>

models

<a id="models.core.object_class"></a>

models.core.object_class

<a id="models.core.object_class.ObjectClass"></a>

ObjectClass Objects

class ObjectClass()

<a id="models.core.object_class.ObjectClass.__init__"></a>

__init__

def __init__(name: str, distinguished_name: str, when_created: datetime)

This is the ObjectClass model This is the Parent class for all AD objects

Arguments:

  • name str - The name of the AD object
  • distinguished_name str - The dn of the AD object
  • when_created datetime - The datetime when the AD object was created

<a id="models.core"></a>

models.core

<a id="models.core.ad_ops"></a>

models.core.ad_ops

<a id="models.core.ad_ops.AdOperations"></a>

AdOperations Objects

class AdOperations(ABC)

<a id="models.core.ad_ops.AdOperations.__init__"></a>

__init__

def __init__(hosts, username: str, password: str) -> None

This is an abstract class that will model all AD objects of this project All AD object class operations will inherit from this class Authentication is done in constructor

Arguments:

  • hosts list[str] - This is a list of AD hosts that will be added to the Server Pool
  • username str - This is the username that ldap3 will assume to connect to the AD sosts
  • password str - This is the password for the account

<a id="models.core.ad_ops.AdOperations.get_all"></a>

get_all

@abstractmethod
def get_all(search_base: str) -> list[ObjectClass]

This function will get all objects from the given search base

Arguments:

  • search_base str - The AD search base that will be looked up from

Returns:

  • list[ObjectClass] - The AD list of objects obtained

<a id="models.core.ad_ops.AdOperations.deep_single_search"></a>

deep_single_search

@abstractmethod
def deep_single_search(search_base: str,
                       unique_identifier: str) -> ObjectClass

This function will search for single object that matches the unique_identifier criteria. If multiple is obtained, it will return the first one obtained.

Arguments:

  • search_base str - The AD search base that will be looked up from
  • unique_identifier str - A unique identifier that will be used to identify the object

Returns:

  • ObjectClass - An AD object class

<a id="models.core.ad_ops.AdOperations.move"></a>

move

@abstractmethod
def move(distinguished_name: str, cn: str, new_ou: dict) -> None

This function will move one AD object from an OU to another

Arguments:

  • distinguished_name str - The dn of the AD object
  • cn str - The cn of the AD object
  • new_ou dict - The OU where to move the AD object

<a id="models.core.ad_ops.AdOperations.delete"></a>

delete

@abstractmethod
def delete(distinguished_name: str) -> None

This function will delete an AD object

Arguments:

  • distinguished_name str - The dn of the AD object

<a id="models.core.exceptions"></a>

models.core.exceptions

<a id="models.core.exceptions.AdSearchException"></a>

AdSearchException Objects

class AdSearchException(Exception)

Will raise all exceptions that are related to an AD search operation

Arguments:

  • Exception Exception - Inherits the Exception class

<a id="models.core.exceptions.AdModifyException"></a>

AdModifyException Objects

class AdModifyException(Exception)

Will raise all exceptions that are related to an AD Modify operation

Arguments:

  • Exception Exception - Inherits the Exception class

<a id="models.data_classes.user"></a>

models.data_classes.user

<a id="models.data_classes.user.User"></a>

User Objects

@dataclass
class User(ObjectClass)

<a id="models.data_classes.user.User.__init__"></a>

__init__

def __init__(schema: dict)

This is the User data class model It inherits from the ObjectClass model This class will model a user object in an AD

Arguments:

  • schema dict - The schema of an AD object that represent a User/Person from ldap3

<a id="models.data_classes.user.User.is_eligible_to_disable"></a>

is_eligible_to_disable

def is_eligible_to_disable()

This function will verify if the user is eligible to have its account disabled Eligibility will be calculated whether the account has already expired or not

Returns:

  • bool - Returns True or False

<a id="models.data_classes.user.User.is_eligible_for_deletion"></a>

is_eligible_for_deletion

def is_eligible_for_deletion(days_limit: int)

This function will verify if the user is eligible to have its account deleted Eligibility will be calculated whether the days_limit argument has already exceeded the date that the account has been expired

Arguments:

  • days_limit int - The days after which an account is considered eligible to be deleted after it has been expired

Returns:

  • bool - Returns True or False

<a id="models.data_classes"></a>

Running Tests

You can run the tests by following the steps below:

  1. Clone or download the project to a folder on your computer.
  2. Run the tests using the command ./run_test.sh

License

Copyright Mervin Hemaraju