vmam module
VLAN Mac-address Authentication Manager
vmam is a command line tool for managing and maintaining the mac-addresses that are allowed onto the network under a specific domain and a specific VLAN, using LDAP as the authentication back end. The approach is based on RFC 3579 (https://tools.ietf.org/html/rfc3579#section-2.1).
Usage for command line:

SYNOPSIS
    vmam [action] [parameter] [options]

config {action}: Configuration command for the vmam environment
    --new/-n {parameter}: Create a new configuration file. If a path is given, the file is created at that path. The default path is /etc/vmam/vmam.cfg
        $> vmam config --new
        Create a new configuration in the standard path: /etc/vmam/vmam.cfg
    --get-cmd/-g {parameter}: Print the commands needed to configure the network infrastructure and the RADIUS server according to the configuration file. If a path is given, the file is read from that path. The default path is /etc/vmam/vmam.cfg
        $> vmam config --get-cmd
        Print the instructions to configure the network and RADIUS server, reading the standard path: /etc/vmam/vmam.cfg

start {action}: Automatic action for the vmam environment
    --config-file/-c {parameter}: Specify a configuration file in a custom path (optional)
        $> vmam start --config-file /home/arthur/vmam.cfg
        Start the automatic process based on the custom configuration file: /home/arthur/vmam.cfg
    --daemon/-d {parameter}: If specified, the automatic process runs in the background
        $> vmam start --daemon
        Start the automatic process in the background, based on the standard path: /etc/vmam/vmam.cfg

mac {action}: Manual action for adding, modifying, deleting and disabling mac-address users
    --add/-a {parameter}: Add a specific mac-address on LDAP with a specific VLAN. See also --vlan-id/-i
        $> vmam mac --add 000018ff12dd --vlan-id 110
        Add a new mac-address user with VLAN 110, based on the standard configuration file: /etc/vmam/vmam.cfg
        $> vmam mac --add 000018ff12dd --vlan-id 111
        Modify a new or existing mac-address user with VLAN 111, based on the standard configuration file: /etc/vmam/vmam.cfg
    --description/-D {parameter}: Add a description to the created mac-address user
        $> vmam mac --add 000018ff12dd --vlan-id 110 --description "My personal linux"
        Add a new mac-address user with VLAN 110 and a description, based on the standard configuration file: /etc/vmam/vmam.cfg
    --remove/-r {parameter}: Remove a mac-address user from LDAP
        $> vmam mac --remove 000018ff12dd
        Remove mac-address user 000018ff12dd, based on the standard configuration file: /etc/vmam/vmam.cfg
    --disable/-d {parameter}: Disable a mac-address user on LDAP without removing it
        $> vmam mac --disable 000018ff12dd
        Disable mac-address user 000018ff12dd, based on the standard configuration file: /etc/vmam/vmam.cfg
    --force/-f {parameter}: Force the remove/disable action
        $> vmam mac --remove 000018ff12dd --force
        Force removal of mac-address user 000018ff12dd, based on the standard configuration file: /etc/vmam/vmam.cfg
    --vlan-id/-i {parameter}: Specify the VLAN-id
        $> vmam mac --add 000018ff12dd --vlan-id 100
        Add a new mac-address user with VLAN 100, based on the standard configuration file: /etc/vmam/vmam.cfg
    --config-file/-c {parameter}: Specify a configuration file in a custom path (optional)
        $> vmam mac --remove 000018ff12dd --config-file /opt/vlan-office/office.cfg
        Remove mac-address user 000018ff12dd, based on the custom configuration file: /opt/vlan-office/office.cfg

--version/-V {option}: Print version and exit
--verbose/-v {option}: Print and log verbose information, for debugging
Usage as a module:

    #!/usr/bin/env python3
    from vmam import *

    # activate debug
    debug = True
    # define log writer
    wt = logwriter('/tmp/log.log')
    # start script
    debugger(debug, wt, 'Start...')
    # connect to LDAP server and bind with an administrative account
    conn = connect_ldap(['dc1.foo.bar'])
    bind = bind_ldap(conn, r'domain\admin', 'password', tls=True)
    ldap_version = check_ldap_version(bind, 'dc=foo,dc=bar')
    # one LDAP user per mac-address read from the list file
    for mac in get_mac_from_file('/tmp/mac_list.txt'):
        debugger(debug, wt, 'create mac address {}'.format(mac))
        # distinguishedName of the mac-address user
        dn = 'cn={},ou=mac,dc=foo,dc=bar'.format(mac)
        attrs = {'givenname': 'mac-address',
                 'sn': mac,
                 'samaccountname': mac}
        # create mac-address user
        new_user(bind, dn, **attrs)
        # add mac user to vlan group
        add_to_group(bind, 'cn=vlan_group100,ou=groups,dc=foo,dc=bar', dn)
        # userAccountControl 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD;
        # pwdLastSet=-1 marks the password as set now
        set_user(bind, dn, pwdlastset=-1, useraccountcontrol=66048)
        # the account password is the mac-address itself
        set_user_password(bind, dn, mac, ldap_version=ldap_version)
AUTHOR
    Matteo Guadrini <matteo.guadrini@hotmail.it>

COPYRIGHT
    Matteo Guadrini. All rights reserved.
vmam.logwriter(logfile)
    Logger object that writes lines to a log file
    Parameters:
        - logfile – Path of the log file (.log)
    Returns: Logger object
    >>> wl = logwriter('test.log')
    >>> wl.info('This is a test')
vmam.debugger(verbose, writer, message)
    Debugger: write a debug line to the log and print the message when verbose is enabled
    Parameters:
        - verbose – verbose status; boolean
        - writer – Log writer object
        - message – String message
    Returns: String on stdout
    >>> wl = logwriter('test.log')
    >>> debugger(True, wl, 'Test debug')
vmam.confirm(message)
    Ask the user to confirm an action
    Parameters:
        - message – Question that expects a 'yes' or 'no' answer
    Returns: Boolean
    >>> if confirm('Please, respond'):
    ...     print('yep!')
vmam.read_config(path)
    Open a YAML configuration file
    Parameters:
        - path – Path of the configuration file
    Returns: Python object
    >>> cfg = read_config('/tmp/vmam.yml')
    >>> print(cfg)
vmam.get_platform()
    Get platform (OS) information
    Returns: Platform info dictionary
    >>> p = get_platform()
    >>> print(p)
vmam.new_config(path='/etc/vmam/vmam.yml')
    Create a new vmam config file (YAML)
    Parameters:
        - path – Path of the config file
    Returns: None
    >>> new_config('/tmp/vmam.yml')
vmam.bind_ldap(server, user, password, *, tls=False)
    Bind an LDAP connection with the given user credentials
    Parameters:
        - server – LDAP connection object
        - user – user used for the bind
        - password – password of the user
        - tls – if True, start TLS on the connection before binding
    Returns: LDAP bind object
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> print(bind)
vmam.check_connection(ip, port, timeout=3)
    Test the TCP connection to a remote machine (ip) on (port)
    Parameters:
        - ip – ip address or hostname of the machine
        - port – TCP port
        - timeout – connection timeout in seconds
    Returns: Boolean
    >>> check_connection('localhost', 80)
vmam.check_config(path)
    Check a YAML configuration file
    Parameters:
        - path – Path of the configuration file
    Returns: Boolean
    >>> cfg = check_config('/tmp/vmam.yml')
vmam.connect_ldap(servers, *, ssl=False)
    Connect to LDAP servers (synchronous mode)
    Parameters:
        - servers – list of LDAP servers
        - ssl – If True, use port 636 (LDAPS), otherwise 389
    Returns: LDAP connection object
    >>> conn = connect_ldap(['dc1.foo.bar'], ssl=True)
    >>> print(conn)
vmam.unbind_ldap(bind_object)
    Unbind an LDAP connection
    Parameters:
        - bind_object – LDAP bind object
    Returns: None
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> bind.unbind()
vmam.query_ldap(bind_object, base_search, attributes, comp='=', **filters)
    Query LDAP
    Parameters:
        - bind_object – LDAP bind object
        - base_search – distinguishedName of the LDAP search base
        - attributes – list of LDAP attributes to return
        - comp – comparison operator. Default is '='. Accepted:
              =    Equality      (attribute=abc)
              !    Negation      (!attribute=abc)
              =*   Presence      (attribute=*)
              >=   Greater than  (attribute>=abc)
              <=   Less than     (attribute<=abc)
              ~=   Proximity     (attribute~=abc)
        - filters – dictionary of LDAP query terms (attribute=value), given as keyword arguments
    Returns: query result list
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> ret = query_ldap(bind, 'dc=foo,dc=bar', ['sn', 'givenName'], objectClass='person', samAccountName='person1')
    >>> print(ret)
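The keyword filters and the comp operator above map onto an LDAP search filter string. As an added example (not vmam's own code), the following shows how such a call can be turned into an RFC 4515 filter with the assertion values escaped, so that a value read from a mac-address list or typed on the command line is only ever matched, never interpreted as filter syntax; build_filter and escape_filter_value are names chosen for this example.

```python
import re

# RFC 4515 escapes for assertion values. Without them a value such as
# '*' or 'x)(objectClass=*' would alter the query instead of being matched.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
# Operators as listed in the query_ldap docstring
OPERATORS = ('=', '!', '=*', '>=', '<=', '~=')


def escape_filter_value(value):
    """Escape one assertion value so it is matched literally."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in str(value))


def build_filter(comp='=', **filters):
    """Turn query_ldap-style keyword filters into an RFC 4515 filter string,
    AND-ing all items. Attribute names come from code, values from data."""
    if comp not in OPERATORS:
        raise ValueError('unsupported comparison operator: %r' % comp)
    if not filters:
        raise ValueError('at least one attribute filter is required')
    items = []
    for attribute, value in filters.items():
        # attribute names are never user data; still, only plain descriptors pass
        if not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', attribute):
            raise ValueError('invalid attribute name: %r' % attribute)
        if comp == '=*':            # presence test, the value is irrelevant
            items.append('(%s=*)' % attribute)
        elif comp == '!':           # negated equality
            items.append('(!(%s=%s))' % (attribute, escape_filter_value(value)))
        else:                       # =, >=, <=, ~=
            items.append('(%s%s%s)' % (attribute, comp, escape_filter_value(value)))
    return items[0] if len(items) == 1 else '(&%s)' % ''.join(items)
```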
vmam.check_ldap_version(bind_object)
    Determine the LDAP server flavour
    Parameters:
        - bind_object – LDAP bind object
    Returns: LDAP version code: MS-LDAP, N-LDAP or LDAP
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> ret = check_ldap_version(bind)
    >>> print(ret)
vmam.new_user(bind_object, username, **attributes)
    Create a new LDAP user
    Parameters:
        - bind_object – LDAP bind object
        - username – distinguishedName of the user
        - attributes – attributes of the user, given as keyword arguments
    Returns: LDAP operation result
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> new_user(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar', objectClass='user', givenName='User 1', sn='Example')
vmam.set_user(bind_object, username, **attributes)
    Modify an existing LDAP user
    Parameters:
        - bind_object – LDAP bind object
        - username – distinguishedName of the user
        - attributes – attributes to modify, given as keyword arguments
    Returns: LDAP operation result
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> set_user(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar', givenName='User 1', sn='Example')
vmam.delete_user(bind_object, username)
    Delete an existing LDAP user
    Parameters:
        - bind_object – LDAP bind object
        - username – distinguishedName of the user
    Returns: LDAP operation result
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> delete_user(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar')
vmam.set_user_password(bind_object, username, password, *, ldap_version='LDAP')
    Set the password of an LDAP user
    Parameters:
        - bind_object – LDAP bind object
        - username – distinguishedName of the user
        - password – password to set for the user
        - ldap_version – LDAP version (LDAP or MS-LDAP)
    Returns: None
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> new_user(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar', givenName='User 1', sn='Example')
    >>> set_user_password(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar', 'password', ldap_version='MS-LDAP')
    >>> set_user(bind, 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar', pwdLastSet=-1, userAccountControl=66048)
vmam.add_to_group(bind_object, groupname, members)
    Add members to an existing LDAP group
    Parameters:
        - bind_object – LDAP bind object
        - groupname – distinguishedName of the group
        - members – list of new members (distinguishedNames)
    Returns: LDAP operation result
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> add_to_group(bind, 'CN=ex_group1,OU=Groups,DC=foo,DC=bar', 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar')
vmam.remove_to_group(bind_object, groupname, members)
    Remove members from an existing LDAP group
    Parameters:
        - bind_object – LDAP bind object
        - groupname – distinguishedName of the group
        - members – list of members to remove (distinguishedNames)
    Returns: LDAP operation result
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> remove_to_group(bind, 'CN=ex_group1,OU=Groups,DC=foo,DC=bar', 'CN=ex_user1,OU=User_ex,DC=foo,DC=bar')
vmam.filetime_to_datetime(filetime)
    Convert an MS FILETIME value from LDAP to a datetime
    Parameters:
        - filetime – FILETIME number (100-nanosecond intervals since 1601-01-01)
    Returns: datetime object
    >>> dt = filetime_to_datetime(132130209369676516)
    >>> print(dt)
vmam.datetime_to_filetime(date_time)
    Convert a datetime to an LDAP MS FILETIME value
    Parameters:
        - date_time – datetime object
    Returns: FILETIME number
    >>> ft = datetime_to_filetime(datetime.datetime(2001, 1, 1))
    >>> print(ft)
vmam.get_time_sync(timedelta)
    Return the reference date for synchronization: now minus the given time difference
    Parameters:
        - timedelta – Time difference to subtract (string: 1s, 2m, 3h, 4d, 5w)
    Returns: datetime object
    >>> td = get_time_sync('1d')
    >>> print(td)
vmam.string_to_datetime(string)
    Convert a date string to a datetime
    Parameters:
        - string – Date in string format ('dd/mm/yyyy' or 'mm/dd/yyyy')
    Returns: Datetime object
    >>> dt = string_to_datetime('28/2/2019')
    >>> print(dt)
vmam.format_mac(mac_address, mac_format='none')
    Format a mac-address in the specified style
    Parameters:
        - mac_address – mac-address in any format
        - mac_format – output format (default=none):
              none   112233445566
              hypen  11-22-33-44-55-66
              colon  11:22:33:44:55:66
              dot    1122.3344.5566
    Returns: mac-address in the specified format
    >>> m = format_mac('1A2b3c4D5E6F', 'dot')
    >>> print(m)
vmam.connect_client(client, user, password)
    Connect to a client over the WinRM protocol
    Parameters:
        - client – hostname or ip address
        - user – username used for the connection to the client
        - password – password of the user
    Returns: WinRM protocol object
    >>> cl = connect_client('host1', r'domain\user', 'password')
    >>> print(cl)
vmam.run_command(protocol, command)
    Run a command on a WinRM client
    Parameters:
        - protocol – WinRM protocol object
        - command – command to run on the client
    Returns: Output of the command
    >>> cl = connect_client('host1', r'domain\user', 'password')
    >>> cmd = run_command(cl, 'ipconfig /all')
    >>> print(cmd)
vmam.get_mac_address(protocol, *exclude)
    Get the mac-addresses of a remote client
    Parameters:
        - protocol – WinRM protocol object
    Returns: list of mac-addresses
    >>> cl = connect_client('host1', r'domain\user', 'password')
    >>> m = get_mac_address(cl)
    >>> print(m)
vmam.get_client_user(protocol)
    Get the last user who logged in to the machine
    Parameters:
        - protocol – WinRM protocol object
    Returns: user string
    >>> cl = connect_client('host1', r'domain\user', 'password')
    >>> u = get_client_user(cl)
    >>> print(u)
vmam.check_vlan_attributes(value, method='like', *attributes)
    Check VLAN attributes with the 'like' or 'match' method
    Parameters:
        - value – value to check
        - method – 'like' or 'match'
        - attributes – attribute values to check against
    Returns: boolean
    >>> conn = connect_ldap(['dc1.foo.bar'])
    >>> bind = bind_ldap(conn, r'domain\user', 'password', tls=True)
    >>> user = query_ldap(bind, 'dc=foo,dc=bar', ['memberof', 'description', 'department'], objectClass='person', samAccountName='person1')
    >>> ok = check_vlan_attributes('business', 'like', user[0].get('attributes').get('description'))
    >>> print(ok)
vmam.get_mac_from_file(path, mac_format='none')
    Get mac-addresses from a list file
    Parameters:
        - path – Path of the list file. Mac-addresses can be written in any format; lines starting with '#' are comments.
          File example (/tmp/list.txt):
              112233445566
              # mac of my Linux
              11-22-33-44-55-66
              # these macs are
              # other pcs of my office
              11:22:33:44:55:66
              1122.3344.5566
        - mac_format – output format (default=none):
              none   112233445566
              hypen  11-22-33-44-55-66
              colon  11:22:33:44:55:66
              dot    1122.3344.5566
    Returns: list
    >>> get_mac_from_file('/tmp/list.txt')
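The list layout and the four output styles described for format_mac and get_mac_from_file can be exercised with the following added example, which is not vmam's own code: it normalises an address written in any of the listed styles, rejects anything that is not exactly 48 bits, and reports bad lines by number instead of dropping them, since an unvalidated entry would otherwise become an LDAP account. normalize_mac, format_mac_example and parse_mac_lines are names chosen here; the sample list is constructed.

```python
import re

# (separator, group size) per style in the docstrings; 'hypen' is spelled as on the page
MAC_FORMATS = {
    'none': (None, 0),   # 112233445566
    'hypen': ('-', 2),   # 11-22-33-44-55-66
    'colon': (':', 2),   # 11:22:33:44:55:66
    'dot': ('.', 4),     # 1122.3344.5566
}

def normalize_mac(mac_address):
    """Strip separators and validate: 12 lowercase hex digits or ValueError."""
    digits = re.sub(r'[-:.\s]', '', mac_address).lower()
    if not re.fullmatch(r'[0-9a-f]{12}', digits):
        raise ValueError('not a mac-address: %r' % mac_address)
    return digits

def format_mac_example(mac_address, mac_format='none'):
    """Reformat a mac-address given in any listed style into mac_format."""
    digits = normalize_mac(mac_address)
    if mac_format not in MAC_FORMATS:
        raise ValueError('unknown mac format: %r' % mac_format)
    separator, group = MAC_FORMATS[mac_format]
    if separator is None:
        return digits
    return separator.join(digits[i:i + group] for i in range(0, 12, group))

def parse_mac_lines(lines, mac_format='none'):
    """Parse the list layout shown above: one address per line, blank lines
    and '#' comments ignored. Returns (accepted, rejected-with-line-number)."""
    macs, rejected = [], []
    for number, raw in enumerate(lines, 1):
        entry = raw.split('#', 1)[0].strip()
        if not entry:
            continue
        try:
            macs.append(format_mac_example(entry, mac_format))
        except ValueError:
            rejected.append((number, entry))
    return macs, rejected

# Constructed sample mirroring the /tmp/list.txt layout, plus one bad line
SAMPLE_LIST = """112233445566
# mac of my Linux
11-22-33-44-55-66
11:22:33:44:55:66   # inline comment after an address
1122.3344.5566
00:11:22:33:44:5G
"""
```

Pass an open file object as lines, e.g. parse_mac_lines(open(path), 'colon'), to process an actual list file.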
vmam.timestamp_to_datetime(timestamp)
    Convert an LDAP Kerberos timestamp to a datetime
    Parameters:
        - timestamp – Kerberos timestamp string
    Returns: datetime object
    >>> dt = timestamp_to_datetime('20200903053604Z')
    >>> print(dt)
vmam.datetime_to_timestamp(date_time)
    Convert a datetime to an LDAP Kerberos timestamp
    Parameters:
        - date_time – datetime object
    Returns: Kerberos timestamp string
    >>> ft = datetime_to_timestamp(datetime.datetime(1986, 1, 25))
    >>> print(ft)
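The conversions in filetime_to_datetime, datetime_to_filetime, timestamp_to_datetime and datetime_to_timestamp, together with the offset strings accepted by get_time_sync, are worked through in this added example (not vmam's own code; every function name here is chosen for the example). It also shows the pieces combined into a cutoff that can be compared against a FILETIME attribute such as lastLogonTimestamp when deciding which mac-address accounts have gone stale.

```python
import datetime
import re

# Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC, the
# encoding of pwdLastSet and lastLogonTimestamp in Active Directory.
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

def filetime_to_datetime_example(filetime):
    """FILETIME integer -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)

def datetime_to_filetime_example(date_time):
    """Datetime (naive values are taken as UTC) -> FILETIME integer."""
    if date_time.tzinfo is None:
        date_time = date_time.replace(tzinfo=datetime.timezone.utc)
    delta = date_time - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

# Kerberos / LDAP GeneralizedTime as in whenChanged: YYYYmmddHHMMSSZ, UTC
def timestamp_to_datetime_example(timestamp):
    parsed = datetime.datetime.strptime(timestamp, '%Y%m%d%H%M%SZ')
    return parsed.replace(tzinfo=datetime.timezone.utc)

def datetime_to_timestamp_example(date_time):
    if date_time.tzinfo is not None:
        date_time = date_time.astimezone(datetime.timezone.utc)
    return date_time.strftime('%Y%m%d%H%M%SZ')

# get_time_sync-style offsets: '1s', '2m', '3h', '4d', '5w'
UNITS = {'s': 'seconds', 'm': 'minutes', 'h': 'hours', 'd': 'days', 'w': 'weeks'}

def parse_time_delta(spec):
    match = re.fullmatch(r'(\d+)([smhdw])', spec)
    if not match:
        raise ValueError('bad time difference: %r' % spec)
    return datetime.timedelta(**{UNITS[match.group(2)]: int(match.group(1))})

def sync_cutoff_filetime(spec, now=None):
    """Cutoff (now minus spec) as a FILETIME, the form needed to compare it
    against lastLogonTimestamp with the '<=' operator of query_ldap."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return datetime_to_filetime_example(now - parse_time_delta(spec))
```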