ldap-manager 1.0.12__tar.gz

ldap_manager-1.0.12/LICENSE

@@ -0,0 +1,8 @@
+Copyright 2026 Israel Hen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

ldap_manager-1.0.12/PKG-INFO

@@ -0,0 +1,24 @@
+Metadata-Version: 2.4
+Name: ldap-manager
+Version: 1.0.12
+Summary: CLI power tools for sysadmins who run OpenLDAP and refuse to touch a web UI.
+Author-email: Israel Hen <israelhen153@gmail.com>
+Project-URL: Homepage, https://github.com/israelhen153/ldap-manager
+Project-URL: Repository, https://github.com/israelhen153/ldap-manager
+Project-URL: Issues, https://github.com/israelhen153/ldap-manager/issues
+Project-URL: Documentation, https://github.com/israelhen153/ldap-manager#readme
+Requires-Python: >=3.10
+License-File: LICENSE
+Requires-Dist: python-ldap>=3.4
+Requires-Dist: click>=8.1
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: passlib>=1.7
+Provides-Extra: dev
+Requires-Dist: pytest>=7.0; extra == "dev"
+Requires-Dist: pytest-mock; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+Requires-Dist: mypy>=1.10; extra == "dev"
+Requires-Dist: types-PyYAML; extra == "dev"
+Requires-Dist: bandit>=1.7; extra == "dev"
+Dynamic: license-file

ldap_manager-1.0.12/README.md

@@ -0,0 +1,282 @@
+# ldap-manager
+
+# Tests:
+[![CI](https://github.com/israelhen153/ldap-manager/actions/workflows/makefile.yml/badge.svg)](https://github.com/israelhen153/ldap-manager/actions/workflows/makefile.yml)
+
+
+**CLI power tools for sysadmins who run OpenLDAP and refuse to touch a web UI.**
+
+Manage users, groups, backups, SSH keys, password policies, and server operations — all from one command. Replace your pile of bash scripts and raw `ldapmodify` commands with something that actually has `--dry-run`.
+
+```bash
+pip install ldap-manager
+ldap-manager user list --enabled --json
+```
+
+---
+
+## Why?
+
+If you manage OpenLDAP, your options are:
+
+| Tool | Problem |
+|------|---------|
+| `ldapmodify` / `ldapsearch` | LDIF by hand for every operation |
+| phpLDAPadmin | Abandoned, PHP, browser-only |
+| LDAP Account Manager | Java, $$$, overkill for CLI admins |
+| Your 15 bash scripts | Fragile, no error handling, no dry-run |
+
+**ldap-manager** is the missing CLI. One tool, tab completion, JSON output, dry-run on destructive operations, and actual tests.
+
+---
+
+## Features
+
+| Category | What you get |
+|----------|-------------|
+| **Users** | Create, update, delete, enable/disable, search with filters, dump as JSON |
+| **Groups** | Create, delete, add/remove members, list, supports posixGroup and groupOfNames |
+| **Backup & Restore** | Full `slapcat`/`slapadd` dumps with gzip, metadata, and config backup |
+| **Batch Operations** | Bulk create/update/delete from JSON/CSV/TSV with `--dry-run` |
+| **Password Reset** | Reset all users at once, CSV output with new passwords |
+| **SSH Keys** | Add, remove, list `ldapPublicKey` attributes per user |
+| **Server Ops** | Status, start/stop/restart, reindex with `--auto` |
+| **Password Policy** | View policy config, check user expiry/lockout status |
+| **LDIF Export/Import** | Standards-compliant RFC 2849 export and import with dry-run |
+| **Tree Management** | List/create/delete OUs, visualize your DIT |
+| **Audit Logging** | JSON-lines audit trail of all operations |
+| **JSON Output** | `--json` flag on 12+ commands for scripting and pipelines |
+
+---
+
+## Quickstart
+
+### Install
+
+```bash
+# Rocky/RHEL 8+
+dnf install epel-release -y
+dnf install python3-ldap python3-pyyaml python3-click python3-passlib \
+            openldap-clients openldap-servers -y
+
+pip install ldap-manager
+```
+
+### Configure
+
+```bash
+cp config.example.yaml /etc/ldap-manager/config.yaml
+vim /etc/ldap-manager/config.yaml
+```
+
+Or use environment variables:
+
+```bash
+export LDAP_URI="ldap://localhost:389"
+export LDAP_BIND_DN="cn=admin,dc=example,dc=com"
+export LDAP_BIND_PASSWORD="secret"
+export LDAP_BASE_DN="dc=example,dc=com"
+```
+
+### Go
+
+```bash
+ldap-manager user list
+```
+
+---
+
+## Usage
+
+### Users
+
+```bash
+ldap-manager user list --enabled --json
+ldap-manager user get jdoe
+ldap-manager user create jdoe --cn "John Doe" --mail john@example.com
+ldap-manager user update jdoe --set mail=new@example.com --set loginShell=/bin/zsh
+ldap-manager user delete jdoe --yes
+ldap-manager user disable jdoe
+ldap-manager user enable jdoe
+ldap-manager user passwd jdoe
+
+# Search with filters
+ldap-manager user search --uid "j*"
+ldap-manager user search --mail "*@engineering.com" --enabled
+ldap-manager user search --filter "(description=contractor*)" --json
+```
+
+### Groups
+
+```bash
+ldap-manager group list
+ldap-manager group create devops --gid 5000
+ldap-manager group add-member devops jdoe
+ldap-manager group remove-member devops jdoe
+ldap-manager group members devops --json
+ldap-manager group delete old_team --yes
+```
+
+### Backup & Restore
+
+```bash
+ldap-manager backup dump --tag pre-migration
+ldap-manager backup list
+ldap-manager backup restore /var/backups/ldap/ldap_backup_20240101_120000
+ldap-manager backup restore /path/to/backup --with-config --yes
+```
+
+### Batch Operations
+
+```bash
+# Bulk create from CSV/JSON
+ldap-manager batch create users.csv --dry-run
+ldap-manager batch create users.json --yes
+
+# Bulk delete
+ldap-manager batch delete terminations.csv --dry-run
+```
+
+### Bulk Password Reset
+
+```bash
+ldap-manager passwd-all --dry-run
+ldap-manager passwd-all --output /secure/passwords.csv --length 24
+```
+
+### SSH Keys
+
+```bash
+ldap-manager user ssh-key-list jdoe
+ldap-manager user ssh-key-add jdoe ~/.ssh/id_ed25519.pub
+ldap-manager user ssh-key-remove jdoe 1
+```
+
+### Server Operations
+
+```bash
+ldap-manager server status
+ldap-manager server start
+ldap-manager server stop
+ldap-manager server restart
+ldap-manager server reindex --auto    # stops slapd, reindexes, restarts
+```
+
+### Password Policy
+
+```bash
+ldap-manager ppolicy status jdoe      # expiry, lockout, grace logins
+ldap-manager ppolicy policy           # view current policy config
+ldap-manager ppolicy check-all        # find expired/locked accounts
+```
+
+### LDIF Export & Import
+
+```bash
+ldap-manager user export --format ldif --scope all -o backup.ldif
+ldap-manager user export --format json --enabled -o active_users.json
+ldap-manager import users.ldif --dry-run
+```
+
+### Tree Management
+
+```bash
+ldap-manager tree show                # visualize DIT
+ldap-manager tree list-ous
+ldap-manager tree create-ou "ou=Contractors,dc=example,dc=com"
+ldap-manager tree delete-ou "ou=OldDept,dc=example,dc=com" --recursive
+```
+
+### Audit Log
+
+```bash
+ldap-manager audit log --since 2024-01-01
+ldap-manager audit log --action create --target jdoe
+ldap-manager audit status
+```
+
+### Global Options
+
+```bash
+ldap-manager -c /path/to/config.yaml user list    # custom config
+ldap-manager -v user list                          # verbose logging
+```
+
+---
+
+## Configuration
+
+Config is loaded from (in order, later overrides earlier):
+
+1. `/etc/ldap-manager/config.yaml` (system)
+2. `~/.ldap-manager.yaml` (user)
+3. `--config` flag (explicit)
+4. Environment variables (highest priority)
+
+See `config.example.yaml` for all options.
+
+---
+
+## Development
+
+```bash
+git clone https://github.com/YOURUSERNAME/ldap-manager.git
+cd ldap-manager
+make install    # creates venv, installs deps
+make ci         # lint + typecheck + security + tests
+```
+
+Tests use mocked LDAP connections — no live server needed.
+
+```
+make lint         # ruff check + format
+make typecheck    # mypy
+make security     # bandit
+make test         # pytest with coverage
+make ci           # all of the above
+```
+
+---
+
+## Project Structure
+
+```
+ldap_manager/
+├── __init__.py       # Package metadata
+├── cli.py            # Click CLI — 40+ commands
+├── config.py         # YAML + env config loading
+├── connection.py     # LDAP connection context manager
+├── users.py          # User CRUD, enable/disable, search
+├── groups.py         # Group management (posixGroup + groupOfNames)
+├── passwords.py      # Bulk password generation + reset
+├── backup.py         # slapcat/slapadd dump + restore
+├── batch.py          # Bulk operations from CSV/JSON/TSV
+├── server.py         # Server status, start/stop, reindex
+├── sshkeys.py        # SSH public key management
+├── ppolicy.py        # Password policy status + checks
+├── ldif_ops.py       # RFC 2849 LDIF export/import
+├── tree.py           # OU/DIT management + visualization
+└── audit.py          # JSON-lines audit logging
+```
+
+---
+
+## Design Decisions
+
+- **`slapcat`/`slapadd` for backup** — protocol-level export (`ldapsearch`) is lossy. It misses `cn=config`, overlays, ACLs, and operational attributes. `slapcat` captures everything.
+- **`loginShell` for enable/disable** — simpler and more portable than `shadowExpire` or `nsAccountLock`. No overlay needed.
+- **SSHA passwords** — most universally supported LDAP hash. Change `hash_scheme` in config if your server has `pw-argon2`.
+- **Dry-run on destructive ops** — batch, import, delete, and password reset all support `--dry-run`.
+- **JSON output everywhere** — `--json` on 12+ commands for piping to `jq`, scripts, and monitoring.
+
+---
+
+## Requirements
+
+- Python 3.10+
+- OpenLDAP client libraries (`libldap2-dev` / `openldap-devel`)
+- OpenLDAP server tools on the LDAP host (for backup/restore and server ops)
+
+## License
+
+MIT

ldap_manager-1.0.12/ldap_manager/__init__.py

@@ -0,0 +1,3 @@
+"""ldap-manager: LDAP server management CLI."""
+
+__version__ = "1.0.0"

ldap_manager-1.0.12/ldap_manager/audit.py

@@ -0,0 +1,145 @@
+"""Structured audit logging for LDAP operations.
+
+Writes a JSON-lines audit log of every modification operation.
+Each line is a self-contained JSON object with timestamp, action,
+target, operator, and details.
+"""
+
+from __future__ import annotations
+
+import json
+import logging
+import os
+from datetime import UTC, datetime
+from pathlib import Path
+from typing import Any
+
+log = logging.getLogger(__name__)
+
+# Default audit log location
+DEFAULT_AUDIT_LOG = "/var/log/ldap-manager/audit.jsonl"
+
+
+class AuditLogger:
+    """Append-only JSON-lines audit logger."""
+
+    def __init__(self, log_path: str | Path | None = None) -> None:
+        if log_path is None:
+            log_path = os.environ.get("LDAP_MANAGER_AUDIT_LOG", DEFAULT_AUDIT_LOG)
+        self._path = Path(log_path)
+        self._enabled = True
+
+        # Try to create the log directory and file
+        try:
+            self._path.parent.mkdir(parents=True, exist_ok=True)
+            # Touch the file to verify we can write
+            if not self._path.exists():
+                self._path.touch(mode=0o640)
+        except PermissionError:
+            log.warning(
+                "Cannot write audit log to %s — audit logging disabled. "
+                "Create the directory or set LDAP_MANAGER_AUDIT_LOG env var.",
+                self._path,
+            )
+            self._enabled = False
+
+    @property
+    def enabled(self) -> bool:
+        return self._enabled
+
+    @property
+    def path(self) -> Path:
+        return self._path
+
+    def log(
+        self,
+        action: str,
+        target: str,
+        *,
+        operator: str = "",
+        details: dict[str, Any] | None = None,
+        success: bool = True,
+        error: str = "",
+    ) -> None:
+        """Write an audit log entry.
+
+        Args:
+            action: Operation performed (e.g. "user.create", "group.add_member")
+            target: DN or identifier of the target (e.g. "uid=jdoe,ou=People,...")
+            operator: Who performed the action (bind DN, defaults to config bind_dn)
+            details: Additional structured data about the operation
+            success: Whether the operation succeeded
+            error: Error message if failed
+        """
+        if not self._enabled:
+            return
+
+        entry = {
+            "timestamp": datetime.now(UTC).isoformat(),
+            "action": action,
+            "target": target,
+            "operator": operator,
+            "success": success,
+            "hostname": os.uname().nodename,
+        }
+
+        if details:
+            entry["details"] = details
+        if error:
+            entry["error"] = error
+
+        try:
+            line = json.dumps(entry, ensure_ascii=False, separators=(",", ":"))
+            with open(self._path, "a", encoding="utf-8") as f:
+                f.write(line + "\n")
+        except (OSError, PermissionError) as exc:
+            log.warning("Failed to write audit log: %s", exc)
+
+    def query(
+        self,
+        *,
+        action: str | None = None,
+        target: str | None = None,
+        since: str | None = None,
+        limit: int = 50,
+    ) -> list[dict[str, Any]]:
+        """Query the audit log.
+
+        Args:
+            action: Filter by action prefix (e.g. "user" matches "user.create")
+            target: Filter by target substring
+            since: ISO timestamp — only entries after this time
+            limit: Max entries to return (newest first)
+
+        Returns:
+            List of audit log entries, newest first.
+        """
+        if not self._path.is_file():
+            return []
+
+        entries: list[dict[str, Any]] = []
+        try:
+            with open(self._path, encoding="utf-8") as f:
+                for line in f:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        entry = json.loads(line)
+                    except json.JSONDecodeError:
+                        continue
+
+                    if action and not entry.get("action", "").startswith(action):
+                        continue
+                    if target and target not in entry.get("target", ""):
+                        continue
+                    if since and entry.get("timestamp", "") < since:
+                        continue
+
+                    entries.append(entry)
+        except OSError:
+            return []
+
+        # Newest first, limited
+        entries.reverse()
+        return entries[:limit]