ldap-ui 0.10.3__tar.gz

ldap_ui-0.10.3/LICENSE.txt

@@ -0,0 +1,7 @@
+Copyright (c) 2023
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

ldap_ui-0.10.3/PKG-INFO

@@ -0,0 +1,167 @@
+Metadata-Version: 2.4
+Name: ldap-ui
+Version: 0.10.3
+Summary: A fast and versatile LDAP editor
+Author: dnknth
+License-Expression: MIT
+Project-URL: Repository, https://github.com/dnknth/ldap-ui
+Keywords: ldap,web-ui,python3
+Classifier: Operating System :: OS Independent
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Topic :: Software Development :: Libraries
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE.txt
+Requires-Dist: fastapi>=0.115.12
+Requires-Dist: python-ldap
+Requires-Dist: python-multipart
+Requires-Dist: uvicorn>=0.34.3
+Dynamic: license-file
+
+# Fast and versatile LDAP editor
+
+This is a *minimal* web interface for LDAP directories. Docker images for `linux/amd64` and `linux/arm64/v8` are [available](https://hub.docker.com/r/dnknth/ldap-ui).
+
+![Screenshot](https://github.com/dnknth/ldap-ui/blob/main/screenshot.png?raw=true)
+
+Features:
+
+* Directory tree view
+* Entry creation / modification / deletion
+* LDIF import / export
+* Image support for the `jpegPhoto` and `thumbnailPhoto` attributes
+* Schema aware
+* Simple search (configurable)
+* Asynchronous LDAP backend with decent scalability
+* Available as [Docker image](https://hub.docker.com/r/dnknth/ldap-ui/)
+
+The app always requires authentication, even if the directory permits anonymous access. User credentials are validated through a simple `bind` on the directory (SASL is not supported). What a particular user can see (and edit) is governed entirely by directory access rules. The app shows the directory contents, nothing less and nothing more.
+
+## Usage
+
+### Environment variables
+
+LDAP access is controlled by the following optional environment variables, possibly from a `.env` file:
+
+* `LDAP_URL`: Connection URL, defaults to `ldap:///`.
+* `BASE_DN`: Search base, e.g. `dc=example,dc=org`.
+* `SCHEMA_DN`: # DN to obtain the directory schema, e.g. `cn=subSchema`.
+* `LOGIN_ATTR`: User name attribute, defaults to `uid`.
+
+* `USE_TLS`: Enable TLS, defaults to true for `ldaps` connections. Set it to a non-empty string to force `STARTTLS` on `ldap` connections.
+* `INSECURE_TLS`: Do not require a valid server TLS certificate, defaults to false, implies `USE_TLS`.
+
+if `BASE_DN` or `SCHEMA_DN` are not provided explicitly, auto-detection from the root DSE is attempted.
+For this to work, the root DSE must be readable anonymously, e.g. with the following ACL line for OpenLDAP:
+
+```text
+access to dn.base="" by * read
+```
+
+For finer-grained control, see [settings.py](settings.py).
+
+### Docker
+
+For the impatient: Run it with
+
+```shell
+docker run -p 127.0.0.1:5000:5000 \
+    -e LDAP_URL=ldap://your.openldap.server/ \
+    dnknth/ldap-ui:latest
+```
+
+For the even more impatient: Start a demo with
+
+```shell
+docker compose up -d
+```
+
+and go to <http://localhost:5000/>. You are automatically logged in as `Fred Flintstone`.
+
+### Pip
+
+Install the `python-ldap` dependency with your system's package manager.
+Otherwise, Pip will try to compile it from source and this will likely fail because it lacks a development environment.
+
+Then install `ldap-ui` in a virtual environment:
+
+```shell
+python3 -m venv --system-site-packages venv
+. venv/bin/activate
+pip3 install ldap-ui
+```
+
+Possibly after a shell `rehash`, it is available as `ldap-ui`:
+
+```text
+Usage: ldap-ui [OPTIONS]
+
+Options:
+  -b, --base-dn TEXT              LDAP base DN. Required unless the BASE_DN
+                                  environment variable is set.
+  -h, --host TEXT                 Bind socket to this host.  [default:
+                                  127.0.0.1]
+  -p, --port INTEGER              Bind socket to this port. If 0, an available
+                                  port will be picked.  [default: 5000]
+  -l, --log-level [critical|error|warning|info|debug|trace]
+                                  Log level. [default: info]
+  --version                       Display the current version and exit.
+  --help                          Show this message and exit.
+```
+
+## Development
+
+Prerequisites:
+
+* [GNU make](https://www.gnu.org/software/make/)
+* [node.js](https://nodejs.dev) LTS version with NPM
+* [Python3](https://www.python.org) ≥ 3.7
+* [pip3](https://packaging.python.org/tutorials/installing-packages/)
+* [python-ldap](https://pypi.org/project/python-ldap/); To compile the Python module:
+  * Debian / Ubuntu: `apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev`
+  * RedHat / CentOS: `yum install python-devel openldap-devel`
+
+`ldap-ui` consists of a Vue frontend and a Python backend that roughly translates a subset of the LDAP protocol to a stateless ReST API.
+
+For the frontend, `npm run build` assembles everything in `backend/ldap_ui/statics`.
+
+Review the configuration in [settings.py](settings.py). It is short and mostly self-explaining.
+Most settings can (and should) be overridden by environment variables or settings in a `.env` file; see [env.demo](env.demo) or [env.example](env.example).
+
+The backend can be run locally with `make`, which will also install dependencies and build the frontend if needed.
+
+## Notes
+
+### Authentication methods
+
+The UI always uses a simple `bind` operation to authenticate with the LDAP directory. How the `bind` DN is obtained from a given user name depends on a combination of OS environment variables, possibly from a `.env` file:
+
+1. Search by some attribute. By default, this is the `uid`, which can be overridden by the environment variable `LOGIN_ATTR`, e.g. `LOGIN_ATTR=cn`.
+2. If the environment variable `BIND_PATTERN` is set, then no search is performed. Login with a full DN can be configured with `BIND_PATTERN=%s`, which for example allows to login as user `cn=admin,dc=example,dc=org`. If a partial DN like `BIND_PATTERN=%s,dc=example,dc=org` is configured, the corresponding login would be `cn=admin`. If a specific pattern like `BIND_PATTERN=cn=%s,dc=example,dc=org` is configured, the login name is just `admin`.
+3. If security is no concern, then a fixed `BIND_DN` and `BIND_PASSWORD` can be set in the environment. This is for demo purposes only, and probably a very bad idea if access to the UI is not restricted by any other means.
+
+### Searching
+
+Search uses a (configurable) set of criteria (`cn`, `gn`, `sn`, and `uid`) if the query does not contain `=`.
+Wildcards are supported, e.g. `f*` will match all `cn`, `gn`, `sn`, and `uid` starting with `f`.
+Additionally, arbitrary attributes can be searched with an LDAP filter specification, for example `sn=F*`.
+
+### Caveats
+
+* The software works with [OpenLdap](http://www.openldap.org) using simple bind. Other directories have not been tested much, although [389 DS](https://www.port389.org) works to some extent.
+* SASL authentication schemes are presently not supported.
+* Passwords are transmitted as plain text. The LDAP server is expected to hash them (OpenLdap 2.4 does). I strongly recommend to expose the app through a TLS-enabled web server.
+* HTTP *Basic Authentication* is triggered unless the `AUTHORIZATION` request variable is already set by some upstream HTTP server.
+
+## Q&A
+
+* Q: Why are some fields not editable?
+  * A: The RDN of an entry is read-only. To change it, rename the entry with a different RDN, then change the old RDN and rename back. To change passwords, click on the question mark icon on the right side. Binary fields (as per schema) are read-only. You do not want to modify them accidentally.
+* Q: Why did you write this?
+  * A: [PHPLdapAdmin](http://phpldapadmin.sf.net/) has not seen updates for ages. I needed a replacement, and wanted to try Vue.
+
+## Acknowledgements
+
+The Python backend uses [FastAPI](https://fastapi.tiangolo.com). The UI is built with [Vue.js](https://vuejs.org) and [Tailwind CSS](https://tailwindcss.com/). Kudos to the authors of these elegant frameworks!

ldap_ui-0.10.3/README.md

@@ -0,0 +1,145 @@
+# Fast and versatile LDAP editor
+
+This is a *minimal* web interface for LDAP directories. Docker images for `linux/amd64` and `linux/arm64/v8` are [available](https://hub.docker.com/r/dnknth/ldap-ui).
+
+![Screenshot](https://github.com/dnknth/ldap-ui/blob/main/screenshot.png?raw=true)
+
+Features:
+
+* Directory tree view
+* Entry creation / modification / deletion
+* LDIF import / export
+* Image support for the `jpegPhoto` and `thumbnailPhoto` attributes
+* Schema aware
+* Simple search (configurable)
+* Asynchronous LDAP backend with decent scalability
+* Available as [Docker image](https://hub.docker.com/r/dnknth/ldap-ui/)
+
+The app always requires authentication, even if the directory permits anonymous access. User credentials are validated through a simple `bind` on the directory (SASL is not supported). What a particular user can see (and edit) is governed entirely by directory access rules. The app shows the directory contents, nothing less and nothing more.
+
+## Usage
+
+### Environment variables
+
+LDAP access is controlled by the following optional environment variables, possibly from a `.env` file:
+
+* `LDAP_URL`: Connection URL, defaults to `ldap:///`.
+* `BASE_DN`: Search base, e.g. `dc=example,dc=org`.
+* `SCHEMA_DN`: # DN to obtain the directory schema, e.g. `cn=subSchema`.
+* `LOGIN_ATTR`: User name attribute, defaults to `uid`.
+
+* `USE_TLS`: Enable TLS, defaults to true for `ldaps` connections. Set it to a non-empty string to force `STARTTLS` on `ldap` connections.
+* `INSECURE_TLS`: Do not require a valid server TLS certificate, defaults to false, implies `USE_TLS`.
+
+if `BASE_DN` or `SCHEMA_DN` are not provided explicitly, auto-detection from the root DSE is attempted.
+For this to work, the root DSE must be readable anonymously, e.g. with the following ACL line for OpenLDAP:
+
+```text
+access to dn.base="" by * read
+```
+
+For finer-grained control, see [settings.py](settings.py).
+
+### Docker
+
+For the impatient: Run it with
+
+```shell
+docker run -p 127.0.0.1:5000:5000 \
+    -e LDAP_URL=ldap://your.openldap.server/ \
+    dnknth/ldap-ui:latest
+```
+
+For the even more impatient: Start a demo with
+
+```shell
+docker compose up -d
+```
+
+and go to <http://localhost:5000/>. You are automatically logged in as `Fred Flintstone`.
+
+### Pip
+
+Install the `python-ldap` dependency with your system's package manager.
+Otherwise, Pip will try to compile it from source and this will likely fail because it lacks a development environment.
+
+Then install `ldap-ui` in a virtual environment:
+
+```shell
+python3 -m venv --system-site-packages venv
+. venv/bin/activate
+pip3 install ldap-ui
+```
+
+Possibly after a shell `rehash`, it is available as `ldap-ui`:
+
+```text
+Usage: ldap-ui [OPTIONS]
+
+Options:
+  -b, --base-dn TEXT              LDAP base DN. Required unless the BASE_DN
+                                  environment variable is set.
+  -h, --host TEXT                 Bind socket to this host.  [default:
+                                  127.0.0.1]
+  -p, --port INTEGER              Bind socket to this port. If 0, an available
+                                  port will be picked.  [default: 5000]
+  -l, --log-level [critical|error|warning|info|debug|trace]
+                                  Log level. [default: info]
+  --version                       Display the current version and exit.
+  --help                          Show this message and exit.
+```
+
+## Development
+
+Prerequisites:
+
+* [GNU make](https://www.gnu.org/software/make/)
+* [node.js](https://nodejs.dev) LTS version with NPM
+* [Python3](https://www.python.org) ≥ 3.7
+* [pip3](https://packaging.python.org/tutorials/installing-packages/)
+* [python-ldap](https://pypi.org/project/python-ldap/); To compile the Python module:
+  * Debian / Ubuntu: `apt-get install libsasl2-dev python-dev libldap2-dev libssl-dev`
+  * RedHat / CentOS: `yum install python-devel openldap-devel`
+
+`ldap-ui` consists of a Vue frontend and a Python backend that roughly translates a subset of the LDAP protocol to a stateless ReST API.
+
+For the frontend, `npm run build` assembles everything in `backend/ldap_ui/statics`.
+
+Review the configuration in [settings.py](settings.py). It is short and mostly self-explaining.
+Most settings can (and should) be overridden by environment variables or settings in a `.env` file; see [env.demo](env.demo) or [env.example](env.example).
+
+The backend can be run locally with `make`, which will also install dependencies and build the frontend if needed.
+
+## Notes
+
+### Authentication methods
+
+The UI always uses a simple `bind` operation to authenticate with the LDAP directory. How the `bind` DN is obtained from a given user name depends on a combination of OS environment variables, possibly from a `.env` file:
+
+1. Search by some attribute. By default, this is the `uid`, which can be overridden by the environment variable `LOGIN_ATTR`, e.g. `LOGIN_ATTR=cn`.
+2. If the environment variable `BIND_PATTERN` is set, then no search is performed. Login with a full DN can be configured with `BIND_PATTERN=%s`, which for example allows to login as user `cn=admin,dc=example,dc=org`. If a partial DN like `BIND_PATTERN=%s,dc=example,dc=org` is configured, the corresponding login would be `cn=admin`. If a specific pattern like `BIND_PATTERN=cn=%s,dc=example,dc=org` is configured, the login name is just `admin`.
+3. If security is no concern, then a fixed `BIND_DN` and `BIND_PASSWORD` can be set in the environment. This is for demo purposes only, and probably a very bad idea if access to the UI is not restricted by any other means.
+
+### Searching
+
+Search uses a (configurable) set of criteria (`cn`, `gn`, `sn`, and `uid`) if the query does not contain `=`.
+Wildcards are supported, e.g. `f*` will match all `cn`, `gn`, `sn`, and `uid` starting with `f`.
+Additionally, arbitrary attributes can be searched with an LDAP filter specification, for example `sn=F*`.
+
+### Caveats
+
+* The software works with [OpenLdap](http://www.openldap.org) using simple bind. Other directories have not been tested much, although [389 DS](https://www.port389.org) works to some extent.
+* SASL authentication schemes are presently not supported.
+* Passwords are transmitted as plain text. The LDAP server is expected to hash them (OpenLdap 2.4 does). I strongly recommend to expose the app through a TLS-enabled web server.
+* HTTP *Basic Authentication* is triggered unless the `AUTHORIZATION` request variable is already set by some upstream HTTP server.
+
+## Q&A
+
+* Q: Why are some fields not editable?
+  * A: The RDN of an entry is read-only. To change it, rename the entry with a different RDN, then change the old RDN and rename back. To change passwords, click on the question mark icon on the right side. Binary fields (as per schema) are read-only. You do not want to modify them accidentally.
+* Q: Why did you write this?
+  * A: [PHPLdapAdmin](http://phpldapadmin.sf.net/) has not seen updates for ages. I needed a replacement, and wanted to try Vue.
+
+## Acknowledgements
+
+The Python backend uses [FastAPI](https://fastapi.tiangolo.com). The UI is built with [Vue.js](https://vuejs.org) and [Tailwind CSS](https://tailwindcss.com/). Kudos to the authors of these elegant frameworks!

ldap_ui-0.10.3/backend/ldap_ui/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.10.3"

ldap_ui-0.10.3/backend/ldap_ui/__main__.py

@@ -0,0 +1,88 @@
+import logging
+
+import click
+import uvicorn
+from uvicorn.config import LOG_LEVELS
+from uvicorn.logging import ColourizedFormatter
+from uvicorn.main import LEVEL_CHOICES
+
+import ldap_ui
+
+from . import settings
+
+
+def print_version(ctx: click.Context, param: click.Parameter, value: bool) -> None:
+    if value:
+        click.echo(ldap_ui.__version__)
+        ctx.exit()
+
+
+@click.command()
+@click.option(
+    "-b",
+    "--base-dn",
+    type=str,
+    default=settings.BASE_DN,
+    help="LDAP base DN.  [default: Detect from root DSE]",
+)
+@click.option(
+    "-h",
+    "--host",
+    type=str,
+    default="127.0.0.1",
+    help="Bind socket to this IP.",
+    show_default=True,
+)
+@click.option(
+    "-p",
+    "--port",
+    type=int,
+    default=5000,
+    help="Bind socket to this port (or 0 for any available port).",
+    show_default=True,
+)
+@click.option(
+    "-u",
+    "--ldap-url",
+    type=str,
+    default=settings.LDAP_URL,
+    help="LDAP directory connection URL.",
+    show_default=True,
+)
+@click.option(
+    "-l",
+    "--log-level",
+    type=LEVEL_CHOICES,
+    default="info",
+    help="Log level.",
+    show_default=True,
+)
+@click.option(
+    "--reload",
+    is_flag=True,
+    help="Watch for changes and reload?",
+)
+@click.option(
+    "--version",
+    is_flag=True,
+    callback=print_version,
+    expose_value=False,
+    is_eager=True,
+    help="Display the current version and exit.",
+)
+def main(base_dn, host, port, ldap_url, log_level, reload):
+    logging.basicConfig(level=LOG_LEVELS[log_level])
+    rootHandler = logging.getLogger().handlers[0]
+    rootHandler.setFormatter(ColourizedFormatter(fmt="%(levelprefix)s %(message)s"))
+
+    if base_dn is not None:
+        settings.BASE_DN = base_dn
+
+    if ldap_url is not None:
+        settings.LDAP_URL = ldap_url
+
+    uvicorn.run("ldap_ui.app:app", host=host, port=port, reload=reload)
+
+
+if __name__ == "__main__":
+    main()

ldap_ui-0.10.3/backend/ldap_ui/app.py

@@ -0,0 +1,90 @@
+"""
+Simplistic ReST proxy for LDAP access.
+
+Authentication is either hard-wired in the settings,
+or else only HTTP basic auth is supported.
+
+The backend is stateless, it re-connects to the directory on every request.
+No sessions, no cookies, nothing else.
+"""
+
+import logging
+from http import HTTPStatus
+
+from fastapi import FastAPI, Request, Response
+from fastapi.middleware.gzip import GZipMiddleware
+from fastapi.responses import JSONResponse
+from fastapi.staticfiles import StaticFiles
+from ldap import (  # type: ignore
+    ALREADY_EXISTS,  # type: ignore
+    INSUFFICIENT_ACCESS,  # type: ignore
+    INVALID_CREDENTIALS,  # type: ignore
+    NO_SUCH_OBJECT,  # type: ignore
+    OBJECT_CLASS_VIOLATION,  # type: ignore
+    UNWILLING_TO_PERFORM,  # type: ignore  # type: ignore
+    LDAPError,  # type: ignore
+)
+
+from . import __version__, ldap_api, settings
+
+# Main ASGI entry
+
+app = FastAPI(debug=settings.DEBUG, title="LDAP UI", version=__version__)
+app.include_router(ldap_api.api)
+app.mount("/", StaticFiles(packages=["ldap_ui"], html=True))
+
+app.add_middleware(GZipMiddleware, minimum_size=1000, compresslevel=5)
+
+
+@app.middleware("http")
+async def cache_buster(request: Request, call_next) -> Response:
+    "Forbid caching of API responses"
+    response = await call_next(request)
+    if request.url.path.startswith("/api"):
+        response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
+        response.headers["Pragma"] = "no-cache"
+        response.headers["Expires"] = "0"
+    return response
+
+
+# API error handling
+
+LDAP_ERROR_TO_STATUS = {
+    ALREADY_EXISTS: HTTPStatus.CONFLICT,
+    INSUFFICIENT_ACCESS: HTTPStatus.FORBIDDEN,
+    INVALID_CREDENTIALS: HTTPStatus.UNAUTHORIZED,
+    NO_SUCH_OBJECT: HTTPStatus.NOT_FOUND,
+    OBJECT_CLASS_VIOLATION: HTTPStatus.BAD_REQUEST,
+    UNWILLING_TO_PERFORM: HTTPStatus.FORBIDDEN,
+}
+
+
+@app.exception_handler(LDAPError)
+def handle_ldap_error(request: Request, exc: LDAPError) -> Response:
+    "General handler for LDAP errors"
+
+    exc_type = type(exc)
+    if exc_type is UNWILLING_TO_PERFORM:
+        logging.critical("Need BIND_DN or BIND_PATTERN to authenticate")
+
+    if exc_type is INVALID_CREDENTIALS:
+        return Response(
+            status_code=HTTPStatus.UNAUTHORIZED,
+            headers={
+                "WWW-Authenticate": 'Basic realm="Please log in", charset="UTF-8"'
+            },
+        )
+
+    if exc_type not in LDAP_ERROR_TO_STATUS:
+        # Unknown error --> log it since FastApi won't do it for us
+        logging.exception("Error in %s %s:", request.method, request.url, exc_info=exc)
+
+    cause = exc.args[0] if exc.args else {}
+    desc = cause.get("desc", "LDAP error").capitalize()
+    msg = f"{desc}" if "info" not in cause else f"{desc}: {cause['info'].capitalize()}"
+    return JSONResponse(
+        {"detail": [msg]},
+        status_code=LDAP_ERROR_TO_STATUS.get(
+            exc_type, HTTPStatus.INTERNAL_SERVER_ERROR
+        ),
+    )

ldap_ui-0.10.3/backend/ldap_ui/entities.py

@@ -0,0 +1,50 @@
+"Data types for ReST endpoints"
+
+from pydantic import BaseModel
+
+
+class TreeItem(BaseModel):
+    "Entry in the navigation tree"
+
+    dn: str
+    structuralObjectClass: str
+    hasSubordinates: bool
+    level: int
+
+
+Attributes = dict[str, list[str]]
+
+AttributeNames = list[str]  # Names of modified attributes
+
+
+class Entry(BaseModel):
+    "Directory entry"
+
+    dn: str
+    attrs: Attributes
+    binary: AttributeNames
+    autoFilled: AttributeNames
+    changed: AttributeNames
+    isNew: bool = False
+
+
+class ChangePasswordRequest(BaseModel):
+    "Change a password"
+
+    old: str
+    new1: str
+
+
+class SearchResult(BaseModel):
+    "Search result"
+
+    dn: str
+    name: str
+
+
+class Range(BaseModel):
+    "Numeric attribute range"
+
+    min: int
+    max: int
+    next: int