  • python 调用ldap同步密码

    1. windows + python2.7 安装 python-ldap
      https://www.lfd.uci.edu/~gohlke/pythonlibs/#python-ldap

    2.python 同步密码（注意：脚本复制的是 userPassword 属性中已哈希的值，并非明文密码；绑定账号需要对源目录的 userPassword 有读权限、对目标目录有写权限，目标目录也必须支持源目录使用的哈希格式）

    # encoding: utf-8
    """
      Created by Jeff Liu on 2019/12/2
    """
    import os
    import re

    import ldap
    import ldap.dn
    import ldap.filter
    
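    def ldap_settings_from_env(prefix):
        """Build one LDAP connection-settings dict from environment variables.

        Bind credentials used to live as literals in this file; reading them
        from ``<prefix>_BIND_DN``, ``<prefix>_BIND_PASS`` etc. keeps secrets out
        of source control. Every key keeps the empty string as its default, so
        a caller that fills the dict in by hand afterwards still works.

        :param prefix: environment-variable prefix, e.g. ``'PORTAL_LDAP'``
        :return: dict with keys ``bind_dn``, ``bind_pass``, ``ldap_server``,
            ``port`` (kept as a string), ``user_dn`` and ``group_dn``
        """
        return {
            'bind_dn': os.environ.get(prefix + '_BIND_DN', ''),
            'bind_pass': os.environ.get(prefix + '_BIND_PASS', ''),
            'ldap_server': os.environ.get(prefix + '_SERVER', ''),
            'port': os.environ.get(prefix + '_PORT', ''),
            'user_dn': os.environ.get(prefix + '_USER_DN', ''),
            'group_dn': os.environ.get(prefix + '_GROUP_DN', ''),
        }


    # Source directory (passwords are read from here).
    PORTAL_LDAP = ldap_settings_from_env('PORTAL_LDAP')
    # Target directory (group members are read from, and passwords written to, here).
    DEVOPS_LDAP = ldap_settings_from_env('DEVOPS_LDAP')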
    
    
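    def connect_ldap(my_ldap):
        """Open a connection to an LDAP server and bind with the service account.

        :param my_ldap: settings dict with keys ``ldap_server``, ``port``,
            ``bind_dn`` and ``bind_pass``. Optional keys:
            ``use_ldaps`` - truthy builds an ``ldaps://`` URL instead of ``ldap://``;
            ``ca_cert_file`` - CA bundle used to validate the server certificate;
            ``verify_cert`` - set to False to skip certificate validation. That
            is insecure (anyone on the path can impersonate the server and read
            the bind password and every hash this script copies) and should be
            limited to throw-away lab setups.
        :return: a bound LDAP connection object; the caller must ``unbind_s()`` it
        :raises ldap.LDAPError: if the server is unreachable or the bind fails
        """
        host = my_ldap['ldap_server']
        port = my_ldap['port']
        bind_dn = my_ldap['bind_dn']
        bind_pass = my_ldap['bind_pass']
        scheme = 'ldaps' if my_ldap.get('use_ldaps') else 'ldap'

        # The OPT_X_TLS_* options are process-global in python-ldap and are
        # set before initialize(), as the original code did. Certificate
        # validation stays ON unless the caller explicitly opts out.
        ca_cert_file = my_ldap.get('ca_cert_file')
        if ca_cert_file:
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert_file)
        if my_ldap.get('verify_cert', True):
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        else:
            print("WARNING: TLS certificate validation disabled for {}".format(host))
            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

        # NOTE: over plain ldap:// the bind password and every userPassword
        # value travel in cleartext; prefer use_ldaps outside a lab.
        # format() accepts the port as either a string or an int.
        url = '{}://{}:{}'.format(scheme, host, port)
        ldap_connect = ldap.initialize(url)
        ldap_connect.set_option(ldap.OPT_REFERRALS, 0)
        ldap_connect.protocol_version = ldap.VERSION3
        ldap_connect.simple_bind_s(bind_dn, bind_pass)
        print("ldap: {} is connected.".format(host))
        return ldap_connect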
    
    
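    def get_password(ldap_connect, uid, user_dn):
        """Read the stored (hashed) ``userPassword`` value of one user.

        :param ldap_connect: bound LDAP connection (see ``connect_ldap``)
        :param uid: the user's account name. It is escaped before being placed
            in the search filter, so a value such as ``*`` or ``x)(uid=admin``
            cannot widen the search to other accounts.
        :param user_dn: base DN under which user entries are searched
        :return: the first ``userPassword`` value exactly as python-ldap
            returns it (``bytes`` on Python 3), or ``None`` if no entry
            matches, more than one matches, the entry has no ``userPassword``,
            or the search fails. The value is a password hash and is never
            printed.
        """
        filterstr = '(uid={})'.format(ldap.filter.escape_filter_chars(uid))
        try:
            # Only request the one attribute that is needed.
            result_set = ldap_connect.search_s(
                user_dn, ldap.SCOPE_SUBTREE, filterstr, ['userPassword'])
        except ldap.LDAPError as e:
            print("get_password error: uid={}, {}".format(uid, e))
            return None
        # With OPT_REFERRALS off python-ldap can report continuation
        # references as entries whose dn is None; they carry no attributes.
        entries = [entry for entry in result_set if entry[0] is not None]
        if not entries:
            print("get_password error: {} not found.".format(uid))
            return None
        if len(entries) > 1:
            # Several entries share this uid: refuse rather than silently copy
            # the hash of whichever the server listed first.
            print("get_password error: {} is ambiguous ({} entries).".format(uid, len(entries)))
            return None
        _, attrs = entries[0]
        values = attrs.get('userPassword')
        if not values:
            print("get_password error: {} has no userPassword.".format(uid))
            return None
        return values[0]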
    
    
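    def change_password(ldap_to_connect, uid, user_dn, new_password):
        """Replace a user's ``userPassword`` attribute on the target server.

        :param ldap_to_connect: bound LDAP connection to the target directory
        :param uid: the user's account name; it is DN-escaped before being used
            to build ``uid=<uid>,<user_dn>``
        :param user_dn: base DN under which the user entry lives
        :param new_password: value to store. ``sync`` passes the raw
            ``userPassword`` read from the source server, i.e. an already
            hashed value, so this copies a hash rather than setting a
            cleartext password. ``str`` values are UTF-8 encoded because
            python-ldap on Python 3 expects attribute values as ``bytes``.
        :return: True if the modify succeeded, False on an LDAP error
        """
        dn = 'uid={},{}'.format(ldap.dn.escape_dn_chars(uid), user_dn)
        value = new_password
        if not isinstance(value, bytes):
            value = value.encode('utf-8')
        modlist = [(ldap.MOD_REPLACE, 'userPassword', value)]
        try:
            ldap_to_connect.modify_s(dn, modlist)
            return True
        except ldap.LDAPError as e:
            # The value itself is deliberately left out of the log line.
            print("change_password error: {}, {}".format(uid, e))
            return False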
    
    
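    def get_group_member(ldap_to_connect, cn, group_dn):
        """Return the account names (``uid`` RDN values) of a group's members.

        :param ldap_to_connect: bound LDAP connection
        :param cn: the group's common name; escaped before use in the filter
        :param group_dn: base DN under which groups are searched
        :return: list of uids taken from the group's ``uniqueMember`` DNs
            (members whose DN does not start with ``uid=`` are skipped; the
            list may be empty), or ``None`` if the group is not found, has no
            ``uniqueMember`` attribute, or the search fails
        """
        filterstr = '(cn={})'.format(ldap.filter.escape_filter_chars(cn))
        try:
            result_set = ldap_to_connect.search_s(
                group_dn, ldap.SCOPE_SUBTREE, filterstr, ['uniqueMember'])
        except ldap.LDAPError as e:
            print("get_group_member error: {}".format(e))
            return None
        # Skip continuation references (dn None) that can appear with
        # OPT_REFERRALS off; like the original, use the first real entry.
        entries = [entry for entry in result_set if entry[0] is not None]
        if not entries:
            print("get_group_member error: group {} not found.".format(cn))
            return None
        _, attrs = entries[0]
        if 'uniqueMember' not in attrs:
            print("get_group_member error: key not found.")
            return None
        # Leading RDN of a member DN such as "uid=1111,ou=people,dc=...".
        # A uid containing an escaped comma is not handled by this pattern;
        # use ldap.dn.str2dn if such values exist in the directory.
        rdn_pattern = re.compile(r'^\s*uid=([^,]+),', re.IGNORECASE)
        user_list = []
        for member_dn in attrs['uniqueMember']:
            if not isinstance(member_dn, str):
                # python-ldap on Python 3 returns attribute values as bytes.
                member_dn = member_dn.decode('utf-8')
            match = rdn_pattern.match(member_dn)
            if match:
                user_list.append(match.group(1).strip())
        return user_list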
    
    
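    def add_group_member(ldap_to, groupname, group_dn, user_dn, user_list):
        """Replace the membership of a group with exactly ``user_list``.

        Despite the name this *sets* the membership rather than appending to
        it: the group's whole ``uniqueMember`` attribute is replaced.

        :param ldap_to: connection settings of the target server (a dict as
            accepted by ``connect_ldap``); the connection is opened and closed
            inside this function
        :param groupname: the group's ``cn``
        :param group_dn: base DN under which the group entry lives
        :param user_dn: base DN under which the user entries live
        :param user_list: account names, e.g. ``['1111', '2222']``; each becomes
            ``uid=<uid>,<user_dn>`` with the uid DN-escaped
        :return: True on success, False if the modify raised an LDAP error
        """
        member_dns = ['uid={},{}'.format(ldap.dn.escape_dn_chars(user), user_dn)
                      for user in user_list]
        # python-ldap on Python 3 wants attribute values as bytes; on Python 2
        # str already is bytes, so this is a no-op there.
        values = [m if isinstance(m, bytes) else m.encode('utf-8') for m in member_dns]
        # A single MOD_REPLACE carrying the full value list sets the attribute
        # in one operation. An empty user_list maps to None, which asks the
        # server to remove the attribute; whether that is accepted depends on
        # the group's object class (a class that lists uniqueMember as MUST
        # will reject it).
        modlist = [(ldap.MOD_REPLACE, 'uniqueMember', values or None)]
        group_entry_dn = 'cn={},{}'.format(ldap.dn.escape_dn_chars(groupname), group_dn)
        print(group_entry_dn)
        print(modlist)
        ldap_to_connect = connect_ldap(ldap_to)
        try:
            ldap_to_connect.modify_s(group_entry_dn, modlist)
            return True
        except ldap.LDAPError as e:
            print("add_group_member: {} add group memeber failed,reason: {}".format(groupname, e))
            return False
        finally:
            # This function opened the connection, so it closes it.
            ldap_to_connect.unbind_s()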
    
    
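    def sync(group_name, ldap_from, ldap_to):
        """Copy the password hashes of one group's members between directories.

        The member list is read from the *target* group (``ldap_to``). For each
        member the ``userPassword`` value is read from ``ldap_from`` and written
        unchanged to ``ldap_to``. Because the hash is copied verbatim, the
        target server must accept the source's hash format, and the bind
        account on ``ldap_from`` must be permitted to read ``userPassword``.

        :param group_name: ``cn`` of the group whose members are synced
        :param ldap_from: connection settings of the source directory
        :param ldap_to: connection settings of the target directory
        :return: ``{'success': <users updated>, 'total': <members found>}``;
            both are 0 when the group cannot be read
        :raises ldap.LDAPError: if either connection/bind fails
        """
        ldap_to_connect = connect_ldap(ldap_to)
        ldap_from_connect = None
        try:
            ldap_from_connect = connect_ldap(ldap_from)
            user_list = get_group_member(ldap_to_connect, group_name, ldap_to['group_dn'])
            if user_list is None:
                # get_group_member already printed the reason; nothing to sync
                # (the original iterated None here and crashed).
                return {'success': 0, 'total': 0}
            count = 0
            for user in user_list:
                user_password = get_password(ldap_from_connect, user, ldap_from['user_dn'])
                if not user_password:
                    continue
                if change_password(ldap_to_connect, user, ldap_to['user_dn'], user_password):
                    count += 1
                    print("changed: {}".format(user))
            return {'success': count, 'total': len(user_list)}
        finally:
            # Release both connections even if a step above raised.
            ldap_to_connect.unbind_s()
            if ldap_from_connect is not None:
                ldap_from_connect.unbind_s()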
    
    
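    if __name__ == '__main__':
        # Sync the jenkins and gitlab groups from the portal directory to the
        # devops directory; each call prints its {'success': n, 'total': m}
        # summary. (The original printed the last result a second time.)
        for group in ("oa-jenkins", "oa-gitlab"):
            result = sync(group, PORTAL_LDAP, DEVOPS_LDAP)
            print(result)
        # To reset a group's membership instead, call for example:
        #   add_group_member(DEVOPS_LDAP, 'oa-jenkins', DEVOPS_LDAP['group_dn'],
        #                    DEVOPS_LDAP['user_dn'], ['1111', '2222'])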
    
    
    
  • 原文地址:https://www.cnblogs.com/doraman/p/11969593.html