A library for integrating with Microsoft Active Directory domains
MIT License
The primary components of this release are:
Additionally, the following issues have been fixed:
Full Changelog: https://github.com/zorn96/ms_active_directory/compare/v1.12.1...v1.13.0
Published by zorn96 almost 3 years ago
Fixed a regression in finding primary groups.
Published by zorn96 almost 3 years ago
The primary component of this release is user principal name functionality. New features include:
Other small enhancements include:
Published by zorn96 almost 3 years ago
Added the following functionality:
Getting the primary group for users
Options to speed up user/group/computer creation when location has been pre-validated
Published by zorn96 almost 3 years ago
Contains fixes to the hash function for ADObjects and minor optimizations for user creation.
Published by zorn96 almost 3 years ago
New functionality in 1.11.0 includes:
Ability to locally configure a Windows, macOS, or Linux device's Kerberos client when creating an ADDomain object, or independently using one or more ADDomain objects
Ability to create groups (thanks @TrinityDevelopers )
Ability to create unmanaged users (thanks @TrinityDevelopers )
Ability to create managed users, which (just like managed computers) will automatically generate Kerberos keys for the users to authenticate with, and support a variety of auxiliary functionality
Published by zorn96 about 3 years ago
Bug fix for an issue where trailing commas were left in the relative distinguished name of objects.
Published by zorn96 about 3 years ago
Added new functionality for discovering policies.
There's a new function to find all of the group policies within a domain, and their attributes.
There's also functionality added to ADObject objects, and all of their derivatives, to parse the linked group policy information and make it simple to see the list of the distinguished names of policies attached to the object. There have also been new ADObject derivatives added for group policy objects, organizational units, and domain objects, making it somewhat easier to work with container-type objects and their policies.
Published by zorn96 about 3 years ago
Primary release focus: added documentation and a documentation build system.
Find the docs at https://ms-active-directory.readthedocs.io/en/latest/
This release also added completed docstrings for all functions, as a few were missing them.
Type annotations were also added for the return types of all functions.
Minor tweaks to line lengths were made in the name of PEP8 compliance.
Published by zorn96 about 3 years ago
Added support for looking up members of groups.
There are now functions for the following:
For all of these, members will be cast to the most appropriate object type (e.g. ADUser or ADGroup) in the response, making it easy to tell what types the members are.
Published by zorn96 about 3 years ago
Added Windows path support and made some performance improvements.
Previously, only LDAP distinguished names were supported for most operations.
However, not everyone is comfortable with that style of naming. Many people
on Windows are familiar with canonical names (also called "Windows path style"
naming): the DC components of the distinguished name are joined with dots to
form the domain name, and the remaining RDN values follow in reverse order,
separated by slashes.
For example, OU=nested-org,OU=org,CN=org-containers,DC=example,DC=com
would be example.com/org-containers/org/nested-org
The library now supports looking up these names and using them for things like
domain joining.
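The conversion described above, as an added example that is not part of the library's code: the DC components become the dotted domain, the remaining RDN values are reversed and joined with slashes, and RFC 4514 backslash escapes are honoured so that a name such as CN=Doe\, Jane survives the round trip. Going from a canonical name back to a DN is not a textual operation, because the canonical form does not say whether a container is an OU or a CN; the `rdn_attr_of` callback stands in for the directory lookup the library performs, and the `CN_PATHS` table it consults is constructed for this example.

```python
"""DN <-> canonical-name conversion for Active Directory.

Added example, not code from ms_active_directory. Standard library only.
The CN_PATHS table is a constructed stand-in for a directory lookup.
"""
from typing import Callable, List, Tuple

DN_SPECIAL = ',+"\\<>;'   # characters that need a backslash inside a DN value


def split_escaped(text: str, sep: str) -> List[str]:
    """Split on `sep`, treating a backslash as escaping the next character."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])        # keep the escape verbatim
            i += 2
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Drop the backslash of single-character escapes (hex pairs not handled)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def escape(value: str, special: str) -> str:
    return "".join("\\" + c if c in special else c for c in value)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (ATTR, unescaped value) pairs, leaf first. An empty RDN, the
    symptom of a stray trailing comma, is rejected instead of silently
    producing a malformed name."""
    pairs = []
    for rdn in split_escaped(dn, ","):
        attr, eq, value = rdn.strip().partition("=")
        if not eq or not attr.strip() or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().upper(), unescape(value)))
    return pairs


def dn_to_canonical(dn: str) -> str:
    pairs = parse_dn(dn)
    domain = ".".join(v for a, v in pairs if a == "DC")
    if not domain:
        raise ValueError("no DC components; cannot determine the domain")
    # Non-DC values, reversed so the path reads root -> leaf. A literal '/'
    # inside a component is written '\/', the convention Windows tools use.
    path = [escape(v, "/") for a, v in reversed(pairs) if a != "DC"]
    return "/".join([domain] + path)


def canonical_to_dn(canonical: str,
                    rdn_attr_of: Callable[[str, Tuple[str, ...]], str]) -> str:
    """Inverse mapping. rdn_attr_of(domain, path_prefix) must return 'OU' or
    'CN' for each component; in real use that answer comes from LDAP."""
    domain, _, rest = canonical.partition("/")
    components = [unescape(c) for c in split_escaped(rest, "/")] if rest else []
    rdns = []
    for depth in range(len(components), 0, -1):          # leaf first
        attr = rdn_attr_of(domain, tuple(components[:depth]))
        rdns.append(f"{attr}={escape(components[depth - 1], DN_SPECIAL)}")
    rdns += [f"DC={label}" for label in domain.split(".")]
    return ",".join(rdns)


# Constructed stand-in for the directory: paths that are CN objects;
# everything else is assumed to be an OU.
CN_PATHS = {("org-containers",), ("Staff", "Doe, Jane")}


def example_rdn_attr(domain: str, path: Tuple[str, ...]) -> str:
    return "CN" if path in CN_PATHS else "OU"


if __name__ == "__main__":
    dn = "OU=nested-org,OU=org,CN=org-containers,DC=example,DC=com"
    print(dn_to_canonical(dn))
    print(canonical_to_dn(dn_to_canonical(dn), example_rdn_attr))
```

The trailing-comma check in `parse_dn` is deliberate: a generated RDN with a stray comma would otherwise turn into an empty path component and fail only once it reached the server.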
There's also some minor performance enhancements. There's now an option to
skip validation that names exist in the domain for many lookup and
modification operations. This makes actions such as bulk addition of users to
groups or modifications of users/groups/computers more efficient when utilized,
as it removes all of the existence check queries. This is useful for those who
guarantee the existence of things externally; with validation skipped, a name
that does not exist is only caught when the server rejects the operation.
Published by zorn96 about 3 years ago
Added extended multi-domain support: the library now supports transferring an authenticated session from one AD domain to the domains it trusts.
Given an existing session and a trusted-domain object discovered from it, a
new session can be created against that trusted domain. Doing so carries over
all connection attributes, including authentication attributes, network
attributes/strategies, and formatting-related attributes, from the existing
session and tries to authenticate a new session with the trusted domain.
A session also has a function to create transferred sessions to all of its
trusted domains. This allows a caller to fan out from one session into
sessions with every domain it trusts. It could even be done recursively to get
sessions for all of the domains in the trust web that a user is trusted within;
since most trusts are bidirectional, such a walk has to remember which domains
it has already visited or it will loop. The trust direction decides whether a
transfer can succeed at all: the target domain must trust the domain that
issued the credentials.
Made a small enhancement to netbios name querying when subdomains
and parent domains exist.
Included minor README corrections.
Added a feature roadmap document to track plans for the library.
Published by zorn96 about 3 years ago
Added basic multi-domain support.
Added support for discovering trusted domains, of various types, and attributes about them such as whether the trust is transitive, whether it's bidirectional, whether SID filtering is in use, etc.
Added support for turning Active Directory domain trust objects into Active Directory domain objects.
Added a few more utility functions, like checking if a session's user is a member of the session's domain.
Beefed up type annotations.
Fixed a few small bugs around shared servers across sessions.
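An added example (not the library's code) covering both the trust discovery in this release and the session fan-out described in the release above it. It decodes the raw integer attributes of an AD trustedDomain object (trustDirection, trustType and trustAttributes, with the flag values from MS-ADTS) into the properties the release notes list, and then walks a trust web to list the domains a session could be transferred to. Direction is the key check: for a user of domain A to authenticate to domain B, B must trust A, which on A's own trust object for B is the INBOUND bit. The trust records are constructed. The walk is a simplified model of AD trust paths (within-forest trusts chain freely, a forest trust may be crossed once per path, external and realm trusts are a single hop from the home domain), so treat its result as the set of candidates worth attempting; the KDC has the final say.

```python
"""Decode AD trust objects and walk a trust web without looping.

Added example, not code from ms_active_directory. Flag values are from
MS-ADTS; the trust records are constructed; the path rules are a simplified
model of AD trust semantics.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

TRUST_DIRECTION_INBOUND = 0x1   # partner trusts the owner: owner's users can go there
TRUST_DIRECTION_OUTBOUND = 0x2  # owner trusts the partner
TRUST_TYPES = {1: "DOWNLEVEL", 2: "UPLEVEL", 3: "MIT", 4: "DCE"}
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",   # SID filtering in force
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",
    0x20: "WITHIN_FOREST",
    0x40: "TREAT_AS_EXTERNAL",
    0x80: "USES_RC4_ENCRYPTION",
}


@dataclass(frozen=True)
class Trust:
    owner: str        # domain whose directory holds the trustedDomain object
    partner: str      # trustPartner: DNS name of the other domain
    direction: int    # trustDirection
    trust_type: int   # trustType
    attributes: int   # trustAttributes


def describe(t: Trust) -> Dict[str, object]:
    return {
        "partner": t.partner,
        "type": TRUST_TYPES.get(t.trust_type, f"UNKNOWN({t.trust_type})"),
        "inbound": bool(t.direction & TRUST_DIRECTION_INBOUND),
        "outbound": bool(t.direction & TRUST_DIRECTION_OUTBOUND),
        "transitive": not t.attributes & 0x01,
        "sid_filtering": bool(t.attributes & 0x04),
        "flags": [n for bit, n in TRUST_ATTRIBUTES.items() if t.attributes & bit],
    }


def accepts_our_users(t: Trust) -> bool:
    """True if the partner would accept credentials issued by t.owner."""
    return bool(t.direction & TRUST_DIRECTION_INBOUND)


def reachable_domains(home: str, trusts_of: Dict[str, List[Trust]]) -> List[str]:
    """Breadth-first walk from `home`. The visited set is essential: most
    trusts are bidirectional, so naive recursion over partners never ends."""
    visited = {home}
    order: List[str] = []
    queue = deque([(home, False, True)])  # (domain, crossed a forest trust, may extend)
    while queue:
        domain, crossed, may_extend = queue.popleft()
        if not may_extend:
            continue
        for t in trusts_of.get(domain, []):
            if t.partner in visited or not accepts_our_users(t):
                continue
            if t.attributes & 0x20:                    # same forest: chain freely
                state = (crossed, True)
            elif t.attributes & 0x08 and not crossed:  # forest trust: once per path
                state = (True, True)
            elif domain == home:                       # external/realm: one hop, stop
                state = (True, False)
            else:
                continue
            visited.add(t.partner)
            order.append(t.partner)
            queue.append((t.partner, *state))
    return order


# Constructed trust web: corp.example.com is a forest root with child dev, a
# forest trust with partner.example, a SID-filtered external trust with
# legacy.local and a one-way trust to vendor.example (we trust them only).
_RAW = [  # (owner, partner, trustDirection, trustAttributes); trustType 2 = UPLEVEL
    ("corp.example.com", "dev.corp.example.com", 3, 0x20),
    ("corp.example.com", "partner.example", 3, 0x08),
    ("corp.example.com", "legacy.local", 3, 0x05),
    ("corp.example.com", "vendor.example", 2, 0x05),
    ("dev.corp.example.com", "corp.example.com", 3, 0x20),
    ("dev.corp.example.com", "lab.local", 3, 0x05),
    ("partner.example", "corp.example.com", 3, 0x08),
    ("partner.example", "eu.partner.example", 3, 0x20),
    ("partner.example", "other.example", 3, 0x08),
    ("legacy.local", "corp.example.com", 3, 0x05),
    ("legacy.local", "old.local", 3, 0x20),
]
TRUSTS: Dict[str, List[Trust]] = {}
for _o, _p, _d, _a in _RAW:
    TRUSTS.setdefault(_o, []).append(Trust(_o, _p, _d, 2, _a))

if __name__ == "__main__":
    for _t in TRUSTS["corp.example.com"]:
        print(describe(_t))
    print(reachable_domains("corp.example.com", TRUSTS))
```

From corp.example.com the walk yields dev, partner, legacy and eu.partner.example, but not vendor.example (no inbound direction), other.example (a second forest boundary) or old.local (behind a non-transitive trust). Starting instead from dev.corp.example.com, legacy.local drops out: an external trust held by the parent domain does not extend to the child.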
Published by zorn96 about 3 years ago
Changed the naming style for computer objects and added a lot of new computer functionality.
Renamed the ad_computers.py file to managed_ad_objects.py and renamed
ad_users_and_groups.py to ad_objects.py
Descendants of ADObject represent objects in AD that we've read and
may make modifications to, but that we did not create and cannot
act as.
ManagedADObject and its descendents are objects that we can act as,
and have a password defined for them at a minimum (and kerberos
keys can be generated for them too).
This rename is technically a breaking change, but the library only
has like 5 users so that's ok and we should pull the trigger sooner
rather than later.
A bunch of computer management functions have also been added.
The same style of functions that existed for users and groups now
exist for computers. Find by various names/attributes, find groups
for computers, modify attributes in various ways, etc.
The type annotations for functions that change passwords and similar
operations have been expanded to include the new ADComputer object type used
in these functions.
Also loosened how we accept authentication mechanisms when creating
sessions, in order to make it easier to use SASL authentication without
knowing whether something is a SASL mechanism or an authentication mechanism.
Published by zorn96 about 3 years ago
Added support for modifying attributes of users, groups, and objects.
Added support for:
Both append and overwrite will succeed at setting values for fields that currently have no value.
Append will atomically add more values to a multi-valued attribute and will fail to update a single-valued attribute that already has a value. The atomicity is done server-side, so there is no read and write-back. Whether duplicates are allowed and how values are validated depends on the attribute and server policies.
Overwrite will replace the current value(s) of both single- and multi-valued attributes, regardless of what they currently hold. Validation of the new value is still done server-side. These are the semantics of the LDAP modify operation's add and replace change types.
Published by zorn96 about 3 years ago
Added support for enabling and disabling accounts.
Many automated account de-provisioning systems will disable accounts before deleting them. This allows quick rollback in case of disruption by simply re-enabling the account.
This supports enabling/disabling both users and computers.
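An added example (not the library's code) of the de-provisioning pattern described here. Disabling an account sets bit 0x2 (ACCOUNTDISABLE) in userAccountControl; every other bit in that attribute says what kind of account it is (normal user, workstation trust account, delegation settings) and must survive, so the edit is a read-modify-write of the whole single-valued attribute, expressed here in the dict shape that ldap3's Connection.modify() accepts ('MODIFY_REPLACE' is the string value of ldap3.MODIFY_REPLACE). The point the example adds is the rollback: it restores the exact prior value, and an account that was already disabled gets neither a change nor a rollback, so undoing the de-provisioning can never enable something that was disabled for another reason. No server is contacted.

```python
"""Disable an AD account for de-provisioning, with an exact rollback.

Added example, not code from ms_active_directory. The payload shape is the
one ldap3's Connection.modify() takes; nothing here talks to a server.
"""
from typing import Dict, List, Optional, Tuple

ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

Change = Dict[str, List[Tuple[str, List[str]]]]


def decode_uac(value: int) -> List[str]:
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def is_disabled(value: int) -> bool:
    return bool(value & ACCOUNTDISABLE)


def replace_uac(value: int) -> Change:
    """Whole-attribute replace: userAccountControl is single-valued, so an
    append-style modify would be rejected once a value exists. LDAP carries
    integers as strings, hence str()."""
    return {"userAccountControl": [("MODIFY_REPLACE", [str(value)])]}


def plan_disable(current: int) -> Tuple[Optional[Change], Optional[Change]]:
    """Return (change to apply, change that undoes it); both None when the
    account is already disabled, so a rollback never enables an account we
    did not disable ourselves."""
    if is_disabled(current):
        return None, None
    return replace_uac(current | ACCOUNTDISABLE), replace_uac(current)


def plan_enable(current: int) -> Optional[Change]:
    """Clear only the disable bit; everything else in the attribute is kept."""
    if not is_disabled(current):
        return None
    return replace_uac(current & ~ACCOUNTDISABLE)


if __name__ == "__main__":
    user_uac = 0x200 | 0x10000          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    apply, undo = plan_disable(user_uac)
    print(decode_uac(user_uac), apply, undo)
    print(decode_uac(0x1002), plan_enable(0x1002))   # a disabled computer account
```

Because userAccountControl must be read before it is rewritten, two automations racing on the same account can clobber each other's bits; serialise such changes per account, or re-read and compare before applying the rollback.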
Published by zorn96 about 3 years ago
Added functionality to support joining an AD domain by taking over a pre-existing/pre-created computer account.
This can allow the permissions granted to the credentials used to join the domain to be greatly restricted.
Instead of general "create computers in this location" permissions, now joining is possible by just having permission to RESET PASSWORD on a single computer (or CHANGE PASSWORD if the current computer password is provided). This supports environments where the team joining machines to the domain is never supposed to create computers themselves, and just takes over ones provided by another team, and that other team sets up the services and hostnames and encryption types.
Published by zorn96 about 3 years ago
Added functionality for the following:
Published by zorn96 about 3 years ago
Fixed a bug related to looking up Kerberos and LDAP servers in DNS
Published by zorn96 about 3 years ago
Version 1.1.0 is here!
It includes 1 user-requested enhancement, and new user/group management functionality.
The user-requested enhancement is de-duplication of SRV records for LDAP/Kerberos servers that have the same hostname and port. These duplicate SRV records can get created due to a bug in AD when upgrading from older versions to 2016/2019, and this is recognized as a bug by Microsoft. Just in case domain admins don't remove the duplicate records, the library now removes them to improve efficiency and functionality.
There are features for looking up users and groups in a variety of ways and getting attributes about them, looking up the groups that users belong to or the groups that groups belong to, and adding/removing users and groups to/from other groups.
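An added example (not the library's code) that covers the SRV de-duplication described in this release and the local Kerberos client configuration introduced in 1.11.0. Active Directory publishes its KDCs as _kerberos._tcp.<domain> SRV records; the records below are constructed and include the duplicate host/port pair this release note describes. Duplicates are collapsed on (target, port), the survivors are ordered by RFC 2782 priority (lower first) then weight (higher first), and the result is rendered into the [realms] and [domain_realm] stanzas that MIT and Heimdal clients read. Nothing is written to disk.

```python
"""Pick KDCs from DNS SRV records and render a krb5.conf for an AD realm.

Added example, not code from ms_active_directory. SAMPLE_SRV is a
constructed DNS answer; the function only returns text.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str    # KDC hostname as published in DNS


def _key(r: SrvRecord) -> Tuple[str, int]:
    # DNS names are case-insensitive and may carry a trailing dot.
    return r.target.lower().rstrip("."), r.port


def dedupe_srv(records: List[SrvRecord]) -> List[SrvRecord]:
    """Keep one record per (host, port), preferring the better priority and
    weight, then sort so the preferred KDCs come first."""
    best: Dict[Tuple[str, int], SrvRecord] = {}
    for r in records:
        k = _key(r)
        if k not in best or (r.priority, -r.weight) < (best[k].priority, -best[k].weight):
            best[k] = r
    return sorted(best.values(), key=lambda r: (r.priority, -r.weight, _key(r)))


def krb5_conf(domain: str, kdcs: List[SrvRecord]) -> str:
    """Render a minimal krb5.conf. rdns = false stops the client from
    canonicalising KDC names through reverse DNS, a common source of
    'Server not found in Kerberos database' errors against AD."""
    realm = domain.upper()
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "    rdns = false",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    lines += [f"        kdc = {_key(r)[0]}:{r.port}" for r in kdcs]
    lines += [
        "    }",
        "",
        "[domain_realm]",
        f"    .{domain.lower()} = {realm}",
        f"    {domain.lower()} = {realm}",
        "",
    ]
    return "\n".join(lines)


# Constructed SRV answer for _kerberos._tcp.example.com, with dc1 listed twice.
SAMPLE_SRV = [
    SrvRecord(0, 100, 88, "dc1.example.com."),
    SrvRecord(10, 100, 88, "dc3.example.com."),
    SrvRecord(0, 100, 88, "DC1.example.com"),   # duplicate of the first entry
    SrvRecord(0, 50, 88, "dc2.example.com."),
]

if __name__ == "__main__":
    print(krb5_conf("example.com", dedupe_srv(SAMPLE_SRV)))
```

Listing the KDCs explicitly rather than relying on DNS lookup at runtime is what makes the de-duplication matter: every duplicate entry would otherwise be one more host the client retries on failure.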