CyberNinjas / pam_aad

Azure Active Directory PAM Module
GNU General Public License v3.0
55 stars 19 forks

User Provisioning Helper #22

Closed Jnchi closed 5 years ago

Jnchi commented 5 years ago
https://graph.windows.net/cyberninjas.com/users/

ad_data.value[i].mailNickname

References:

Jnchi commented 5 years ago

/etc/libnss-aad.conf

{
  "client": {
    "id": "1234abcd-1234-abcd-efgh-123456abcdef",
    "secret": "<url-encoded secret>"
  },
  "tenant": "<company>.onmicrosoft.com"
}
Jnchi commented 5 years ago

/etc/aad-config.json

{
    "tenant" : "<company>.onmicrosoft.com",
    "clientId" : "1234abcd-1234-abcd-efgh-123456abcdef",
    "clientSecret" : "secret="
}

/usr/local/bin/provision_users.py

#!/usr/bin/env python3
import json
import os
import subprocess
import sys

import adal
import requests

# The information inside such file can be obtained via app registration.
# See https://github.com/AzureAD/azure-activedirectory-library-for-python/wiki/Register-your-application-with-Azure-Active-Directory
#
# {
#    "tenant" : "rrandallaad1.onmicrosoft.com",
#    "authorityHostUrl" : "https://login.microsoftonline.com",
#    "clientId" : "624ac9bd-4c1c-4687-aec8-b56a8991cfb3",
#    "clientSecret" : "verySecret="
# }

config_file = (sys.argv[1] if len(sys.argv) == 2 else
               os.environ.get('AAD_CONFIG_FILE'))

if config_file:
    with open(config_file, 'r') as f:
        config_opts = json.load(f)
else:
    raise ValueError('Please provide config file with account information.')

context = adal.AuthenticationContext('https://login.microsoftonline.com/'
                                     + config_opts['tenant'], validate_authority=None)

# App-only (client credentials) token for the Azure AD Graph resource.
token = context.acquire_token_with_client_credentials('00000002-0000-0000-c000-000000000000',
                                                      config_opts['clientId'],
                                                      config_opts['clientSecret'])

headers = {"Authorization": "Bearer " + token['accessToken']}
base_url = 'https://graph.windows.net/' + config_opts['tenant'] + '/'
request = base_url + 'users'
payload = {"api-version": '1.6'}

# The listing is paged: follow odata.nextLink (tenant-relative in
# api-version 1.6) until it is absent, otherwise only the first page
# of users is ever provisioned.
users = []
while request:
    response = requests.get(request, headers=headers, params=payload)
    response.raise_for_status()
    page = response.json()
    users.extend(page['value'])
    next_link = page.get('odata.nextLink')
    if not next_link:
        request = None
    elif next_link.startswith('http'):
        request = next_link
    else:
        request = base_url + next_link

for user_name in users:
    nickname = user_name['mailNickname']
    # `id` exits non-zero when the account does not exist yet. No shell=True:
    # the name is passed as one argv element and is never shell-interpreted.
    exists = subprocess.run(["id", nickname], stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode == 0
    if not exists:
        # Every directory user gets a home directory and sudo group membership.
        subprocess.run(["useradd", "-mG", "sudo", nickname], check=True)

Modified from: https://github.com/AzureAD/azure-activedirectory-library-for-python

chmod +x /usr/local/bin/provision_users.py

(crontab -l 2>/dev/null; echo "0,30 * * * * /usr/local/bin/provision_users.py") | crontab -

Source: https://stackoverflow.com/questions/4880290/how-do-i-create-a-crontab-through-a-script

NOTE: Requires the Azure Active Directory Graph API permission Directory.Read.All, which requires Admin consent
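The provisioning helper above hands `mailNickname` straight to `useradd` and reads only the first page of the `/users` listing. Below is an added, self-contained example (not code from this issue or from pam_aad) that separates the two parts a practitioner would want to test offline: walking every page of a paged Graph response via `odata.nextLink`, and deciding which accounts to create with a user-name validation step, reserved-name check, and idempotence against accounts that already exist locally. The sample pages, the `RESERVED` set, the dot-to-dash normalisation and the `fake_fetch` stand-in for `requests.get(...).json()` are all constructed assumptions for the example.

```python
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample pages, shaped like an Azure AD Graph (api-version 1.6)
# /users response, trimmed to the fields the provisioning script uses.
SAMPLE_PAGES = [
    {
        "value": [{"mailNickname": "alice"}, {"mailNickname": "Bob.Smith"}],
        "odata.nextLink": "directoryObjects/$/Microsoft.DirectoryServices.User?$skiptoken=X'0001'",
    },
    {
        "value": [
            {"mailNickname": "root"},      # would shadow a system account
            {"mailNickname": "eve;id"},    # not a valid POSIX name
            {"mailNickname": "carol"},     # already exists locally in the demo
            {"mailNickname": "alice"},     # duplicate: must not be created twice
        ],
    },
]
# Offline stand-in for requests.get(...).json(): first page for None, then by link.
PAGE_BY_LINK = {None: SAMPLE_PAGES[0], SAMPLE_PAGES[0]["odata.nextLink"]: SAMPLE_PAGES[1]}

# What we are willing to pass to useradd: lower-case POSIX names, at most 32
# characters, no leading dash, nothing that collides with a system account.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
RESERVED = {"root", "daemon", "bin", "sys", "nobody", "sudo"}  # assumption: site policy


def normalise(nickname: str) -> str:
    """Map a mailNickname onto the Linux convention: lower-case, dots become dashes."""
    return nickname.strip().lower().replace(".", "-")


def collect_nicknames(fetch_page: Callable[[Optional[str]], Dict]) -> List[str]:
    """Follow odata.nextLink until the listing is exhausted.

    fetch_page(None) returns the first page; fetch_page(link) returns the page
    the previous response pointed at. Returns every mailNickname in order.
    """
    nicknames: List[str] = []
    link: Optional[str] = None
    while True:
        page = fetch_page(link)
        nicknames.extend(u["mailNickname"] for u in page.get("value", []))
        link = page.get("odata.nextLink")
        if not link:
            return nicknames


def plan_provisioning(nicknames: List[str], existing: Set[str]) -> Tuple[List[str], Dict[str, str]]:
    """Decide which accounts to create.

    Returns (to_create, rejected); rejected maps the raw nickname to the reason
    it was skipped. Names already in `existing` (or seen earlier in the same
    run) are silently skipped so the job is safe to run every 30 minutes.
    """
    to_create: List[str] = []
    rejected: Dict[str, str] = {}
    seen: Set[str] = set(existing)
    for raw in nicknames:
        name = normalise(raw)
        if not USERNAME_RE.match(name):
            rejected[raw] = "not a valid POSIX user name"
        elif name in RESERVED:
            rejected[raw] = "reserved system account"
        elif name in seen:
            continue
        else:
            seen.add(name)
            to_create.append(name)
    return to_create, rejected


def useradd_argv(name: str) -> List[str]:
    """argv for a subprocess call without shell=True; the name has passed
    USERNAME_RE, so it carries no shell metacharacters or leading dash."""
    return ["useradd", "-m", "-G", "sudo", name]


def fake_fetch(link: Optional[str]) -> Dict:
    return PAGE_BY_LINK[link]


if __name__ == "__main__":
    names = collect_nicknames(fake_fetch)
    create, skipped = plan_provisioning(names, existing={"carol"})
    for n in create:
        print(" ".join(useradd_argv(n)))
    for raw, why in skipped.items():
        print(f"skipped {raw!r}: {why}")
```

In a real run `fetch_page` would be a small wrapper around `requests.get` that carries the bearer token and `api-version` and prefixes a relative `odata.nextLink` with the tenant base URL, and `existing` would come from `pwd.getpwall()` rather than a literal set; the decision logic and its tests stay the same.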

Jnchi commented 5 years ago

libnss module rewritten from scratch and split out into its own repository (See: https://github.com/CyberNinjas/libnss_aad).