Fix #23
Seji64 committed Apr 17, 2024
1 parent 4c9fa50 commit d5b93e9
Showing 4 changed files with 24 additions and 43 deletions.
2 changes: 1 addition & 1 deletion src/Interfaces/ILDAPService.cs
Expand Up @@ -12,6 +12,6 @@ public interface ILdapService
Task<List<Domain>> GetDomainsAsync();
public Task<ADComputer?> GetADComputerAsync(string domainName, LdapCredential ldapCredential, string distinguishedName);
public Task<List<ADComputer>> SearchADComputersAsync(string domainName, LdapCredential ldapCredential, string query);
public Task<bool> ClearLapsPassword(string domainName, LdapCredential ldapCredential, string distinguishedName, LAPSVersion version, bool encrypted);
public Task<bool> ClearLapsPassword(string domainName, LdapCredential ldapCredential, string distinguishedName, LAPSVersion version);
}
}
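Review bot: The new `ClearLapsPassword` signature on the interface keeps a name that no longer matches what the implementation in this same commit does, which replaces the LAPS expiration-time attribute rather than deleting the password, and there is no doc comment telling callers that. It is also the only member here without the `Async` suffix its siblings `GetADComputerAsync` and `SearchADComputersAsync` carry, and the `public` modifier on an interface member is redundant. Add an XML summary above the method stating that it forces a rotation by setting the LAPS password expiration time to now, that the previous password stays readable in AD until the client rotates it, and that the returned `bool` is the LDAP modify result, which callers must check; a rename to `ClearLapsPasswordAsync` (or `ResetLapsPasswordExpirationAsync`) would be worth it if the one visible caller is the only one.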
4 changes: 1 addition & 3 deletions src/Pages/LAPS.razor.cs
Expand Up @@ -52,7 +52,6 @@ private async Task ClearLapsPassword(ADComputer computer)
if (_tab != null && computer.LAPSInformations != null)
{
LAPSVersion version = LAPSVersion.v1;
bool encrypted = false;

if (_tab.ActivePanel.ID.ToString() == "v1")
{
Expand All @@ -62,7 +61,6 @@ private async Task ClearLapsPassword(ADComputer computer)
if (_tab.ActivePanel.ID.ToString() == "v2")
{
version = LAPSVersion.v2;
encrypted = computer.LAPSInformations.Single(x => x.Version == LAPSVersion.v2 && x.IsCurrent).WasEncrypted;
}
var parameters = new DialogParameters { ["ContentText"] = $"Clear LAPS {version} Password on Computer '{computer.Name}' ?{Environment.NewLine}You have to invoke gpupdate /force on computer '{computer.Name}' in order so set a new LAPS password", ["CancelButtonText"] = "Cancel", ["ConfirmButtonText"] = "Clear", ["ConfirmButtonColor"] = Color.Error };
IDialogReference dialog = Dialog.Show<Confirmation>("Clear LAPS Password", parameters,new DialogOptions() { NoHeader = true });
Expand All @@ -72,7 +70,7 @@ private async Task ClearLapsPassword(ADComputer computer)
{
computer.LAPSInformations.Clear();
await InvokeAsync(StateHasChanged);
await LDAPService.ClearLapsPassword(DomainName ?? await sessionManager.GetDomainAsync(), LdapCredential ?? await sessionManager.GetLdapCredentialsAsync(), computer.DistinguishedName, version, encrypted);
await LDAPService.ClearLapsPassword(DomainName ?? await sessionManager.GetDomainAsync(), LdapCredential ?? await sessionManager.GetLdapCredentialsAsync(), computer.DistinguishedName, version);
Snackbar.Add($"LAPS {version} Password for computer '{computer.Name}' successfully cleared! - Please invoke gpupdate on {computer.Name} to set a new LAPS Password", Severity.Success);
}
}
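Review bot: The `bool` returned by `LDAPService.ClearLapsPassword` is discarded on the new call line and the success snackbar right after it is shown unconditionally, so a failed modify (the service returns `response.ResultCode == ResultCode.Success`) is reported as success; and because `computer.LAPSInformations.Clear()` plus `StateHasChanged` already ran before the LDAP call, the UI shows the password gone while it is still stored in AD. Check the result first and clear local state only on success: `if (!await LDAPService.ClearLapsPassword(DomainName ?? await sessionManager.GetDomainAsync(), LdapCredential ?? await sessionManager.GetLdapCredentialsAsync(), computer.DistinguishedName, version)) { Snackbar.Add($"Failed to reset LAPS {version} password expiration for '{computer.Name}'", Severity.Error); return; }` followed by `computer.LAPSInformations.Clear();`. The dialog and snackbar wording ("Clear", "successfully cleared") now overstates the effect, since the commit only moves the expiration time to now so the client rotates on its next policy refresh, and "in order so set" should read "in order to set". For Windows LAPS (v2) the rotation is presumably driven by the LAPS background task rather than Group Policy processing, so telling the admin that `gpupdate /force` is sufficient may be wrong for that tab; worth confirming. The enclosing `ClearLapsPassword(ADComputer computer)` method starts before this hunk.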
8 changes: 7 additions & 1 deletion src/Properties/launchSettings.json
Expand Up @@ -18,7 +18,13 @@
"commandName": "Project",
"launchBrowser": true,
"environmentVariables": {
"ASPNETCORE_ENVIRONMENT": "Development"
"ASPNETCORE_ENVIRONMENT": "Development",
"Domains__0__Name": "prime.k-sys.io",
"Domains__0__Ldap__Server": "ldap.prime.k-sys.io",
"Domains__0__Ldap__Port": "636",
"Domains__0__Ldap__UseSSL": "true",
"Domains__0__Ldap__SearchBase": "OU=Klett IT GmbH,DC=prime,DC=k-sys,DC=io",
" Domains__0__Ldap__TrustAllCertificates": "true"
},
"applicationUrl": "https://localhost:7213;http://localhost:5213",
"dotnetRunMessages": true
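Review bot: The last added key is written as `" Domains__0__Ldap__TrustAllCertificates"` with a leading space, so the environment variable name will not map to the configuration path `Domains:0:Ldap:TrustAllCertificates` and the setting is silently ignored; fix the spelling or, better, drop the line, because `TrustAllCertificates: "true"` disables certificate validation on the LDAPS connection to port 636 and leaves `UseSSL` providing an unauthenticated TLS session that anyone on the path can intercept along with the bound credentials and the LAPS passwords it returns. launchSettings.json is normally committed, and `prime.k-sys.io` and `OU=Klett IT GmbH,DC=prime,DC=k-sys,DC=io` look like a real internal environment rather than placeholders, so this hunk publishes directory-layout details in the repository history; prefer placeholder values here and keep real ones in user secrets or a local, git-ignored profile. If the development LDAP server uses a private CA and the app offers a way to trust that CA specifically, that is the safe alternative to trusting every certificate.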
53 changes: 15 additions & 38 deletions src/Services/LDAPService.cs
Expand Up @@ -3,12 +3,9 @@
using LAPS_WebUI.Interfaces;
using LAPS_WebUI.Models;
using LdapForNet;
using LdapForNet.Native;
using Microsoft.Extensions.Options;
using Serilog;
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Text;
using System.Text.Json;
using static LdapForNet.Native.Native;
Expand Down Expand Up @@ -89,58 +86,38 @@ public async Task<bool> TestCredentialsAsync(string domainName, LdapCredential l
}
}

public async Task<bool> ClearLapsPassword(string domainName, LdapCredential ldapCredential, string distinguishedName, LAPSVersion version, bool encrypted)
public async Task<bool> ClearLapsPassword(string domainName, LdapCredential ldapCredential, string distinguishedName, LAPSVersion version)
{
Domain? domain = _Domains.Value.SingleOrDefault(x => x.Name == domainName) ?? throw new Exception($"No configured domain found with name {domainName}");

if (ldapCredential is null)
{
throw new Exception("Failed to get LDAP Credentials");
}
using LdapConnection? ldapConnection = await CreateBindAsync(domainName, ldapCredential.UserName, ldapCredential.Password) ?? throw new Exception("LDAP bind failed!");

string? defaultNamingContext = domain.Ldap.SearchBase;
string attribute = string.Empty;

if (version == LAPSVersion.v1)
{
attribute = "ms-Mcs-AdmPwd";
attribute = "ms-Mcs-AdmPwdExpirationTime";
}

if (version == LAPSVersion.v2)
{
attribute = encrypted ? "msLAPS-EncryptedPassword" : "msLAPS-Password";
attribute = "msLAPS-PasswordExpirationTime";
}

var ldapSearchResult = (await ldapConnection.SearchAsync(defaultNamingContext, $"(&(objectCategory=computer)(distinguishedName={distinguishedName}))", [attribute], LdapSearchScope.LDAP_SCOPE_SUB)).SingleOrDefault();

if (ldapSearchResult != null)
var resetRequest = new DirectoryModificationAttribute
{
var resetRequest = new DirectoryModificationAttribute
{
LdapModOperation = LdapModOperation.LDAP_MOD_DELETE,
Name = attribute
};

if (version == LAPSVersion.v1 || !encrypted)
{
resetRequest.Add(ldapSearchResult.DirectoryAttributes[attribute].GetValues<string>().First().ToString());
}
else
{
resetRequest.Add(ldapSearchResult.DirectoryAttributes[attribute].GetValues<byte[]>().First().ToArray());
}
LdapModOperation = LdapModOperation.LDAP_MOD_REPLACE,
Name = attribute
};

var response = (ModifyResponse)await ldapConnection.SendRequestAsync(new ModifyRequest(distinguishedName, resetRequest));
resetRequest.Add(DateTime.Now.ToFileTimeUtc().ToString());

return response.ResultCode == ResultCode.Success;
}
else
{
throw new Exception($"AD Computer with DN '{distinguishedName}' could not be found");
}
var response = (ModifyResponse)await ldapConnection.SendRequestAsync(new ModifyRequest(distinguishedName, resetRequest));


return response.ResultCode == ResultCode.Success;
}

public async Task<ADComputer?> GetADComputerAsync(string domainName, LdapCredential ldapCredential, string distinguishedName)
Expand Down Expand Up @@ -181,7 +158,7 @@ public async Task<bool> ClearLapsPassword(string domainName, LdapCredential ldap
Version = LAPSVersion.v1,
Account = null,
Password = ldapSearchResult.DirectoryAttributes["ms-Mcs-AdmPwd"].GetValues<string>().First().ToString(),
PasswordExpireDate = DateTime.FromFileTimeUtc(Convert.ToInt64(ldapSearchResult.DirectoryAttributes["ms-Mcs-AdmPwdExpirationTime"].GetValues<string>().First().ToString())),
PasswordExpireDate = DateTime.FromFileTimeUtc(Convert.ToInt64(ldapSearchResult.DirectoryAttributes["ms-Mcs-AdmPwdExpirationTime"].GetValues<string>().First().ToString())).ToLocalTime(),
IsCurrent = true,
PasswordSetDate = null
};
Expand Down Expand Up @@ -219,10 +196,10 @@ public async Task<bool> ClearLapsPassword(string domainName, LdapCredential ldap
Account = msLAPS_Payload.ManagedAccountName,
Password = msLAPS_Payload.Password,
WasEncrypted = !domain.Laps.EncryptionDisabled,
PasswordExpireDate = DateTime.FromFileTimeUtc(Convert.ToInt64(ldapSearchResult.DirectoryAttributes["msLAPS-PasswordExpirationTime"].GetValues<string>().First().ToString())),
PasswordExpireDate = DateTime.FromFileTimeUtc(Convert.ToInt64(ldapSearchResult.DirectoryAttributes["msLAPS-PasswordExpirationTime"].GetValues<string>().First().ToString())).ToLocalTime(),
IsCurrent = true,
PasswordSetDate = DateTime.FromFileTimeUtc(Int64.Parse(msLAPS_Payload.PasswordUpdateTime!, System.Globalization.NumberStyles.HexNumber))
PasswordSetDate = DateTime.FromFileTimeUtc(Int64.Parse(msLAPS_Payload.PasswordUpdateTime!, System.Globalization.NumberStyles.HexNumber)).ToLocalTime()

};

ADComputer.LAPSInformations.Add(lapsInformationEntry);
Expand All @@ -245,7 +222,7 @@ public async Task<bool> ClearLapsPassword(string domainName, LdapCredential ldap
Account = historic_msLAPS_Payload.ManagedAccountName,
Password = historic_msLAPS_Payload.Password,
PasswordExpireDate = null,
PasswordSetDate = DateTime.FromFileTimeUtc(Int64.Parse(historic_msLAPS_Payload.PasswordUpdateTime!, System.Globalization.NumberStyles.HexNumber))
PasswordSetDate = DateTime.FromFileTimeUtc(Int64.Parse(historic_msLAPS_Payload.PasswordUpdateTime!, System.Globalization.NumberStyles.HexNumber)).ToLocalTime()
};

ADComputer.LAPSInformations.Add(historicLapsInformationEntry);
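Review bot: With the search removed from `ClearLapsPassword`, `string? defaultNamingContext = domain.Ldap.SearchBase;` is now an unused local, and the `(objectCategory=computer)` filter that previously confirmed the DN was an existing computer before anything was modified is gone, so the method now issues a replace against whatever DN it is handed and relies solely on the server's ACLs and the `ResultCode` check; a cheap existence check or a comment saying that is intentional would help the next reader. `DateTime.Now.ToFileTimeUtc()` gives the right value since `ToFileTimeUtc` converts a local-kind `DateTime`, but `DateTime.UtcNow.ToFileTimeUtc()` says what is meant without the round trip. The method deserves a doc comment making clear that it does not delete `ms-Mcs-AdmPwd` or `msLAPS-Password`: it sets the expiration-time attribute to now to force the client to rotate, the current password stays readable in AD until that happens, and a `false` return means the `ModifyResponse` result code was not `Success`. If `LAPSVersion` ever gains a member other than v1/v2, `attribute` stays empty and the replace is sent with an empty attribute name, so a trailing `default: throw new ArgumentOutOfRangeException(nameof(version));` (or a switch expression over the version) would be a cheap guard.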
