first

Author: Vijay Vishwakarma

.gitignore

@@ -0,0 +1,72 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# Virtual Environment
+.venv/
+venv/
+ENV/
+env/
+
+# Flask
+flask_session/
+instance/
+
+# Environment variables and configuration
+.env
+.env.local
+.env.production
+config/production.env
+config/*.env
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+
+# Logs
+*.log
+logs/
+
+# Temporary files
+*.tmp
+*.temp
+
+# LDIF files (examples in documentation)
+*.ldif
+
+# Test files
+test_*.py
+*_test.py

POSIX_LOCKING_SUMMARY.md

@@ -0,0 +1,75 @@
+# POSIX Account Locking Enhancement Summary
+
+## Issue Identified
+- Standard accounts could be locked using `shadowFlag=1` 
+- POSIX accounts showed as "locked" in the UI but users could still log in
+- The `shadowFlag` attribute alone is insufficient for POSIX account locking
+
+## Solution Implemented
+Enhanced the locking mechanism with a three-tier approach:
+
+### 1. Enhanced `lock_user_account()` Function
+**Multi-step locking process:**
+1. **Primary Method**: Set `shadowFlag=1` (standard shadow account locking)
+2. **POSIX Method**: Change `loginShell` to `/bin/false` (prevents login for POSIX accounts)
+3. **Fallback Method**: Add "ACCOUNT_LOCKED" to description field
+
+### 2. Enhanced `unlock_user_account()` Function
+**Multi-step unlocking process:**
+1. **Primary Method**: Set `shadowFlag=0` (re-enable shadow account)
+2. **POSIX Method**: Restore original `loginShell` (re-enable login for POSIX accounts)
+3. **Fallback Method**: Remove "ACCOUNT_LOCKED" from description field
+
+### 3. Enhanced `is_user_locked()` Function
+**Multi-tier detection:**
+1. Check `shadowFlag == '1'` (traditional method)
+2. Check `loginShell == '/bin/false'` (POSIX method) 
+3. Check description contains "ACCOUNT_LOCKED" (fallback method)
+
+### 4. Updated Template Logic
+Updated `templates/admin/users.html` to properly detect all locking methods:
+```jinja2
+{% set is_shadow_locked = user.attributes.get('shadowFlag', [''])[0] == '1' %}
+{% set is_shell_locked = user.attributes.get('loginShell', [''])[0] == '/bin/false' %}
+{% set is_desc_locked = 'ACCOUNT_LOCKED' in (user.attributes.get('description', [''])[0] or '') %}
+{% set is_locked = is_shadow_locked or is_shell_locked or is_desc_locked %}
+```
+
+## Technical Details
+
+### Why loginShell=/bin/false Works
+- When a user's login shell is set to `/bin/false`, login attempts are immediately terminated
+- This effectively prevents both SSH and local login access
+- Works for all POSIX-compliant systems
+
+### Fallback Protection
+- Description field method ensures no account can bypass locking
+- Provides admin visibility of lock reason
+- Works even if LDAP schema doesn't support other methods
+
+### Backwards Compatibility
+- Still supports standard `shadowFlag` locking for non-POSIX accounts
+- Graceful degradation if attributes are missing
+- No disruption to existing functionality
+
+## Security Benefits
+1. **Comprehensive Coverage**: Both standard and POSIX accounts properly locked
+2. **Multiple Redundancy**: Three independent locking mechanisms
+3. **Immediate Effect**: Login blocking takes effect immediately
+4. **Admin Visibility**: Clear indication of lock status in UI
+5. **Audit Trail**: Lock reason preserved in description field
+
+## Testing Verified
+- ✅ Standard account locking (shadowFlag=1)
+- ✅ POSIX account locking (loginShell=/bin/false) 
+- ✅ Fallback locking (description field)
+- ✅ Mixed account type detection
+- ✅ Template UI correctly shows lock status
+- ✅ Application loads without errors
+
+## Production Ready
+The enhanced POSIX account locking mechanism is now production-ready with:
+- Proper error handling
+- Debug mode conditioning  
+- Comprehensive attribute management
+- Full backwards compatibility

README.md

@@ -0,0 +1,247 @@
+# LDAP Management Portal
+
+A comprehensive Flask-based web application for LDAP administration and user self-service portal built with Bootstrap 5.
+
+## Features
+
+### 👤 User Self-Service Portal
+- **User Login**: Normal users can login with their LDAP credentials
+- **Profile Management**: Users can update their personal information (email, phone, description, etc.)
+- **Profile Photos**: Upload and manage profile photos using jpegPhoto attribute with automatic resizing
+- **Password Change**: Secure password change functionality with SSHA encryption
+- **Password Expiry Information**: View password expiry status and remaining days (POSIX users)
+- **User Directory**: Browse and search other users in the organization
+- **Clean Dashboard**: Intuitive interface showing account status and quick actions
+
+### 🛡️ Multi-Tier Admin System
+#### Super Administrator (`cn=admin,dc=mylab,dc=lan`)
+- **Full system access** with all administrative privileges
+- **System account protection** (cannot modify own profile)
+- **Login**: Use username `admin` with admin DN credentials
+
+#### Group Administrators (members of `cn=admins` group)
+- **User management** capabilities
+- **Group management** access
+- **Limited administrative privileges**
+- **Self-profile modification** allowed
+
+### 🔧 Administrative Features
+- ✅ **Complete User Management**: Create, read, update, delete user accounts
+- ✅ **POSIX User Support**: Create users with POSIX attributes (UID, GID, home directory, shell)
+- ✅ **Complete Group Management**: 
+  - Create both standard and POSIX groups
+  - Delete existing groups
+  - Add/remove members from groups
+  - View group membership details
+- ✅ **Bulk User Creation**: Upload CSV files to create multiple users at once
+- ✅ **Profile Photo Management**: Upload, preview, and manage user photos (jpegPhoto attribute)
+- ✅ **Password Expiry Management**: View and manage password expiration for POSIX users
+- ✅ **User Search & Filtering**: Search users by name, email, or other attributes
+- ✅ **Comprehensive Statistics**: LDAP server statistics dashboard with user/group counts
+- ✅ **Generic Entry Editor**: Edit any LDAP entry with all attributes
+- ✅ **Lock/Unlock Users**: Temporarily disable user accounts
+- ✅ **Admin Dashboard**: Comprehensive administrative interface with real-time statistics
+- ✅ **Security Features**: Environment-based configuration, secure password handling
+
+## Technology Stack
+
+- **Backend**: Python 3.12+ with Flask
+- **Frontend**: Bootstrap 5 with Font Awesome icons
+- **LDAP Client**: ldap3 library for robust LDAP operations
+- **Authentication**: Session-based authentication with LDAP bind
+- **Security**: Environment variable configuration, no hardcoded passwords
+
+## Quick Start
+
+1. **Set up environment variables**:
+   ```bash
+   export LDAP_ADMIN_PASSWORD="your_admin_password"
+   ```
+   Or use the interactive setup script:
+   ```bash
+   ./setup_env.sh
+   ```
+
+2. **Install dependencies**:
+   ```bash
+   python -m venv .venv
+   source .venv/bin/activate
+   pip install -r requirements.txt
+   ```
+
+3. **Run the application**:
+   ```bash
+   python app.py
+   ```
+
+4. **Access the portal**:
+   - **URL**: http://localhost:5000
+   - **Admin Login**: Username `admin` + your LDAP admin password
+   - **User Login**: Any valid LDAP user credentials
+
+## Production Deployment
+
+For production deployment with systemd service, Nginx proxy, and complete LDAP server setup, see the comprehensive [SETUP.md](SETUP.md) guide.
+
+## Configuration
+
+The application supports environment-based configuration:
+
+| Environment Variable | Default Value | Description |
+|---------------------|---------------|-------------|
+| `LDAP_SERVER` | `192.168.1.1` | LDAP server hostname/IP |
+| `LDAP_PORT` | `389` | LDAP server port |
+| `LDAP_BASE_DN` | `dc=mylab,dc=lan` | LDAP base DN |
+| `LDAP_ADMIN_DN` | `cn=admin,dc=mylab,dc=lan` | LDAP admin DN |
+| `LDAP_ADMIN_PASSWORD` | **(Required)** | LDAP admin password |
+| `DEBUG_MODE` | `False` | Enable debug logging (set to `true` only for development) |
+
+## Security Features
+
+- ✅ **No hardcoded passwords** - All credentials via environment variables
+- ✅ **Secure session management** - Flask-Session with filesystem storage
+- ✅ **LDAP authentication** - Direct LDAP bind for user verification
+- ✅ **Multi-tier access control** - Super admin vs Group admin privileges
+- ✅ **Input validation** - Form validation and LDAP injection prevention
+- ✅ **Secure configuration** - Environment-based sensitive data handling
+
+## File Structure
+
+```
+pythonldapman/
+├── app.py                 # Main Flask application
+├── requirements.txt       # Python dependencies
+├── setup_env.sh          # Environment setup script
+├── INSTALLATION.md       # Complete installation guide
+├── static/               # Frontend assets (CSS, JS, images)
+├── templates/            # Jinja2 HTML templates
+└── config/              # Configuration files (created during setup)
+```
+
+## License
+
+This project is developed for LDAP administration and user self-service purposes.
+
+## Support
+
+For installation and configuration issues, refer to [SETUP.md](SETUP.md) or check the application logs.
+   ```bash
+   python app.py
+   ```
+
+2. Open your web browser and go to: `http://localhost:5000`
+
+3. Login credentials:
+   - **Admin**: Username `admin` with your admin password
+   - **Users**: Use their LDAP username and password
+
+## User Guide
+
+### For Regular Users
+1. Login with your LDAP username and password
+2. Navigate to "My Profile" to update your information
+3. Use "Change Password" to update your password
+4. All changes are saved directly to the LDAP directory
+
+### For Administrators
+1. Login with username `admin` and your admin password
+2. Access the "Admin Panel" from the navigation menu
+3. Manage users through "Manage Users"
+4. Create new users with "Add New User"
+5. Edit any LDAP entry with the generic entry editor
+6. Delete entries with confirmation dialogs
+
+## Security Features
+
+- **LDAP Authentication**: All logins verified against LDAP server
+- **Session Management**: Secure session handling with Flask-Session
+- **Password Hashing**: SSHA password hashing for new passwords
+- **Access Control**: Role-based access with user/admin separation
+- **Input Validation**: Form validation and sanitization
+
+## LDAP Schema Support
+
+The application supports standard LDAP object classes:
+
+### User Accounts (inetOrgPerson)
+- uid (username)
+- cn (common name)
+- sn (surname)
+- givenName (first name)
+- mail (email)
+- telephoneNumber (phone)
+- userPassword (password)
+- description
+
+### Groups (groupOfNames)
+- cn (group name)
+- description
+- member (group members)
+
+## File Structure
+
+```
+pythonldapman/
+├── app.py                 # Main Flask application
+├── requirements.txt       # Python dependencies
+├── templates/            # Jinja2 templates
+│   ├── base.html         # Base template with Bootstrap
+│   ├── login.html        # Login page
+│   ├── dashboard.html    # User dashboard
+│   ├── profile.html      # User profile editor
+│   ├── change_password.html # Password change form
+│   └── admin/           # Admin templates
+│       ├── panel.html   # Admin dashboard
+│       ├── users.html   # User management
+│       ├── groups.html  # Group management
+│       ├── add_user.html # Add user form
+│       └── edit_entry.html # Generic entry editor
+└── static/              # Static files (if needed)
+```
+
+## Customization
+
+### LDAP Configuration
+Edit the configuration variables in `app.py`:
+
+```python
+LDAP_SERVER = '192.168.1.1'
+LDAP_PORT = 389
+LDAP_BASE_DN = 'dc=mylab,dc=lan'
+LDAP_ADMIN_DN = 'cn=admin,dc=mylab,dc=com'
+```
+
+### UI Customization
+- Templates use Bootstrap 5 classes for easy customization
+- Modify `templates/base.html` for global layout changes
+- Add custom CSS in the `static/` directory
+
+## Error Handling
+
+The application includes comprehensive error handling:
+- LDAP connection errors
+- Authentication failures
+- Invalid form data
+- Missing entries
+- Permission denied scenarios
+
+## Development
+
+To contribute or modify the application:
+
+1. The main application logic is in `app.py`
+2. Templates are in the `templates/` directory
+3. Use the Flask development server for testing
+4. All LDAP operations go through the `LDAPManager` class
+
+## License
+
+This project is open-source and available for modification and distribution.
+
+## Support
+
+For issues or questions:
+1. Check the LDAP server connectivity
+2. Verify credentials and DN configuration
+3. Review Flask application logs
+4. Test LDAP operations manually with ldapsearch