tis-laps icon

LAPS

Silent install package for LAPS

1-0
Security
Security
Luti Build VirusTotal

  • package: tis-laps
  • name: LAPS
  • version: 1-0
  • categories: Security
  • maintainer: WAPT Team,Tranquil IT
  • locale: all
  • target_os: linux,macos
  • architecture: all
  • signature_date:
  • size: 6.78 Ko

package           : tis-laps
version           : 1-0
architecture      : all
section           : base
priority          : optional
name              : LAPS
categories        : Security
maintainer        : WAPT Team,Tranquil IT
description       : Local Administrator Password Solution (LAPS) for clients (CSE)
depends           : 
conflicts         : 
maturity          : PROD
locale            : all
target_os         : linux,macos
min_wapt_version  : 2.0
sources           : 
installed_size    : 
impacted_process  : 
description_fr    : Solution de mot de passe pour administrateur local (LAPS) pour les clients (CSE)
description_pl    : Local Administrator Password Solution (LAPS) dla klientów (CSE)
description_de    : Lokale Administrator-Passwort-Lösung (LAPS) für Clients (CSE)
description_es    : Solución de contraseña de administrador local (LAPS) para clientes (CSE)
description_pt    : Solução de Senha de Administrador Local (LAPS) para clientes (CSE)
description_it    : Soluzione per la password dell’amministratore locale (LAPS) per i client (CSE)
description_nl    : Oplossing voor wachtwoorden voor lokale beheerders (LAPS) voor cliënten (CSE)
description_ru    : Решение для паролей локального администратора (LAPS) для клиентов (CSE)
audit_schedule    : 
editor            : 
keywords          : 
licence           : 
homepage          : 
package_uuid      : 84c7f9b1-f841-4001-a551-39e50b092729
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 
max_os_version    : 
icon_sha256sum    : 19679fbbaf7e1b6630e722c5a99e9b7d270aa39ebacbe6ef568257fab346db09
signer            : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date    : 2026-03-22T17:12:58.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature         : LdAEcN34v6zvGfVfDiK5M4ucrrgFtVBDxxMyLzrx6TIjWap17/Mh5bOtMxfKWE1VpWRt8I6/YOM0JAzYdOKyVRySsAHUU0AB6/zOLVCAG3GOPIGvoJ3wfI/IwocosomxeeVARzz2DOzXQPjjtRQ4uCp7z1mha3eWGP7NUUvXVnM7psFduUh+LDRhuN1Pao5KKHmdYywmBDCTirRjeXk3qCkc+igq+S3czD5kXTGcI4bL+Vd5HHf3vTgq9Kq0jsstrwREnPagMithWvH1Ie44ONisepdTVaVi3p7eoWqryhIQtInYx6cRXfucH24wFlOXTzaICJBENllAuSJ+YUA7eQ==

from setuphelpers import *
from waptutils import get_hostname_and_domain
from datetime import datetime, timedelta, timezone
import json
import pyldap
import string
import random
import time

users_to_change = 'root'
expiration_days = 30

def install():
    pass

def audit():
    if params.get("install_with_luti", False):
        return "OK"
        
    hostname_from_keytab, domain_from_keytab = get_hostname_and_domain()
    print('hostname_from_keytab:', hostname_from_keytab)
    print('domain_from_keytab:', domain_from_keytab)

    if not hostname_from_keytab.endswith('$'):
        hostname_from_keytab = hostname_from_keytab + '$'

    c = pyldap.PyLdapClient(domain_name=domain_from_keytab)
    r = c.bind_sasl_kerberos()
    if not r[0]:
        print('Kerberos bind failed')
        return "ERROR"

    ldap_filter = '(samaccountname=%s)' % hostname_from_keytab
    ldap_result = c.search_first(
        c.root_dn(),
        ldap_filter,
        ['msLAPS-PasswordExpirationTime'],
    )

    if not ldap_result:
        print('Computer object not found:', hostname_from_keytab)
        return "ERROR"

    expire = get_attribute_value(ldap_result, 'msLAPS-PasswordExpirationTime')
    print('current_expire_raw:', expire)

    is_expire = False

    if not expire:
        is_expire = True
        print('No expiration found, password considered expired')
    else:
        expiration = from_windows_filetime(int(expire))
        print('current_expire_dt_utc:', expiration.isoformat())
        is_expire = datetime.now(timezone.utc) >= expiration

    if not is_expire:
        print('not expire')
        return "OK"

    randompassword = password_generator(size=20, chars=string.ascii_letters + string.digits)

    laps_timestamp_hex = hex(int((time.time() + 11644473600) * 10_000_000))[2:]
    laps_payload = json.dumps({
        "n": users_to_change,
        "t": laps_timestamp_hex,
        "p": randompassword
    })

    print('Updating msLAPS-Password')
    if not c.modify(
        ldap_result.object_name,
        pyldap.lmoReplace,
        pyldap.PyLdapAttribute('msLAPS-Password', [laps_payload], 0)
    ):
        print('Failed to update msLAPS-Password')
        return "ERROR"

    print('Updating local unix password')


    if platform.system() == 'Linux':
        run(r'usermod --password $(echo %s | openssl passwd -1 -stdin) %s' % (
            randompassword,
            users_to_change
        ))

    elif platform.system() == 'Darwin':
        run(r"dscl . -passwd /Users/%s '%s'" % (
            randompassword,
            users_to_change
        ))
    else:
        error('Platform is %s' % platform.system())

    new_expire = str(laps_expiration_from_now(days=expiration_days))
    print('new_expire_raw:', new_expire)
    print('new_expire_dt_utc:', from_windows_filetime(int(new_expire)).isoformat())

    print('Updating msLAPS-PasswordExpirationTime')
    if not c.modify(
        ldap_result.object_name,
        pyldap.lmoReplace,
        pyldap.PyLdapAttribute('msLAPS-PasswordExpirationTime', [new_expire], 0)
    ):
        print('Failed to update msLAPS-PasswordExpirationTime')
        return "ERROR"

    return "OK"


def password_generator(size=20, chars=string.ascii_letters + string.digits):
    return "".join(random.choice(chars) for _ in range(size))

def to_windows_filetime(dt: datetime) -> int:
    dt_utc = dt.astimezone(timezone.utc)
    return int((dt_utc.timestamp() + 11644473600) * 10_000_000)

def from_windows_filetime(value: int) -> datetime:
    return datetime.fromtimestamp(
        (value - 116444736000000000) / 10_000_000,
        tz=timezone.utc,
    )

def laps_expiration_from_now(days=0, hours=0, minutes=0, seconds=0) -> int:
    target = datetime.now(timezone.utc) + timedelta(
        days=days,
        hours=hours,
        minutes=minutes,
        seconds=seconds,
    )
    return to_windows_filetime(target)

def get_attribute_value(search_result, attr_name):
    if not search_result:
        return ''

    for attr in search_result.object_attributes:
        if attr.name == attr_name:
            for value in attr.values:
                return value
    return ''

38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
a18976a34f2406912656f1cb91dcaf0e2108be6af6cc46890063d78bd268156b : WAPT/control
19679fbbaf7e1b6630e722c5a99e9b7d270aa39ebacbe6ef568257fab346db09 : WAPT/icon.png
f7a66da98036f15160bdaa5d594af055e2fa2a5bb6115999292ff3c7b92f9387 : luti.json
f22d6b8f48013a31be86d87169b23f183613c12439f2074ea0be5e6cafa63519 : setup.py