tis-laps icon

LAPS

Silent install package for LAPS

3-0
Security
Security
Luti Build VirusTotal

  • package: tis-laps
  • name: LAPS
  • version: 3-0
  • categories: Security
  • maintainer: WAPT Team,Tranquil IT
  • locale: all
  • target_os: linux,macos
  • architecture: all
  • signature_date:
  • size: 6.79 Ko

package           : tis-laps
version           : 3-0
architecture      : all
section           : base
priority          : optional
name              : LAPS
categories        : Security
maintainer        : WAPT Team,Tranquil IT
description       : Local Administrator Password Solution (LAPS) for clients (CSE)
depends           : 
conflicts         : 
maturity          : PROD
locale            : all
target_os         : linux,macos
min_wapt_version  : 2.0
sources           : 
installed_size    : 
impacted_process  : 
description_fr    : Solution de mot de passe pour administrateur local (LAPS) pour les clients (CSE)
description_pl    : Local Administrator Password Solution (LAPS) dla klientów (CSE)
description_de    : Lokale Administrator-Passwort-Lösung (LAPS) für Clients (CSE)
description_es    : Solución de contraseña de administrador local (LAPS) para clientes (CSE)
description_pt    : Solução de Senha de Administrador Local (LAPS) para clientes (CSE)
description_it    : Soluzione per la password dell’amministratore locale (LAPS) per i client (CSE)
description_nl    : Oplossing voor wachtwoorden voor lokale beheerders (LAPS) voor cliënten (CSE)
description_ru    : Решение для паролей локального администратора (LAPS) для клиентов (CSE)
audit_schedule    : 
editor            : 
keywords          : 
licence           : 
homepage          : 
package_uuid      : d8511912-1a02-4961-99a4-f700a84b6583
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 
max_os_version    : 
icon_sha256sum    : 19679fbbaf7e1b6630e722c5a99e9b7d270aa39ebacbe6ef568257fab346db09
signer            : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date    : 2026-03-23T18:41:48.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature         : B6iWb46kmitYFqKjleykPtWSW4M8GLPLGKvtWZeN0IdN+jE3FuRVHC+RrhOYDvsvnZAxnecpSyy2IVYs3t3pI+nJv9BY+tXnDE034A79XzKLSa7XgsPkjRPfMN1v6mqdLS5Juko4FEXN/WHYz2PY8schqnNGrKFY3AQfrCfEhPWrBURwhbYgoV8OyLWQotxluQDddv6NshH4vHMDp04voxVOrZMEFEG/NophcgW355Nea5i0F0IljINtBxbxTpXlxnLDrFCadasIlrCpBxLbhKWoKzISu//KdF6JoSsk7XXwhXiG//9q77CaVy3svlkjtvnDkmvUuBNd11PF93Va3A==

from setuphelpers import *
from waptutils import get_hostname_and_domain
from datetime import datetime, timedelta, timezone
import json
import pyldap
import string
import random
import time
import platform

users_to_change = 'root'
expiration_days = 30

def install():
    pass

def audit():
    if params.get("install_with_luti", False):
        return "OK"
        
    hostname_from_keytab, domain_from_keytab = get_hostname_and_domain()
    print('hostname_from_keytab:', hostname_from_keytab)
    print('domain_from_keytab:', domain_from_keytab)

    if not hostname_from_keytab.endswith('$'):
        hostname_from_keytab = hostname_from_keytab + '$'

    c = pyldap.PyLdapClient(domain_name=domain_from_keytab)
    r = c.bind_sasl_kerberos()
    if not r[0]:
        print('Kerberos bind failed')
        return "ERROR"

    ldap_filter = '(samaccountname=%s)' % hostname_from_keytab
    ldap_result = c.search_first(
        c.root_dn(),
        ldap_filter,
        ['msLAPS-PasswordExpirationTime'],
    )

    if not ldap_result:
        print('Computer object not found:', hostname_from_keytab)
        return "ERROR"

    expire = get_attribute_value(ldap_result, 'msLAPS-PasswordExpirationTime')
    print('current_expire_raw:', expire)

    is_expire = False

    if not expire:
        is_expire = True
        print('No expiration found, password considered expired')
    else:
        expiration = from_windows_filetime(int(expire))
        print('current_expire_dt_utc:', expiration.isoformat())
        is_expire = datetime.now(timezone.utc) >= expiration

    if not is_expire:
        print('not expire')
        return "OK"

    randompassword = password_generator(size=20, chars=string.ascii_letters + string.digits)

    laps_timestamp_hex = hex(int((time.time() + 11644473600) * 10_000_000))[2:]
    laps_payload = json.dumps({
        "n": users_to_change,
        "t": laps_timestamp_hex,
        "p": randompassword
    })

    print('Updating msLAPS-Password')
    if not c.modify(
        ldap_result.object_name,
        pyldap.lmoReplace,
        pyldap.PyLdapAttribute('msLAPS-Password', [laps_payload], 0)
    ):
        print('Failed to update msLAPS-Password')
        return "ERROR"

    print('Updating local unix password')


    if platform.system() == 'Linux':
        run(r'usermod --password $(echo %s | openssl passwd -1 -stdin) %s' % (
            randompassword,
            users_to_change
        ))

    elif platform.system() == 'Darwin':
        run(r"dscl . -passwd /Users/%s '%s'" % (
            users_to_change,
            randompassword
        ))
    else:
        error('Platform is %s' % platform.system())

    new_expire = str(laps_expiration_from_now(days=expiration_days))
    print('new_expire_raw:', new_expire)
    print('new_expire_dt_utc:', from_windows_filetime(int(new_expire)).isoformat())

    print('Updating msLAPS-PasswordExpirationTime')
    if not c.modify(
        ldap_result.object_name,
        pyldap.lmoReplace,
        pyldap.PyLdapAttribute('msLAPS-PasswordExpirationTime', [new_expire], 0)
    ):
        print('Failed to update msLAPS-PasswordExpirationTime')
        return "ERROR"

    return "OK"


def password_generator(size=20, chars=string.ascii_letters + string.digits):
    return "".join(random.choice(chars) for _ in range(size))

def to_windows_filetime(dt: datetime) -> int:
    dt_utc = dt.astimezone(timezone.utc)
    return int((dt_utc.timestamp() + 11644473600) * 10_000_000)

def from_windows_filetime(value: int) -> datetime:
    return datetime.fromtimestamp(
        (value - 116444736000000000) / 10_000_000,
        tz=timezone.utc,
    )

def laps_expiration_from_now(days=0, hours=0, minutes=0, seconds=0) -> int:
    target = datetime.now(timezone.utc) + timedelta(
        days=days,
        hours=hours,
        minutes=minutes,
        seconds=seconds,
    )
    return to_windows_filetime(target)

def get_attribute_value(search_result, attr_name):
    if not search_result:
        return ''

    for attr in search_result.object_attributes:
        if attr.name == attr_name:
            for value in attr.values:
                return value
    return ''

38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
52c7322f353b7be982dbcfdd56bdff6dae5b20807e85347f1dcd55f9060d0736 : WAPT/control
19679fbbaf7e1b6630e722c5a99e9b7d270aa39ebacbe6ef568257fab346db09 : WAPT/icon.png
92bf7fcd7beeb4323cd941b899e9541f9e27e83bdb067146711112016a9b6c5d : luti.json
b46a2d39396c81d6eb6d212ef5555ba35cf2a0aed8666cc63ec05b479cb6ed17 : setup.py