Having implemented LAPS (Local Administrator Password Solution) on all of our PCs there became a need to access the password when in the field away from a PC with easy access to AD / the LAPS GUI.

As we use Slack for primary out-of-office communications, it made sense to create a Slack Slash Command to return the LAPS Password.

It is accessed by using /password PCNAME  and returns the password to the user who requested it. PC Name isn’t returned so passwords cannot be easily matched with PC names.

The slash command uses PHP and its inbuilt LDAP module. Slash commands are configured from the Slash Command Configuration page.

Code below. It’s very simplistic but does the job.

<?php

    //-- check the slack token --//
    if($_POST['token'] != ''){
        echo 'You do now have permission to use this slack command';
        exit();
    }

    //-- check the domain, just to be sure --//
    if($_POST['team_domain'] != ''){
        echo 'You do now have permission to use this slack command';
        exit();
    }

    //-- check for the correct slash command --//
    if($_POST['command'] != '/password'){
        echo 'You have used the wrong slash command. Please try again';
        exit();
    }

    //-- ensure they've entered a PC name --//
    if($_POST['text'] == ""){
        header("Content-type: application/json");
        $text = array("text" => 'You forgot to give a PC name. Please try again');
        echo json_encode($text);
        exit();
    }

    //-- IP / DNS name of LDAP Server --//
    $ldapserver = '';

    //-- Username of user to authenticate in AD --//
    $ldapuser   = '';  

    //-- Password of the above user --//
    $ldappass   = '';

    //-- The DN of the main PC OU --//
    $ldaptree   = "";

    //-- Connect to the LDAP Server --//
    $ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");

    //-- Assign the PC name to a search variable --//
    $search = $_POST['text'];

    if($ldapconn) {

        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn));

        // verify binding
        if ($ldapbind) {

            //-- Perform a search for the computer name --//
            $result = ldap_search($ldapconn,$ldaptree, "(&(cn~=".$search.")(objectClass=computer))") or die ("Error in search query: ".ldap_error($ldapconn));

            //-- Get data from search --//
            $data = ldap_get_entries($ldapconn, $result);

            //-- Extract the LDAP attribute for LAPS Password --//
            $password = $data[0]['ms-mcs-admpwd'][0];

            //-- If it's blank, password hasn't been change by LAPS yet --//
            if($password == ""){
                header("Content-type: application/json");
                $text = array("text" => 'Password has not been changed by LAPS yet. Will be the default');
                echo json_encode($text);

            //-- Else, output the password --//
            }else{
                header("Content-type: application/json");
                $text = array("text" => $data[0]['ms-mcs-admpwd'][0]);
                echo json_encode($text);
            }           

        }
    }

?>
Categories: ADLAPSSlack

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.