I'm including the playbook below.  I'm still unable to find a way to ignore 
any user that does not have the krblastpwdchange property set.  When I run 
the playbook, I still get the following error:

TASK [Find users who's password will expire in the next 10 days] 
*******************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "Unexpected templating type error 
occurred on ({{ user_show.results | 
json_query('[*].json.result.result.{uid: uid[0], pwdchg: 
krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined') | 
selectattr('pwdchg', '<', expire_date) | list }}): '<' not supported 
between instances of 'NoneType' and 'AnsibleUnsafeText'. '<' not supported 
between instances of 'NoneType' and 'AnsibleUnsafeText'"}

Playbook:

---
- name: Gather User Password Expiration information from IDM server
  hosts: localhost
  gather_facts: no

  pre_tasks:
    - setup:
        filter: 'ansible_date_time'

  vars_files:
    - /etc/ansible/vault.yml

  vars:
    idmfqdn: idmserver
    binduser: 'admin'
    bindpasswd: '{{ secure_ipa_pass }}'
    warning_days: 10

  tasks:

  - name: Set list of users to ignore
    ansible.builtin.set_fact:
      ignore_users:
        - "root" 
        - "some.user" 
        - "some.c-ctr.user" 
        - "test.redhat" 
        - "admin"

  - name: Login to IDM use returned cookie to access the API in later tasks
    ansible.builtin.uri:
      url: "https://{{idmfqdn}}/ipa/session/login_password"
      method: POST
      headers:
        Referer: "https://{{idmfqdn}}/ipa"
        Content-Type: "application/x-www-form-urlencoded"
        Accept: "text/plain"
      body_format: form-urlencoded
      body:
        user: "{{binduser}}"
        password: "{{bindpasswd}}"
      status_code: 200
      follow_redirects: all
    register: login

  - name: Get IDM API version using previously stored session cookie
    ansible.builtin.uri:
      url: "https://{{idmfqdn}}/ipa/session/json"
      method: POST
      headers:
        Cookie: "{{ login.set_cookie }}"
        Referer: "https://{{idmfqdn}}/ipa"
        Content-Type: "application/json"
        Accept: "application/json"
      body_format: json
      body: '{"method": "ping","params": [[],{}]}'
    register: api_vers_out

  - name: Set fact for api version
    ansible.builtin.set_fact:
      api_vers: "{{ api_vers_out.json.result.messages|json_query('[*].data.server_version')|join() }}"

  - name: Run user_find from IDM API using previously stored session cookie
    ansible.builtin.uri:
      url: "https://{{idmfqdn}}/ipa/session/json"
      method: POST
      headers:
        Cookie: "{{ login.set_cookie }}"
        Referer: "https://{{idmfqdn}}/ipa"
        Content-Type: "application/json"
        Accept: "application/json"
      body_format: json
      body: "{\"method\": \"user_find/1\",\"params\": [[],{\"version\": \"{{ api_vers }}\"}]}"
    no_log: true
    register: user_find

  - name: Set users fact
    ansible.builtin.set_fact:
      uid: "{{ user_find.json.result.result|map(attribute='uid')|flatten|difference(ignore_users) }}"

  - name: Run user_show from IDM API using previously stored session cookie
    ansible.builtin.uri:
      url: "https://{{idmfqdn}}/ipa/session/json"
      method: POST
      headers:
        Cookie: "{{ login.set_cookie }}"
        Referer: "https://{{idmfqdn}}/ipa"
        Content-Type: "application/json"
        Accept: "application/json"
      body_format: json
      body: "{\"method\": \"user_show\",\"params\": [[ \"{{ item }}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
    register: user_show
    loop: "{{ uid | json_query('[:1]') }}"


  - name: Set expire date
    ansible.builtin.set_fact:
      expire_date: '{{ lookup(''pipe'', ''date -u --date="today + {{ warning_days }} days" +%Y%m%d000000Z'') }}'

  - name: Show expire date
    ansible.builtin.debug:
      msg: "{{ expire_date }}"

  - name: Show user info
    debug:
      msg: "{{ user_show.results | json_query('[*].json.result.result.{uid: uid[0], pwdchg: krblastpwdchange[0].__datetime__}') }}"

  - name: Find users who's password will expire in the next {{ warning_days }} days
    ansible.builtin.set_fact:
      pwd_expire_soon: "{{ user_show.results | json_query('[*].json.result.result.{uid: uid[0], pwdchg: krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined') | selectattr('pwdchg', '<', expire_date) | list }}"

  - name: Show accounts that are due to expire in the next {{ warning_days }} days
    ansible.builtin.debug:
      msg: "{{ pwd_expire_soon }}"

Thanks,
Harry
On Friday, February 23, 2024 at 2:54:06 PM UTC-5 [email protected] wrote:

> So it looks like the VERY 1st user in our system has never logged in, so 
> the krblastpwdchange property has never gotten set.  Is there a way to 
> ignore when that field doesn't exist or is null?
>
> Thanks,
> Harry
>
> On Friday, February 23, 2024 at 2:46:07 PM UTC-5 Todd Lewis wrote:
>
>> The original problem is you're comparing 'NoneType' and 'str'. So, for at 
>> least one of your principals there's no krblastpwdchange. You need to work 
>> on the subset of data relevant to the comparison.
>>
>>
>> On 2/23/24 2:09 PM, [email protected] wrote:
>>
>> I'm not including the entire playbook, but the URI module call where 
>> user_show gets registered, then the debug statements: 
>>
>>   - name: Run user_show from IDM API using previously stored session cookie
>>     ansible.builtin.uri:
>>       url: "https://{{idmfqdn}}/ipa/session/json"
>>       method: POST
>>       headers:
>>         Cookie: "{{ login.set_cookie }}"
>>         Referer: "https://{{idmfqdn}}/ipa"
>>         Content-Type: "application/json"
>>         Accept: "application/json"
>>       body_format: json
>>       body: "{\"method\": \"user_show\",\"params\": [[ \"{{ item }}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
>>     register: user_show
>>     loop: "{{ uid | json_query('[:10]') }}"
>>
>>
>>   - name: Set expire date
>>     ansible.builtin.set_fact:
>>       expire_date: '{{ lookup(''pipe'', ''date -u --date="today + 10 days" +%Y%m%d000000Z'') }}'
>>
>>   - name: Show expire date
>>     ansible.builtin.debug:
>>       msg: "{{ expire_date }}"
>>
>>   - name: Show user info
>>     debug:
>>       msg: "{{ user_show.results | json_query('[*].json.result.result.{uid: uid[0], pwdchg: krblastpwdchange[0].__datetime__}') }}"
>>
>> Thanks,
>> Harry
>> On Friday, February 23, 2024 at 1:58:04 PM UTC-5 Todd Lewis wrote:
>>
>>> Without showing us the expression you used in your debug's "msg:", this 
>>> doesn't tell us anything.
>>>
>>>
>>> On 2/23/24 1:05 PM, [email protected] wrote:
>>>
>>> Looks OK to me: 
>>>
>>> TASK [Show user info] 
>>> **************************************************************************************************************************************************************************************
>>> ok: [localhost] => {
>>>     "msg": [
>>>         {
>>>             "pwdchg": "20210416141027Z",
>>>             "uid": "user1"
>>>         }
>>>     ]
>>> }
>>>
>>>
>>> Thanks,
>>> Harry
>>> On Friday, February 23, 2024 at 12:13:07 PM UTC-5 Rowe, Walter P. (Fed) 
>>> wrote:
>>>
>>>> {{ user_show.results | json_query('[*].json.result.result.{uid: 
>>>> uid[0], pwdchg: krblastpwdchange[0].__datetime__}') }}
>>>>
>>>> I would display this info in a debug to see what the resulting data 
>>>> stream looks like. Maybe the selectattr('pwdchg') is an inaccurate 
>>>> reference to pwdchg?
>>>>
>>>>
>>>> Walter
>>>> --
>>>> Walter Rowe, Division Chief
>>>> Infrastructure Services Division
>>>> Mobile: 202.355.4123
>>>>
>>>> On Feb 23, 2024, at 12:09 PM, [email protected] <[email protected]> 
>>>> wrote:
>>>>
>>>> Just pull out those fields from the returned user information.  I use 
>>>> that in 2 or 3 other playbooks so I know that it works. 
>>>>
>>>> Thanks,
>>>> Harry
>>>>
>>>> On Friday, February 23, 2024 at 11:53:04 AM UTC-5 Rowe, Walter P. (Fed) 
>>>> wrote:
>>>>
>>>>> pwd_expire_soon: "{{ user_show.results | 
>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg: 
>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 
>>>>> 'lessthan', 'expire_date') | list }}"
>>>>>
>>>>> What are you expecting this red portion to do? I don't think it is 
>>>>> valid in json_query.
>>>>>
>>>>> Walter
>>>>> --
>>>>> Walter Rowe, Division Chief
>>>>> Infrastructure Services Division
>>>>> Mobile: 202.355.4123
>>>>>
>>>>> On Feb 23, 2024, at 11:30 AM, [email protected] <[email protected]> 
>>>>> wrote:
>>>>>
>>>>> I am trying to determine when users' passwords are going to expire in 
>>>>> the next 10 days.  After I traverse my FreeIPA users and store those 
>>>>> users into a variable, I try to set a fact like so: 
>>>>>   - name: Find users who's password will expire in the next 10 days
>>>>>     set_fact:
>>>>>       pwd_expire_soon: "{{ user_show.results | 
>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg: 
>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'lessthan', 
>>>>> 'expire_date') | list }}"
>>>>>
>>>>> When I run my playbook, I get the following error:
>>>>>
>>>>> fatal: [localhost]: FAILED! => {"msg": "Unexpected templating type 
>>>>> error occurred on ({{ user_show.results | 
>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg: 
>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'lessthan', 
>>>>> 'expire_date') | list }}): '<' not supported between instances of 
>>>>> 'NoneType' and 'str'. '<' not supported between instances of 'NoneType' 
>>>>> and 
>>>>> 'str'"}
>>>>>
>>>>> I can't seem to find what the issue is.  I originally  had '<' instead 
>>>>> of 'lessthan' but got the same error.  Any ideas?
>>>>>
>>>>> Thanks,
>>>>> Harry
>>>>>
>>>>> -- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit 
>>>>> https://groups.google.com/d/msgid/ansible-project/a1131cb0-bc23-46bb-afbf-ca9ad6f4ce34n%40googlegroups.com.
>>>>>
>>>>>
>>>>>
>>> -- 
>>> Todd
>>>
>> -- 
>> Todd
>>
>>
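
The error in the top message arises because the `json_query` projection emits the `pwdchg` key with a null value when `krblastpwdchange` is absent, so `selectattr('pwdchg', 'defined')` still passes that entry to the `<` comparison. The playbook below is an added example, not part of the thread: it drops the null entries with `rejectattr('pwdchg', 'none')` before comparing. The `user_show` data, the fixed `expire_date` value and the `pwd_query` variable name are constructed for illustration; `json_query` needs the community.general collection and the jmespath Python package, as in the original playbook.

```yaml
---
# Added example, not from the thread. All sample data below is constructed.
- name: Skip users with no krblastpwdchange before comparing dates
  hosts: localhost
  gather_facts: false

  vars:
    # Constructed fixed value; the thread builds this with date(1).
    expire_date: "20240304000000Z"
    # Constructed stand-in for the registered user_show variable.
    # The second user has never had a password change recorded.
    user_show:
      results:
        - json: {result: {result: {uid: [user1], krblastpwdchange: [{__datetime__: "20210416141027Z"}]}}}
        - json: {result: {result: {uid: [never.loggedin]}}}
        - json: {result: {result: {uid: [user2], krblastpwdchange: [{__datetime__: "20240401090000Z"}]}}}
    # Hypothetical variable name holding the thread's JMESPath expression.
    pwd_query: "[*].json.result.result.{uid: uid[0], pwdchg: krblastpwdchange[0].__datetime__}"

  tasks:
    - name: Show that the projection keeps pwdchg with a null value
      ansible.builtin.debug:
        msg: "{{ user_show.results | json_query(pwd_query) }}"

    - name: Drop null pwdchg values, then compare the remaining strings
      ansible.builtin.set_fact:
        pwd_expire_soon: >-
          {{ user_show.results
             | json_query(pwd_query)
             | rejectattr('pwdchg', 'none')
             | selectattr('pwdchg', '<', expire_date)
             | list }}

    - name: Only user1 is older than expire_date; the null entry no longer fails
      ansible.builtin.assert:
        that:
          - pwd_expire_soon | map(attribute='uid') | list == ['user1']
```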
