On Fri, 15 Nov 2013, Antti Peltonen wrote:
Hi,
On 14 November 2013 21:06, Dmitri Pal <d...@redhat.com> wrote:
A quick look at the tool's command line indicates that it is probably not
using any of the IPA framework and rather goes over LDAP. I am not sure
that this is the best approach, let us discuss...
Could you please point me towards some documentation on how to implement
this tool with IPA framework or should I just go and read some code? :)
You can start with http://abbra.fedorapeople.org/guide.html
Attached is a simple rewrite of your code that I did in ~30 minutes or
so. Just drop it into ipalib/plugins
(/usr/lib/python2.7/site-packages/ipalib/plugins/user_addon.py on my
Fedora 19 VM) and restart the server. There is a lot to polish there
(unrelated options need to be masked/removed, better handling of expire
option, etc.) but it works by providing you a list of users whose passwords
did expire:
$ LANG=en_US.utf8 ipa user-find-expire --expire=20150201000000
-----------------
1 account matched
-----------------
User login: admin
Full name: Administrator
Expire date: 20140211151057Z
----------------------------
Number of entries returned 1
----------------------------
Also worth noting, the way IPA framework is built, the same file must be
present at the client where 'ipa' utility is being run -- we do so by
packaging all ipalib/plugins/* to a freeipa-python subpackage and then
freeipa-admintools simply requiring it.
--
/ Alexander Bokovoy
from ipalib.plugins.baseldap import *
from ipalib import api, errors
from ipalib import Str
from ipalib import _, ngettext
from ipapython.dn import DN
import datetime


class user_find_expire(LDAPSearch):
    __doc__ = _('Search for expiring accounts.')

    msg_summary = ngettext(
        '%(count)d account matched', '%(count)d accounts matched', 0
    )

    takes_options = LDAPSearch.takes_options + (
        Str('krbpasswordexpiration?',
            cli_name='expire',
            label=_('Expire date'),
            doc=_('Password expiration date, YYYYMMDDHHMMSS'),
        ),
    )

    has_output_params = LDAPSearch.has_output_params

    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args,
                     **options):
        assert isinstance(base_dn, DN)
        # The filter value below is formatted with a 'Z' (UTC) suffix, so the
        # default cutoff is taken in UTC rather than local time.
        if not ('krbpasswordexpiration' in options):
            expire = datetime.datetime.utcnow()
        else:
            exp = options['krbpasswordexpiration']
            if exp.lower() == u'now':
                expire = datetime.datetime.utcnow()
            else:
                try:
                    expire = datetime.datetime.strptime(exp, '%Y%m%d%H%M%S')
                except ValueError:
                    raise errors.ValidationError(
                        name='expire', error=_('Date cannot be parsed'))

        # Only the re-formatted datetime reaches the filter, never the raw
        # option string.
        custom_filter = '(&(objectclass=posixAccount)' \
                        '(objectClass=krbPrincipalAux)' \
                        '(krbPasswordExpiration<={zulu})' \
                        ')'.format(zulu=expire.strftime("%Y%m%d%H%M%SZ"))

        # Remove everything from the pre-populated attrs_list (in place, the
        # caller holds a reference to it), set own view of it
        del attrs_list[:]
        attrs_list.extend(['uid', 'cn', 'displayname', 'mail',
                           'krbpasswordexpiration'])
        return (
            ldap.combine_filters((custom_filter, filter), rules=ldap.MATCH_ALL),
            base_dn, ldap.SCOPE_ONELEVEL
        )


api.register(user_find_expire)
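The "better handling of expire option" mentioned in the message, sketched as an added example that is not part of the original post or of FreeIPA: standalone Python 3 with no ipalib dependency. The function names and the relative `+Nd` form are assumptions of this example and go beyond the single absolute date the posted plugin accepts.

```python
import datetime
import re

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"          # LDAP GeneralizedTime, UTC
_ABSOLUTE = re.compile(r"[0-9]{14}")         # YYYYMMDDHHMMSS, as in the plugin
_RELATIVE = re.compile(r"\+([0-9]{1,4})d")   # '+Nd': assumption of this example


def parse_expire(value, now):
    """Turn an --expire argument into a naive UTC datetime."""
    if value is None or value.lower() == "now":
        return now
    rel = _RELATIVE.fullmatch(value)
    if rel:
        return now + datetime.timedelta(days=int(rel.group(1)))
    # strptime accepts unpadded fields, so pin the exact 14-digit shape first.
    if not _ABSOLUTE.fullmatch(value):
        raise ValueError("expire must be 'now', +Nd or YYYYMMDDHHMMSS")
    return datetime.datetime.strptime(value, "%Y%m%d%H%M%S")


def expiry_filter(value, now=None):
    """LDAP filter for accounts whose password expires on or before value."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    cutoff = parse_expire(value, now)
    # Only digits and 'Z' from strftime reach the filter, never the raw input.
    return ("(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)"
            "(krbPasswordExpiration<=%s))" % cutoff.strftime(GENERALIZED_TIME))


def days_left(generalized_time, now):
    """Whole days until a krbPasswordExpiration value; negative if expired."""
    expires = datetime.datetime.strptime(generalized_time, GENERALIZED_TIME)
    return (expires - now).days


if __name__ == "__main__":
    now = datetime.datetime(2013, 11, 15, 12, 0, 0)  # constructed "current" time
    print(expiry_filter("20150201000000", now))
    print(expiry_filter("+30d", now))
    print(days_left("20140211151057Z", now))         # value from the output above
    try:
        expiry_filter("2015-02-01", now)              # constructed malformed input
    except ValueError as err:
        print("rejected:", err)
```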