On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
> 
> I implemented what you suggested and everything worked pretty well but I
> ran into three issues that you might be able to help me with.
> 
> ISSUE #1
> The first issue (and the most important) is that the password is only
> temporary. I am prompted to reset it the first time that I login. My
> goal is to setup a working system quickly to test different
> configurations in a batch fashion but having to reset the password for
> each user makes that challenging. How can I disable the reset
> requirement for my test environment?
> 
>     ssh user5@cuthbert
>     user5@cuthbert's password: 
>     Password expired. Change your password now.
>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for user user5.
>     Current Password: 
>     New password: 
>     Retype new password: 
>     passwd: all authentication tokens updated successfully.
>     Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't
think this can be turned off. You can use an attached Python function
which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to
be able to reset it. You could use it for the same purpose from the
script (function) I attached.

> 
> ISSUE #2
> The second issue is really more of a question. I need to add these users
> to groups. My guess is that I need to setup a similar call using the
> 'group_add' command. Is that right? If so, do you have an example that I
> could follow? 

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
            'objectclass': (u'top',
                            u'groupofnames',
                            u'nestedgroup',
                            u'ipausergroup',
                            u'ipaobject',
                            u'posixgroup')},
 'summary': u'Added group "foogroup"',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

> 
> ISSUE #3
> The third and final issue is that I get a traceback from what appears
> to be the validation in the batch command. How can I correct that?
> 
>     Traceback (most recent call last):
>       File "./u1.py", line 35, in <module>
>         result = api.Command['batch'](*add_cmds)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 443, in __call__
>         self.validate_output(ret)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line
> 903, in validate_output
>         nice, o.name, o.type, type(value), value)
>     TypeError: batch.validate_output():
>       output['results']: need <type 'list'>; got <type 'tuple'>:
> ({'summary': u'Added user "user5"', 'result': {'dn':
> u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
> 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
> (u'top', u'person', u'organizationalperson', u'inetorgperson',
> u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
> u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
> (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
> 'has_password': True, 'sn': (u'last',), 'homedirectory':
> (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname':
> (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first
> last',), 'gecos': (u'first last',), 'ipauniqueid':
> (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
> None},)

You may just have found a bug. Batch command is not normally executed
from XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using a simple command, I think it's easier to
read and code.

Martin

#!/usr/bin/python
import socket
import sys
import pycurl
import urllib

DEBUG=True

def change_password(hostname, user, old_password, new_password):
    url = 'https://%s/ipa/session/change_password' % hostname
    print "Perform password change on the IPA server URL: %s" % url
    # Note: this echoes both the old and the new password to stdout.
    print "Change password for '%s' from '%s' to '%s'" % (user, old_password, new_password)

    request = {
        'user': user,
        'old_password': old_password,
        'new_password': new_password,
    }

    request_data = urllib.urlencode(request, True)

    c = pycurl.Curl()
    c.setopt(pycurl.URL, url)
    c.setopt(pycurl.HTTPHEADER, [
        "Content-Type: application/x-www-form-urlencoded",
        "Referer: %s" % url
        ]
    )

    #set POST fields
    c.setopt(pycurl.POST, 1)
    c.setopt(pycurl.POSTFIELDS, request_data)
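    # Peer certificate verification is disabled here (test lab only); to
    # verify the server, drop this line and point pycurl.CAINFO at the IPA
    # CA certificate.
    c.setopt(pycurl.SSL_VERIFYPEER, False)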

    if DEBUG:
        c.setopt(pycurl.VERBOSE, 1)

    c.perform()

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit('Usage: ./changepw.py USER OLD_PASSWORD NEW_PASSWORD')

    user=sys.argv[1]
    old_password=sys.argv[2]
    new_password=sys.argv[3]
    hostname=socket.gethostname()   # use current hostname

    change_password(hostname, user, old_password, new_password)
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
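
A variant of the attached script with certificate verification left on and the server's reply checked, as an added example (Python 3, not part of the original message or of FreeIPA's own code). It assumes the IPA CA certificate is at /etc/ipa/ca.crt and that the server reports the outcome in the X-IPA-Pwchange-Result and X-IPA-Pwchange-Policy-Error response headers; the function names are hypothetical.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request

IPA_CA = "/etc/ipa/ca.crt"  # assumption: CA certificate path on an enrolled host


def build_request(hostname, user, old_password, new_password):
    """Build the form POST for /ipa/session/change_password (nothing is sent)."""
    url = "https://%s/ipa/session/change_password" % hostname
    body = urllib.parse.urlencode({
        "user": user,
        "old_password": old_password,
        "new_password": new_password,
    }).encode("utf-8")
    # Same Content-Type and Referer headers as the original script.
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": url,
    })


def interpret(status, headers):
    """Map the reply to (ok, reason) using the result headers (assumed names)."""
    result = headers.get("X-IPA-Pwchange-Result")
    if status == 200 and result == "ok":
        return True, "ok"
    if result == "policy-error":
        detail = headers.get("X-IPA-Pwchange-Policy-Error", "")
        return False, "policy-error: %s" % detail
    return False, result or "http-%d" % status


def change_password(hostname, user, old_password, new_password, cafile=IPA_CA):
    """Send the request with certificate and hostname verification enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(hostname, user, old_password, new_password)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return interpret(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.headers)
```

Unlike the original, nothing here prints the passwords; a batch script can log only the returned (ok, reason) pair per user.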