Hi Martin:

Thank you. This is very helpful.

I am going to try the group functions tomorrow morning (PST).

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Friday, June 29, 2012 12:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
> 
> I implemented what you suggested and everything worked pretty well but 
> I ran into three issues that you might be able to help me with.
> 
> ISSUE #1
> The first issue (and the most important) is that the password is only 
> temporary. I am prompted to reset it the first time that I log in. My 
> goal is to set up a working system quickly to test different 
> configurations in a batch fashion but having to reset the password for 
> each user makes that challenging. How can I disable the reset 
> requirement for my test environment?
> 
>     ssh user5@cuthbert
>     user5@cuthbert's password: 
>     Password expired. Change your password now.
>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for user user5.
>     Current Password: 
>     New password: 
>     Retype new password: 
>     passwd: all authentication tokens updated successfully.
>     Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't think 
this can be turned off. You can use an attached Python function which can be 
used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to be able 
to reset it. You could use it for the same purpose from the script 
(function) I attached.

> 
> ISSUE #2
> The second issue is really more of a question. I need to add these 
> users to groups. My guess is that I need to set up a similar call using 
> the 'group_add' command. Is that right? If so, do you have an example 
> that I could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
            'objectclass': (u'top',
                            u'groupofnames',
                            u'nestedgroup',
                            u'ipausergroup',
                            u'ipaobject',
                            u'posixgroup')},
 'summary': u'Added group "foogroup"',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

> 
> ISSUE #3
> The third and final issue is that I get a traceback from what 
> appears to be the validation in the batch command. How can I correct that?
> 
>     Traceback (most recent call last):
>       File "./u1.py", line 35, in <module>
>         result = api.Command['batch'](*add_cmds)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 
> 443, in __call__
>         self.validate_output(ret)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 
> 903, in validate_output
>         nice, o.name, o.type, type(value), value)
>     TypeError: batch.validate_output():
>       output['results']: need <type 'list'>; got <type 'tuple'>:
> ({'summary': u'Added user "user5"', 'result': {'dn':
> u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': 
> True,
> 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
> (u'top', u'person', u'organizationalperson', u'inetorgperson', 
> u'inetuser', u'posixaccount', u'krbprincipalaux', 
> u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 
> 'uidnumber':
> (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
> 'has_password': True, 'sn': (u'last',), 'homedirectory':
> (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname':
> (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first 
> last',), 'gecos': (u'first last',), 'ipauniqueid':
> (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
> None},)

You may just have found a bug. Batch command is not normally executed from 
XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using simple command, I think it's easier to read 
and code.

Martin
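
Added example, not part of the original messages or of FreeIPA's own code: group membership usually decides access, so a provisioning script should confirm that a group_add_member call really added every requested user instead of trusting that it returned. The helper names and both result dicts are constructed for illustration; the first dict mirrors the output shown above, and the shape of a failure entry (a name with a reason string) is an assumption.

```python
# Added example: inspect a group_add_member-style result for partial failures.
# Both sample results are constructed; OK_RESULT mirrors the output in the thread.

OK_RESULT = {
    'completed': 1,
    'failed': {'member': {'group': (), 'user': ()}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}

# Constructed failure case: one user added, one rejected.
PARTIAL_RESULT = {
    'completed': 1,
    'failed': {'member': {'group': (),
                          'user': ((u'nouser', u'no such entry'),)}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}


def failed_members(result):
    """Return sorted (kind, name, reason) tuples for members that were not added."""
    failures = []
    for kind, entries in result.get('failed', {}).get('member', {}).items():
        for entry in entries:
            # Assumption: an entry is a bare name or a (name, reason) pair.
            if isinstance(entry, (tuple, list)):
                name = entry[0]
                reason = entry[1] if len(entry) > 1 else u'unknown'
            else:
                name, reason = entry, u'unknown'
            failures.append((kind, name, reason))
    return sorted(failures)


def check_membership(result, requested_users):
    """Return the member list, or raise if any requested user is not in the group."""
    failures = failed_members(result)
    members = result.get('result', {}).get('member_user', ())
    missing = [u for u in requested_users if u not in members]
    if failures or missing:
        raise RuntimeError('group_add_member incomplete (completed=%r): '
                           'failed=%r missing=%r'
                           % (result.get('completed'), failures, missing))
    return list(members)
```

In a script, pass the dict returned by api.Command['group_add_member'](...) straight to check_membership() before moving on to the next group.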


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
