On Fri, 29 Jun 2012, Martin Kosek wrote:
On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
Hi Petr:

I implemented what you suggested and everything worked pretty well but I
ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only
temporary. I am prompted to reset it the first time that I log in. My
goal is to set up a working system quickly to test different
configurations in a batch fashion but having to reset the password for
each user makes that challenging. How can I disable the reset
requirement for my test environment?

    ssh user5@cuthbert
    user5@cuthbert's password:
    Password expired. Change your password now.
    Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user user5.
    Current Password:
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't
think this can be turned off. You can use an attached Python function
which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to
be able to reset it. You could use it for the same purpose from the
script (function) I attached.
What you can do is to change the same password as a user -- given that
these are test configurations, you can:
0. Change minimum acceptable password lifetime to 0
   ipa pwpolicy-mod  --minlife=0
1. Add all users, note their passwords
2. For each user:
2.1. kinit <user>
2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
2.3. kdestroy

This way you'll get passwords set back as those users. Or use the script
that Martin provided.



ISSUE #2
The second issue is really more of a question. I need to add these users
to groups. My guess is that I need to set up a similar call using the
'group_add' command. Is that right? If so, do you have an example that I
could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
           'description': (u'foo group',),
           'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
           'gidnumber': (u'4800015',),
           'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
           'objectclass': (u'top',
                           u'groupofnames',
                           u'nestedgroup',
                           u'ipausergroup',
                           u'ipaobject',
                           u'posixgroup')},
'summary': u'Added group "foogroup"',
'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
'failed': {'member': {'group': (), 'user': ()}},
'result': {'cn': (u'foogroup',),
           'description': (u'foo group',),
           'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
           'gidnumber': (u'4800015',),
           'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
           'description': (u'foo group',),
           'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
           'gidnumber': (u'4800015',),
           'member_user': (u'admin',)},
'summary': None,
'value': u'foogroup'}


ISSUE #3
The third and final issue is that I get a traceback from what appears
to be the validation in the batch command. How can I correct that?

    Traceback (most recent call last):
      File "./u1.py", line 35, in <module>
        result = api.Command['batch'](*add_cmds)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
        self.validate_output(ret)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
        nice, o.name, o.type, type(value), value)
    TypeError: batch.validate_output():
      output['results']: need <type 'list'>; got <type 'tuple'>:

Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed
in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.

You may just have found a bug. Batch command is not normally executed
from XML-RPC, there may be an issue. We will investigate it.
Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it
is fixed already.


--
/ Alexander Bokovoy
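
Added example, not part of the thread and not FreeIPA project code: the group_add_member result shown under ISSUE #2 carries a 'completed' count and a 'failed' map, so a batch provisioning script can check both instead of assuming every user landed in the group. OK_RESULT copies the shape from the thread; BAD_RESULT is constructed, and the user name 'user9' and the (name, reason) entry shape are assumptions.

```python
# Added example: inspect a group_add_member result from a batch script.
OK_RESULT = {  # shape copied from the group_add_member output in the thread
    'completed': 1,
    'failed': {'member': {'group': (), 'user': ()}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}
BAD_RESULT = {  # constructed: user9 and the (name, reason) shape are assumptions
    'completed': 1,
    'failed': {'member': {'group': (),
                          'user': ((u'user9', u'no such entry'),)}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}


def membership_failures(result):
    """Flatten result['failed'] into sorted (member_type, name, reason) tuples."""
    failures = []
    for by_type in result.get('failed', {}).values():
        for member_type, entries in by_type.items():
            for entry in entries:
                if isinstance(entry, (tuple, list)) and len(entry) == 2:
                    name, reason = entry
                else:  # tolerate a bare name with no reason attached
                    name, reason = entry, u'unknown'
                failures.append((member_type, name, reason))
    return sorted(failures)


def check_membership(result, wanted_users):
    """Compare the users we asked for with what the server says it stored."""
    members = set(result.get('result', {}).get('member_user', ()))
    missing = sorted(set(wanted_users) - members)
    failures = membership_failures(result)
    return {
        'ok': not missing and not failures,
        'completed': result.get('completed', 0),
        'missing': missing,
        'failures': failures,
    }


if __name__ == '__main__':
    from pprint import pprint
    pprint(check_membership(OK_RESULT, [u'admin']))
    pprint(check_membership(BAD_RESULT, [u'admin', u'user9']))
```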
