Hi Alexander:

Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a
CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.

Regards,

Joe

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
Sent: Friday, June 29, 2012 12:31 AM
To: Martin Kosek
Cc: Joe Linoff; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python
script?

On Fri, 29 Jun 2012, Martin Kosek wrote:
>On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
>> Hi Petr:
>>
>> I implemented what you suggested and everything worked pretty well 
>> but I ran into three issues that you might be able to help me with.
>>
>> ISSUE #1
>> The first issue (and the most important) is that the password is only
>> temporary. I am prompted to reset it the first time that I login. My 
>> goal is to setup a working system quickly to test different 
>> configurations in a batch fashion but having to reset the password 
>> for each user makes that challenging. How can I disable the reset 
>> requirement for my test environment?
>>
>>     ssh user5@cuthbert
>>     user5@cuthbert's password:
>>     Password expired. Change your password now.
>>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>>     WARNING: Your password has expired.
>>     You must change your password now and login again!
>>     Changing password for user user5.
>>     Current Password:
>>     New password:
>>     Retype new password:
>>     passwd: all authentication tokens updated successfully.
>>     Connection to cuthbert closed.
>
>Hi Joe,
>
>This is a security measure, somebody else may correct me, but I don't 
>think this can be turned off. You can use an attached Python function 
>which can be used to change (reset) user password via web interface.
>Normally, this backend is used by Web UI users with expired password to
>be able to reset it. You could use it for the same purpose from the 
>script (function) I attached.
What you can do is to change the same password as a user -- given that
these are test configurations, you can:
0. Change minimum acceptable password lifetime to 0
    ipa pwpolicy-mod  --minlife=0
1. Add all users, note their passwords
2. For each user:
2.1. kinit <user>
2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
2.3. kdestroy

This way you'll get passwords set back as those users. Or use the script
that Martin provided.


>>
>> ISSUE #2
>> The second issue is really more of a question. I need to add these 
>> users to groups. My guess is that I need to setup a similar call 
>> using the 'group_add' command. Is that right? If so, do you have an 
>> example that I could follow?
>
>You can try this one:
>
>pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
>            'objectclass': (u'top',
>                            u'groupofnames',
>                            u'nestedgroup',
>                            u'ipausergroup',
>                            u'ipaobject',
>                            u'posixgroup')},
> 'summary': u'Added group "foogroup"',
> 'value': u'foogroup'}
>
>pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
>{'completed': 1,
> 'failed': {'member': {'group': (), 'user': ()}},
> 'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)}}
>
>pprint(api.Command['group_show'](u'foogroup'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)},
> 'summary': None,
> 'value': u'foogroup'}
>
>>
>> ISSUE #3
>> The third and final issue is that I get a traceback from what 
>> appears to be the validation in the batch command. How can I correct
>> that?
>>
>>     Traceback (most recent call last):
>>       File "./u1.py", line 35, in <module>
>>         result = api.Command['batch'](*add_cmds)
>>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>>         self.validate_output(ret)
>>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>>         nice, o.name, o.type, type(value), value)
>>     TypeError: batch.validate_output():
>>       output['results']: need <type 'list'>; got <type 'tuple'>:
Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed
in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.

>You may just have found a bug. Batch command is not normally executed 
>from XML-RPC, there may be an issue. We will investigate it.
Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it
is fixed already.


--
/ Alexander Bokovoy

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
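
Steps 1 to 2.3 from Alexander's reply, written as a batch loop for a test realm; this is an added example, not code posted in the thread. The `login:password` file format and the function names are assumptions, as is that `kinit` and `ipa passwd` read their prompts from stdin when it is not a terminal.

```shell
#!/bin/sh
# Added example (not from the thread): steps 1-2.3 as a loop, for a TEST realm.
# Assumed input: a mode-0600 file of "login:password" lines (hypothetical format).
# Assumed: kinit and `ipa passwd` read prompts from stdin when it is not a tty.

# The three answers `ipa passwd` asks for: current, new, new again.
# printf '%s\n' leaves backslashes in a password alone; echo -e expands them.
passwd_answers() {
    printf '%s\n%s\n%s\n' "$1" "$2" "$2"
}

# kinit / ipa passwd / kdestroy for one user. The body is a subshell, so the
# private credential cache never replaces the caller's (admin) ticket.
reset_as_user() (
    user=$1 current=$2 wanted=$3 rc=0
    cc=$(mktemp) || exit 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    printf '%s\n' "$current" | kinit "$user" >/dev/null || rc=2
    if [ "$rc" -eq 0 ]; then
        passwd_answers "$current" "$wanted" | ipa passwd >/dev/null || rc=3
        kdestroy >/dev/null 2>&1
    fi
    rm -f "$cc"
    exit "$rc"
)

# Re-set every listed password to itself, as that user (what step 2.2 does).
# Leaves the number of failures in $failed; returns non-zero if any failed.
reset_all() {
    failed=0
    while IFS=: read -r user pw; do
        [ -n "$user" ] || continue            # skip blank lines
        if ! reset_as_user "$user" "$pw" "$pw"; then
            echo "FAILED: $user" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    [ "$failed" -eq 0 ]
}

# Run only when a users file is given, e.g.: sh reset.sh /root/test-users.txt
[ "$#" -eq 0 ] || reset_all "$1"
```

Step 0 (`ipa pwpolicy-mod --minlife=0`) still has to be run once as an admin before the loop.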
