Re: [Freeipa-devel] Include proposal to contrib (expired user accounts query tool)
On Fri, 15 Nov 2013, Antti Peltonen wrote:
> Hi,
>
> On 14 November 2013 21:06, Dmitri Pal <d...@redhat.com> wrote:
>> A quick look at the tool's command line indicates that it is probably
>> not using any of the IPA framework and rather goes over LDAP. I am not
>> sure that this is the best approach, let us discuss...
>
> Could you please point me towards some documentation on how to
> implement this tool with the IPA framework, or should I just go and
> read some code? :)
You can start with http://abbra.fedorapeople.org/guide.html

Attached is a simple rewrite of your code that I did in ~30 minutes or
so. Just drop it into ipalib/plugins
(/usr/lib/python2.7/site-packages/ipalib/plugins/user_addon.py on my
Fedora 19 VM) and restart the server.

There is a lot to polish there (unrelated options need to be
masked/removed, better handling of the expire option, etc.) but it works
by providing you a list of users whose passwords did expire:

$ LANG=en_US.utf8 ipa user-find-expire --expire=2015020100
-----------------
1 account matched
-----------------
  User login: admin
  Full name: Administrator
  Expire date: 20140211151057Z
----------------------------
Number of entries returned 1
----------------------------

Also worth noting, the way the IPA framework is built, the same file must
be present at the client where the 'ipa' utility is being run -- we do so
by packaging all ipalib/plugins/* into a freeipa-python subpackage and
then freeipa-admintools simply requiring it.

--
/ Alexander Bokovoy

user_addon.py:

from ipalib.plugins.baseldap import *
from ipalib import api, errors
from ipalib import Str
from ipalib import _, ngettext
from ipapython.dn import DN
import datetime


class user_find_expire(LDAPSearch):
    __doc__ = _('Search for expiring accounts.')

    msg_summary = ngettext(
        '%(count)d account matched', '%(count)d accounts matched', 0
    )

    takes_options = LDAPSearch.takes_options + (
        Str('krbpasswordexpiration?',
            cli_name='expire',
            label=_('Expire date'),
            doc=_('Password expiration date, YYYYMMDDHHMMSS (UTC), or "now"'),
        ),
    )

    has_output_params = LDAPSearch.has_output_params

    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
        assert isinstance(base_dn, DN)
        # krbPasswordExpiration is stored as generalizedTime in UTC ("...Z"),
        # so the comparison value is built from UTC as well.
        if not ('krbpasswordexpiration' in options):
            expire = datetime.datetime.utcnow()
        else:
            exp = options['krbpasswordexpiration']
            if exp.lower() == u'now':
                expire = datetime.datetime.utcnow()
            else:
                try:
                    expire = datetime.datetime.strptime(exp, '%Y%m%d%H%M%S')
                except ValueError:
                    raise errors.ValidationError(name='expire',
                                                 error=_('Date cannot be parsed'))
        # Kerberos-enabled POSIX users whose password expired at or before
        # the requested date.
        custom_filter = '(&(objectclass=posixAccount)' \
                        '(objectClass=krbPrincipalAux)' \
                        '(krbPasswordExpiration<={zulu}))'.format(
                            zulu=expire.strftime('%Y%m%d%H%M%SZ'))
        # Remove everything from the pre-populated attrs_list, set own view of it
        del attrs_list[:]
        attrs_list.extend(['uid', 'cn', 'displayname', 'mail',
                           'krbpasswordexpiration'])
        return (
            ldap.combine_filters((custom_filter, filter), rules=ldap.MATCH_ALL),
            base_dn,
            ldap.SCOPE_ONELEVEL
        )

api.register(user_find_expire)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Include proposal to contrib (expired user accounts query tool)
Hi,

Neat little dirty rework, but it appears that the framework took all the
fun of learning Python-LDAP away. ;)

I think I will keep the current codebase of my tool as it is and do a fork
from it to run as an IPA plugin. I will at a later date submit that for a
contrib review when it is as complete as the standalone version is now.

On 15 November 2013 10:22, Alexander Bokovoy <aboko...@redhat.com> wrote:
> [...]

--
Antti Peltonen | Homo sapiens | planet Earth
blog http://bcow.me | email antti.peltonen@iki.fi
irc bcow@IRCNet,Freenode
[Freeipa-devel] Include proposal to contrib (expired user accounts query tool)
Hi all,

I have created the following tool,
https://bitbucket.org/bcow/freeipa-expired-user-accounts-query, to
mitigate a situation where users in the directory never log in to servers
and therefore do not receive alerts about expiring passwords.

My tool can be used to query the LDAP directory and list users that have
expired passwords and/or users with passwords about to expire within a
given number of days. An external script can then be executed for each
matching user to generate a warning for the user via a selected medium,
for example by email.

--
Antti Peltonen | Homo sapiens | planet Earth
blog http://bcow.me | email antti.peltonen@iki.fi
irc bcow@IRCNet,Freenode
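As an added example (not code from the thread, the bitbucket tool or FreeIPA), the Python below generalises the krbPasswordExpiration filter used in Alexander's plugin to the two cases the standalone tool covers: passwords already expired and passwords expiring within N days. The entry shape and sample values are constructed; it assumes krbPasswordExpiration is stored as LDAP generalizedTime in UTC, as in the thread's output.

```python
from datetime import datetime, timedelta, timezone

# krbPasswordExpiration is stored as LDAP generalizedTime, e.g. 20140211151057Z
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


def to_generalized_time(dt):
    """Render an aware datetime as UTC generalizedTime for use in a filter."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)


def parse_generalized_time(value):
    """Parse a krbPasswordExpiration value into an aware UTC datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def expiry_filter(now, within_days=0):
    """Filter for Kerberos POSIX users whose password expired, or will expire
    within within_days days (0 selects only already-expired accounts)."""
    cutoff = now + timedelta(days=within_days)
    return ("(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)"
            "(krbPasswordExpiration<=%s))" % to_generalized_time(cutoff))


def classify(entries, now, within_days):
    """Split search results into expired, expiring and unset uids. Entries with
    no krbPasswordExpiration are reported rather than silently skipped, since
    an LDAP '<=' filter would never return them."""
    expired, expiring, unset = [], [], []
    cutoff = now + timedelta(days=within_days)
    for entry in entries:
        uid = entry["uid"][0]
        values = entry.get("krbPasswordExpiration", [])
        if not values:
            unset.append(uid)
            continue
        exp = parse_generalized_time(values[0])
        if exp <= now:
            expired.append(uid)
        elif exp <= cutoff:
            expiring.append(uid)
    return expired, expiring, unset


# Constructed sample entries in python-ldap's attribute-dict shape (not real data).
SAMPLE_NOW = datetime(2014, 2, 20, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": ["admin"], "krbPasswordExpiration": ["20140211151057Z"]},  # expired
    {"uid": ["alice"], "krbPasswordExpiration": ["20140225090000Z"]},  # 5 days left
    {"uid": ["bob"], "krbPasswordExpiration": ["20140601000000Z"]},    # far away
    {"uid": ["svc"]},                                                 # never set
]
```

The "unset" list is the case a notification script built on the filter alone would miss.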
Re: [Freeipa-devel] Include proposal to contrib (expired user accounts query tool)
On 11/14/2013 12:08 PM, Antti Peltonen wrote:
> [...]

Thank you for the contribution!

A quick look at the tool's command line indicates that it is probably not
using any of the IPA framework and rather goes over LDAP. I am not sure
that this is the best approach, let us discuss...

For the tool to become a part of the IPA ecosystem it should probably take
advantage of the framework. The framework would take care of things like

  --gssapi --server ipaserver.example.tld --basedn cn=users,cn=accounts,dc=example,dc=tld

I think the next steps would be:

1) Open a ticket for this RFE and describe the use case and need there.
2) Create a design page on the wiki. It should not be long, but I suspect
   several paragraphs would help others to understand what is going on
   under the hood. The page would cover command line parameters, their
   use, authentication, examples of scripts, etc. Though maybe instead of
   a script as an argument the command would allow piped output to a
   script. Just a thought... This is exactly the thing that should be
   discussed during a design review.
3) Send the design for review.

Based on the design discussion it would become clearer what needs to
change (if anything) for the tool to be accepted.

Thanks again for the contribution! I think we have a huge lack of good
reporting tools in FreeIPA. Would be great if someone can make a dent at
them some day: https://fedorahosted.org/freeipa/ticket/3024

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Include proposal to contrib (expired user accounts query tool)
Hi,

On 14 November 2013 21:06, Dmitri Pal <d...@redhat.com> wrote:
> A quick look at the tool's command line indicates that it is probably
> not using any of the IPA framework and rather goes over LDAP. I am not
> sure that this is the best approach, let us discuss...

Could you please point me towards some documentation on how to implement
this tool with the IPA framework, or should I just go and read some
code? :)

--
Antti Peltonen | Homo sapiens | planet Earth
blog http://bcow.me | email antti.peltonen@iki.fi
irc bcow@IRCNet,Freenode