Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
 Hi Petr:
 
 I implemented what you suggested and everything worked pretty well but I
 ran into three issues that you might be able to help me with.
 
 ISSUE #1
 The first issue (and the most important) is that the password is only
 temporary. I am prompted to reset it the first time that I login. My
 goal is to setup a working system quickly to test different
 configurations in a batch fashion but having to reset the password for
 each user makes that challenging. How can I disable the reset
 requirement for my test environment?
 
 ssh user5@cuthbert
 user5@cuthbert's password: 
 Password expired. Change your password now.
 Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
 WARNING: Your password has expired.
 You must change your password now and login again!
 Changing password for user user5.
 Current Password: 
 New password: 
 Retype new password: 
 passwd: all authentication tokens updated successfully.
 Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't
think this can be turned off. You can use an attached Python function
which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to
be able to reset it. You could use it for the same purpose from the
script (function) I attached.

 
 ISSUE #2
 The second issue is really more of a question. I need to add these users
 to groups. My guess is that I need to setup a similar call using the
 'group_add' command. Is that right? If so, do you have an example that I
 could follow? 

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
'objectclass': (u'top',
u'groupofnames',
u'nestedgroup',
u'ipausergroup',
u'ipaobject',
u'posixgroup')},
 'summary': u'Added group foogroup',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

 
 ISSUE #3
 The third and final issue is that I get a traceback from what appears
 to be the validation in the batch command. How can I correct that?
 
 Traceback (most recent call last):
   File "./u1.py", line 35, in <module>
     result = api.Command['batch'](*add_cmds)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
     self.validate_output(ret)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
     nice, o.name, o.type, type(value), value)
 TypeError: batch.validate_output():
   output['results']: need type 'list'; got type 'tuple':
 ({'summary': u'Added user user5', 'result': {'dn':
 u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
 (u'top', u'person', u'organizationalperson', u'inetorgperson',
 u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
 u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
 (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
 'has_password': True, 'sn': (u'last',), 'homedirectory':
 (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname':
 (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first
 last',), 'gecos': (u'first last',), 'ipauniqueid':
 (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
 None},)

You may just have found a bug. Batch command is not normally executed
from XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using simple commands, I think it's easier to
read and code.

Martin

#!/usr/bin/python
import socket
import sys
import pycurl
import urllib

DEBUG=True

def change_password(hostname, user, old_password, new_password):
url = 

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Joe Linoff
Hi Martin:

Thank you. This is very helpful.

I am going to try the group functions tomorrow morning (PST).

Regards,

Joe

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Friday, June 29, 2012 12:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
 Hi Petr:
 
 I implemented what you suggested and everything worked pretty well but 
 I ran into three issues that you might be able to help me with.
 
 ISSUE #1
 The first issue (and the most important) is that the password is only 
 temporary. I am prompted to reset it the first time that I login. My 
 goal is to setup a working system quickly to test different 
 configurations in a batch fashion but having to reset the password for 
 each user makes that challenging. How can I disable the reset 
 requirement for my test environment?
 
 ssh user5@cuthbert
 user5@cuthbert's password: 
 Password expired. Change your password now.
 Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
 WARNING: Your password has expired.
 You must change your password now and login again!
 Changing password for user user5.
 Current Password: 
 New password: 
 Retype new password: 
 passwd: all authentication tokens updated successfully.
 Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't think 
this can be turned off. You can use an attached Python function which can be 
used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to be able 
 to reset it. You could use it for the same purpose from the script 
(function) I attached.

 
 ISSUE #2
 The second issue is really more of a question. I need to add these 
 users to groups. My guess is that I need to setup a similar call using 
 the 'group_add' command. Is that right? If so, do you have an example 
 that I could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
'objectclass': (u'top',
u'groupofnames',
u'nestedgroup',
u'ipausergroup',
u'ipaobject',
u'posixgroup')},
 'summary': u'Added group foogroup',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
'description': (u'foo group',),
'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'gidnumber': (u'4800015',),
'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

 
 ISSUE #3
 The third and final issue is that I get a traceback from what 
 appears to be the validation in the batch command. How can I correct that?
 
 Traceback (most recent call last):
   File "./u1.py", line 35, in <module>
     result = api.Command['batch'](*add_cmds)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
     self.validate_output(ret)
   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
     nice, o.name, o.type, type(value), value)
 TypeError: batch.validate_output():
   output['results']: need type 'list'; got type 'tuple':
 ({'summary': u'Added user user5', 'result': {'dn':
 u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': 
 True,
 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
 (u'top', u'person', u'organizationalperson', u'inetorgperson', 
 u'inetuser', u'posixaccount', u'krbprincipalaux', 
 u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 
 'uidnumber':
 (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
 'has_password': True, 'sn': (u'last',), 'homedirectory':
 (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname':
 (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first 
 last',), 'gecos': (u'first last',), 'ipauniqueid':
 (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
 None},)

You may

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy

On Fri, 29 Jun 2012, Martin Kosek wrote:

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:

Hi Petr:

I implemented what you suggested and everything worked pretty well but I
ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only
temporary. I am prompted to reset it the first time that I login. My
goal is to setup a working system quickly to test different
configurations in a batch fashion but having to reset the password for
each user makes that challenging. How can I disable the reset
requirement for my test environment?

ssh user5@cuthbert
user5@cuthbert's password:
Password expired. Change your password now.
Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user5.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to cuthbert closed.


Hi Joe,

This is a security measure, somebody else may correct me, but I don't
think this can be turned off. You can use an attached Python function
which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with expired password to
be able to reset it. You could use it for the same purpose from the
script (function) I attached.

What you can do is to change the same password as a user -- given that
these are test configurations, you can:
0. Change minimum acceptable password lifetime to 0
   ipa pwpolicy-mod  --minlife=0
1. Add all users, note their passwords
2. For each user:
2.1. kinit user
2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
2.3. kdestroy


This way you'll get passwords set back as those users. Or use the script
that Martin provided.




ISSUE #2
The second issue is really more of a question. I need to add these users
to groups. My guess is that I need to setup a similar call using the
'group_add' command. Is that right? If so, do you have an example that I
could follow?


You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
   'description': (u'foo group',),
   'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
   'gidnumber': (u'4800015',),
   'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
   'objectclass': (u'top',
   u'groupofnames',
   u'nestedgroup',
   u'ipausergroup',
   u'ipaobject',
   u'posixgroup')},
'summary': u'Added group foogroup',
'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
'failed': {'member': {'group': (), 'user': ()}},
'result': {'cn': (u'foogroup',),
   'description': (u'foo group',),
   'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
   'gidnumber': (u'4800015',),
   'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
   'description': (u'foo group',),
   'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
   'gidnumber': (u'4800015',),
   'member_user': (u'admin',)},
'summary': None,
'value': u'foogroup'}



ISSUE #3
The third and final issue is that I get a traceback from what appears
to be the validation in the batch command. How can I correct that?

Traceback (most recent call last):
  File "./u1.py", line 35, in <module>
    result = api.Command['batch'](*add_cmds)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
    self.validate_output(ret)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
    nice, o.name, o.type, type(value), value)
TypeError: batch.validate_output():
  output['results']: need type 'list'; got type 'tuple':

Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed
in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.


You may just have found a bug. Batch command is not normally executed
from XML-RPC, there may be an issue. We will investigate it.

Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it
is fixed already.


--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Martin Kosek
IMHO, 2.1.3 - 2.2 upgrade should be safe, although I don't know if
something was changed in CentOS compared to RHEL where this should just
work.

Btw there is one thing I just realized, you will probably have to go
with Alexander's approach as the password expiration backend is
available in GIT in master branch only, i.e. in future IPA 3.0.

Martin

On Fri, 2012-06-29 at 00:33 -0700, Joe Linoff wrote:
 Hi Alexander:
 
 Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a
 CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.
 
 Regards,
 
 Joe
 
 -Original Message-
 From: Alexander Bokovoy [mailto:aboko...@redhat.com] 
 Sent: Friday, June 29, 2012 12:31 AM
 To: Martin Kosek
 Cc: Joe Linoff; freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] How can I change my password from a python
 script?
 
 On Fri, 29 Jun 2012, Martin Kosek wrote:
 On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
  Hi Petr:
 
  I implemented what you suggested and everything worked pretty well 
  but I ran into three issues that you might be able to help me with.
 
  ISSUE #1
  The first issue (and the most important) is that the password is only
 
  temporary. I am prompted to reset it the first time that I login. My 
  goal is to setup a working system quickly to test different 
  configurations in a batch fashion but having to reset the password 
  for each user makes that challenging. How can I disable the reset 
  requirement for my test environment?
 
  ssh user5@cuthbert
  user5@cuthbert's password:
  Password expired. Change your password now.
  Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user user5.
  Current Password:
  New password:
  Retype new password:
  passwd: all authentication tokens updated successfully.
  Connection to cuthbert closed.
 
 Hi Joe,
 
 This is a security measure, somebody else may correct me, but I don't 
 think this can be turned off. You can use an attached Python function 
 which can be used to change (reset) user password via web interface.
 Normally, this backend is used by Web UI users with expired password to
 
 be able to reset it. You could use it for the same purpose from the 
 script (function) I attached.
 What you can do is to change the same password as a user -- given that
 these are test configurations, you can:
 0. Change minimum acceptable password lifetime to 0
 ipa pwpolicy-mod  --minlife=0
 1. Add all users, note their passwords
 2. For each user:
 2.1. kinit user
 2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
 2.3. kdestroy
 
 This way you'll get passwords set back as those users. Or use the script
 that Martin provided.
 
 
 
  ISSUE #2
  The second issue is really more of a question. I need to add these 
  users to groups. My guess is that I need to setup a similar call 
  using the 'group_add' command. Is that right? If so, do you have an 
  example that I could follow?
 
 You can try this one:
 
 pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
 {'result': {'cn': (u'foogroup',),
 'description': (u'foo group',),
 'dn':
 u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om',
 'gidnumber': (u'4800015',),
 'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
 'objectclass': (u'top',
 u'groupofnames',
 u'nestedgroup',
 u'ipausergroup',
 u'ipaobject',
 u'posixgroup')},
  'summary': u'Added group foogroup',
  'value': u'foogroup'}
 
 pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
 {'completed': 1,
  'failed': {'member': {'group': (), 'user': ()}},
  'result': {'cn': (u'foogroup',),
 'description': (u'foo group',),
 'dn':
 u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om',
 'gidnumber': (u'4800015',),
 'member_user': (u'admin',)}}
 
 pprint(api.Command['group_show'](u'foogroup'))
 {'result': {'cn': (u'foogroup',),
 'description': (u'foo group',),
 'dn':
 u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c
 om',
 'gidnumber': (u'4800015',),
 'member_user': (u'admin',)},
  'summary': None,
  'value': u'foogroup'}
 
 
  ISSUE #3
  The third and final issue is that I get a traceback from what 
  appears to be the validation in the batch command. How can I correct
 that?
 
  Traceback (most recent call last):
File ./u1.py, line 35, in module
  result = api.Command['batch'](*add_cmds)
File /usr/lib/python2.6/site-packages/ipalib/frontend.py, 
  line 443, in __call__
  self.validate_output(ret

Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Alexander Bokovoy

On Fri, 29 Jun 2012, Joe Linoff wrote:

Hi Alexander:

Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a
CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.

I haven't used CentOS 6.2 so I cannot suggest anything on this front.


--
/ Alexander Bokovoy



Re: [Freeipa-users] How can I change my password from a python script?

2012-06-29 Thread Joe Linoff
Hi Rob:

 This is so only the end-user knows the password.

That makes good sense. 

Your suggestions will help me in my test environment.

Thanks,

Joe

-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Friday, June 29, 2012 8:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python
script?

Joe Linoff wrote:
 Hi Petr:

 I implemented what you suggested and everything worked pretty well but

 I ran into three issues that you might be able to help me with.

 ISSUE #1
 The first issue (and the most important) is that the password is only 
 temporary. I am prompted to reset it the first time that I login. My 
 goal is to setup a working system quickly to test different 
 configurations in a batch fashion but having to reset the password for

 each user makes that challenging. How can I disable the reset 
 requirement for my test environment?

This is so only the end-user knows the password.

You can add the DN of the user you are changing passwords with to a list
of users who are exempt from password policy.

Think carefully about what user you add to this list, you may not want
to use the admin user.

Add the DN to the passSyncManagersDNs attribute in the entry
cn=ipa_pwd_extop,cn=plugins,cn=config

rob



Re: [Freeipa-users] How can I change my password from a python script?

2012-06-28 Thread Petr Vobornik

On 06/28/2012 03:34 AM, Joe Linoff wrote:

Hi Everybody:



I need to add a lot of users to an LDAP system for testing and I would
like to do it in batch mode. For my small tests I have been doing
something like this:


A batch command might be useful for this case.

Example (note that I'm not a python guy):

#!/usr/bin/env python

import pprint
from ipalib import api

# Bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Prepare request

users = [
    (u'Foo', u'Bar', u'f...@foo.baz', u'psw1', u'Sales guy'),
    (u'John', u'Doe', u'j...@foo.baz', u'psw2', u'Tech guy'),
]

add_commands = []

for user in users:
    (firstname, surname, email, psw, desc) = user
    # One batch entry per user: method name plus [positional args, options]
    add_commands.append({
        "method": 'user_add',
        "params": [
            [],
            {
                "givenname": firstname,
                "sn": surname,
                "mail": email,
                "userpassword": psw,
                "setattr": "description='" + desc + "'"
            },
        ],
    })

# Execute as batch
result = api.Command['batch'](*add_commands)

# Print
pp = pprint.PrettyPrinter()
pp.pprint(result)





#!/bin/bash
# Script to create a new user.
ipa user-add bigbob \
    --email=b...@bigbobsemporium.com \
    --first=Bob \
    --last=Bigg \
    --password \
    --setattr=description='The sales guy.' <<-EOF
b1gB0bsTmpPwd
b1gB0bsTmpPwd
EOF

However, I am a Python guy and would like to use it instead. I am sure
that I can do a similar thing using pexpect in Python. Probably
something like this:



# This code has not been tested. It is only for a thought experiment.

# Add a user and enter the password using pexpect.

cmd = ipa user-add bigbob --email='bbob@BigBobsEmporium.

cmd +=  --first=Bob --last=Bigg --password 

cmd += --setattr=description='The sales guy.'

rets = ['Password', 'Enter Password again to verify', pexpect.EOF,
pexpect.TIMEOUT]

c = pexpect.spawn(cmd,timeout=None)

i = c.expect(rets)

if i == 0: # Password

 child.sendline('b1gB0bsTmpPwd')

 i = c.expect(rets)

if i  == 1: # Enter Password again to verify

 child.sendline('b1gB0bsTmpPwd')

 i = c.expect(rets)

 if  i  == 2:

print 'SUCCESS'

 else:

 sys.exit('ERROR: something bad happened #1')

 else:

 sys.exit('ERROR: something bad happened #2')

else:

 sys.exit('ERROR: something bad happened #3')



But I was wondering whether there was a better way using the IPA API. Is
there a way for me to do that?



Any help or insights would be greatly appreciated.


Thanks,



Joe





--
Petr Vobornik



Re: [Freeipa-users] How can I change my password from a python script?

2012-06-28 Thread Martin Kosek
On 06/28/2012 03:34 AM, Joe Linoff wrote:
 Hi Everybody:
 
  
 
 I need to add a lot of users to an LDAP system for testing and I would like to
 do it in batch mode. For my small tests I have been doing something like this:
 
 #!/bin/bash
 # Script to create a new user.
 ipa user-add bigbob \
     --email=b...@bigbobsemporium.com \
     --first=Bob \
     --last=Bigg \
     --password \
     --setattr=description='The sales guy.' <<-EOF
 b1gB0bsTmpPwd
 b1gB0bsTmpPwd
 EOF
 
 However, I am a Python guy and would like to use it instead. I am sure that I
 can do a similar thing using pexpect in Python. Probably something like this:
 
  
 
 # This code has not been tested. It is only for a thought experiment.
 
 # Add a user and enter the password using pexpect.
 
 cmd = ipa user-add bigbob --email='bbob@BigBobsEmporium.
 
 cmd +=  --first=Bob --last=Bigg --password 
 
 cmd += --setattr=description='The sales guy.'
 
 rets = ['Password', 'Enter Password again to verify', pexpect.EOF, 
 pexpect.TIMEOUT]
 
 c = pexpect.spawn(cmd,timeout=None)
 
 i = c.expect(rets)
 
 if i == 0: # Password
 
 child.sendline('b1gB0bsTmpPwd')
 
 i = c.expect(rets)
 
if i  == 1: # Enter Password again to verify
 
 child.sendline('b1gB0bsTmpPwd')
 
 i = c.expect(rets)
 
 if  i  == 2:
 
print 'SUCCESS'
 
 else:
 
 sys.exit('ERROR: something bad happened #1')
 
 else:
 
 sys.exit('ERROR: something bad happened #2')
 
 else:
 
 sys.exit('ERROR: something bad happened #3')
 
  
 
 But I was wondering whether there was a better way using the IPA API. Is there a
 way for me to do that?
 
  
 
 Any help or insights would be greatly appreciated.
 
 
 Thanks,
 
  
 
 Joe
 

Hello Joe,

if you don't want to use batch command as Petr suggested you can try the
following example. It also uses --random option available in recent FreeIPA
version to let FreeIPA handle the password generation:

# cat add-users.py
#!/usr/bin/env python

from ipalib import api

api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

for i in xrange(5):
    login = u'user%d' % i
    # random=True asks the server to generate the initial password
    result = api.Command['user_add'](login, givenname=u'Test',
                                     sn=u'User #%d' % i, random=True)
    password = result['result']['randompassword']
    print "Created user '%s' with password '%s'" % (login, password)


When I execute it:
# ./add-users.py
Created user 'user0' with password 'EvzY+Of5pk@+'
Created user 'user1' with password 'kyRHb9RMFzBO'
Created user 'user2' with password 'u2mt_oGU_UIX'
Created user 'user3' with password 'Lm6ONeErNFgz'
Created user 'user4' with password 'AS=EeFozvbE-'

HTH,
Martin
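
An added example, not code from this thread or from the FreeIPA project: the user_add call with random=True from Martin's script and the group_add_member reply shown in his later message, combined so that generated passwords go to an owner-only file instead of the terminal and the reply's 'failed' section is checked rather than assumed empty. It is written for Python 3; write_secrets, failed_members, provision and FakeApi are hypothetical names, and the (name, reason) shape of a failed entry is an assumption.

```python
import os
import stat
import tempfile


def write_secrets(path, credentials):
    """Store 'login password' lines in a new file only its owner can read."""
    # O_EXCL refuses to reuse an existing file; mode 0o600 applies at creation.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, 'w') as handle:
        for login in sorted(credentials):
            handle.write('%s %s\n' % (login, credentials[login]))


def failed_members(reply):
    """Flatten reply['failed'] into [(kind, name, reason), ...].

    An empty list means the server added every requested member.
    """
    problems = []
    by_kind = reply.get('failed', {}).get('member', {})
    for kind in sorted(by_kind):
        for entry in by_kind[kind]:
            # Assumption: each entry is a (name, reason) pair. The thread only
            # shows empty tuples here, so a bare name is accepted as well.
            if isinstance(entry, (tuple, list)) and len(entry) == 2:
                name, reason = entry
            else:
                name, reason = entry, 'unknown'
            problems.append((kind, name, reason))
    return problems


def provision(api, logins, group, secrets_path):
    """Create users with random=True, then add them to `group` in one call.

    Returns (created_logins, problems). Passwords are written to
    secrets_path and never printed.
    """
    credentials = {}
    for login in logins:
        result = api.Command['user_add'](
            login, givenname=u'Test', sn=u'User', random=True)
        credentials[login] = result['result']['randompassword']
    write_secrets(secrets_path, credentials)
    reply = api.Command['group_add_member'](group, user=sorted(credentials))
    return sorted(credentials), failed_members(reply)


class FakeApi(object):
    """Constructed stand-in for a connected ipalib api so this runs offline.

    Reply shapes follow the output quoted in the thread; values are made up.
    """

    def __init__(self, rejected=()):
        self.rejected = set(rejected)
        self.Command = {'user_add': self._user_add,
                        'group_add_member': self._group_add_member}

    def _user_add(self, login, **options):
        return {'result': {'uid': (login,),
                           'randompassword': u'constructed-%s' % login},
                'summary': u'Added user %s' % login,
                'value': login}

    def _group_add_member(self, group, user=()):
        bad = tuple((u, u'constructed error') for u in user
                    if u in self.rejected)
        good = tuple(u for u in user if u not in self.rejected)
        return {'completed': len(good),
                'failed': {'member': {'group': (), 'user': bad}},
                'result': {'cn': (group,), 'member_user': good}}


def demo():
    """Provision two constructed users; the fake server rejects one member."""
    path = os.path.join(tempfile.mkdtemp(), 'test-users.txt')
    api = FakeApi(rejected=[u'user1'])
    created, problems = provision(api, [u'user0', u'user1'], u'foogroup', path)
    return created, problems, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == '__main__':
    print(demo())
```

With a real server, pass the connected ipalib api object to provision() in place of FakeApi.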



Re: [Freeipa-users] How can I change my password from a python script?

2012-06-28 Thread Joe Linoff
Hi Martin:

Thank you once again for your excellent insights. I really appreciate
your help. FreeIPA is really impressive.

Regards,

Joe

-Original Message-
From: Martin Kosek [mailto:mko...@redhat.com] 
Sent: Thursday, June 28, 2012 1:46 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python
script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
 Hi Everybody:
 
  
 
 I need to add a lot of users to an LDAP system for testing and I would
 like to do it in batch mode. For my small tests I have been doing
 something like this:
 
 #!/bin/bash
 # Script to create a new user.
 ipa user-add bigbob \
     --email=b...@bigbobsemporium.com \
     --first=Bob \
     --last=Bigg \
     --password \
     --setattr=description='The sales guy.' <<-EOF
 b1gB0bsTmpPwd
 b1gB0bsTmpPwd
 EOF
 
 However, I am a Python guy and would like to use it instead. I am sure
 that I can do a similar thing using pexpect in Python. Probably
 something like this:
 
  
 
 # This code has not been tested. It is only for a thought experiment.
 
 # Add a user and enter the password using pexpect.
 
 cmd = ipa user-add bigbob --email='bbob@BigBobsEmporium.
 
 cmd +=  --first=Bob --last=Bigg --password 
 
 cmd += --setattr=description='The sales guy.'
 
 rets = ['Password', 'Enter Password again to verify', pexpect.EOF, 
 pexpect.TIMEOUT]
 
 c = pexpect.spawn(cmd,timeout=None)
 
 i = c.expect(rets)
 
 if i == 0: # Password
 
 child.sendline('b1gB0bsTmpPwd')
 
 i = c.expect(rets)
 
if i  == 1: # Enter Password again to verify
 
 child.sendline('b1gB0bsTmpPwd')
 
 i = c.expect(rets)
 
 if  i  == 2:
 
print 'SUCCESS'
 
 else:
 
 sys.exit('ERROR: something bad happened #1')
 
 else:
 
 sys.exit('ERROR: something bad happened #2')
 
 else:
 
 sys.exit('ERROR: something bad happened #3')
 
  
 
 But I was wondering whether there was a better way using the IPA API. Is 
 there a way for me to do that?
 
  
 
 Any help or insights would be greatly appreciated.
 
 
 Thanks,
 
  
 
 Joe
 

Hello Joe,

if you don't want to use batch command as Petr suggested you can try the
following example. It also uses --random option available in recent
FreeIPA version to let FreeIPA handle the password generation:

# cat add-users.py
#!/usr/bin/env python

from ipalib import api

api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

for i in xrange(5):
    login = u'user%d' % i
    # random=True asks the server to generate the initial password
    result = api.Command['user_add'](login, givenname=u'Test',
                                     sn=u'User #%d' % i, random=True)
    password = result['result']['randompassword']
    print "Created user '%s' with password '%s'" % (login, password)


When I execute it:
# ./add-users.py
Created user 'user0' with password 'EvzY+Of5pk@+'
Created user 'user1' with password 'kyRHb9RMFzBO'
Created user 'user2' with password 'u2mt_oGU_UIX'
Created user 'user3' with password 'Lm6ONeErNFgz'
Created user 'user4' with password 'AS=EeFozvbE-'

HTH,
Martin



Re: [Freeipa-users] How can I change my password from a python script?

2012-06-28 Thread Joe Linoff
Hi Petr:

I implemented what you suggested and everything worked pretty well but I
ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only
temporary. I am prompted to reset it the first time that I login. My
goal is to setup a working system quickly to test different
configurations in a batch fashion but having to reset the password for
each user makes that challenging. How can I disable the reset
requirement for my test environment?

ssh user5@cuthbert
user5@cuthbert's password: 
Password expired. Change your password now.
Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user5.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
Connection to cuthbert closed.

ISSUE #2
The second issue is really more of a question. I need to add these users
to groups. My guess is that I need to setup a similar call using the
'group_add' command. Is that right? If so, do you have an example that I
could follow? 

ISSUE #3
The third and final issue is that I get a traceback from what appears
to be the validation in the batch command. How can I correct that?

Traceback (most recent call last):
  File "./u1.py", line 35, in <module>
    result = api.Command['batch'](*add_cmds)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
    self.validate_output(ret)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
    nice, o.name, o.type, type(value), value)
TypeError: batch.validate_output():
  output['results']: need type 'list'; got type 'tuple':
({'summary': u'Added user user5', 'result': {'dn':
u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
(u'top', u'person', u'organizationalperson', u'inetorgperson',
u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
(u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
'has_password': True, 'sn': (u'last',), 'homedirectory':
(u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname':
(u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first
last',), 'gecos': (u'first last',), 'ipauniqueid':
(u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
None},)

Regards,

Joe

-Original Message-
From: Petr Vobornik [mailto:pvobo...@redhat.com] 
Sent: Thursday, June 28, 2012 1:32 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python
script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
 Hi Everybody:



 I need to add a lot of users to an LDAP system for testing and I would
 like to do it in batch mode. For my small tests I have been doing 
 something like this:

A batch command might be useful for this case.

Example (note that I'm not a python guy):

#!/usr/bin/env python

import pprint
from ipalib import api

# Bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Prepare request

users = [
    (u'Foo', u'Bar', u'f...@foo.baz', u'psw1', u'Sales guy'),
    (u'John', u'Doe', u'j...@foo.baz', u'psw2', u'Tech guy'),
]

add_commands = []

for user in users:
    (firstname, surname, email, psw, desc) = user
    # One batch entry per user: method name plus [positional args, options]
    add_commands.append({
        "method": 'user_add',
        "params": [
            [],
            {
                "givenname": firstname,
                "sn": surname,
                "mail": email,
                "userpassword": psw,
                "setattr": "description='" + desc + "'"
            },
        ],
    })

# Execute as batch
result = api.Command['batch'](*add_commands)

# Print
pp = pprint.PrettyPrinter()
pp.pprint(result)




 #!/bin/bash
 # Script to create a new user.
 ipa user-add bigbob \
     --email=b...@bigbobsemporium.com \
     --first=Bob \
     --last=Bigg \
     --password \
     --setattr=description='The sales guy.' <<-EOF
 b1gB0bsTmpPwd
 b1gB0bsTmpPwd
 EOF

 However, I am a Python guy and would like to use it instead. I am sure 
 that I can do a similar thing using pexpect in Python. Probably 
 something like this:



 # This code has not been tested. It is only for a thought experiment.

 # Add a user and enter the password using pexpect.

 cmd = ipa user-add bigbob --email='bbob@BigBobsEmporium.

 cmd +=  --first=Bob --last=Bigg --password 

 cmd += --setattr=description='The sales guy.'

 rets = ['Password', 'Enter Password again to verify', pexpect.EOF, 
 pexpect.TIMEOUT]

 c = pexpect.spawn(cmd,timeout=None)

 i = c.expect(rets)

 if i == 0: # Password

  child.sendline