Re: [Freeipa-users] How can I change my password from a python script?
On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.
>
> ISSUE #1
> The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I log in. My goal is to set up a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?
>
> ssh user5@cuthbert
> user5@cuthbert's password:
> Password expired. Change your password now.
> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user user5.
> Current Password:
> New password:
> Retype new password:
> passwd: all authentication tokens updated successfully.
> Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't think this can be turned off.

You can use an attached Python function which can be used to change (reset) user password via web interface. Normally, this backend is used by Web UI users with expired password to be able to reset it. You could use it for the same purpose from the script (function) I attached.

> ISSUE #2
> The second issue is really more of a question. I need to add these users to groups. My guess is that I need to set up a similar call using the 'group_add' command. Is that right? If so, do you have an example that I could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
            'objectclass': (u'top',
                            u'groupofnames',
                            u'nestedgroup',
                            u'ipausergroup',
                            u'ipaobject',
                            u'posixgroup')},
 'summary': u'Added group foogroup',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

> ISSUE #3
> The third and final issue is that I get a traceback from what appears to be the validation in the batch command. How can I correct that?
>
> Traceback (most recent call last):
>   File "./u1.py", line 35, in <module>
>     result = api.Command['batch'](*add_cmds)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>     self.validate_output(ret)
>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>     nice, o.name, o.type, type(value), value)
> TypeError: batch.validate_output(): output['results']: need <type 'list'>; got <type 'tuple'>: ({'summary': u'Added user user5', 'result': {'dn': u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True, 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass': (u'top', u'person', u'organizationalperson', u'inetorgperson', u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',), 'has_password': True, 'sn': (u'last',), 'homedirectory': (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname': (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first last',), 'gecos': (u'first last',), 'ipauniqueid': (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error': None},)

You may just have found a bug. Batch command is not normally executed from XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using simple command, I think it's easier to read and code.

Martin

#!/usr/bin/python

import socket
import sys
import pycurl
import urllib

DEBUG=True

def change_password(hostname, user, old_password, new_password):
    url =
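Added example (not from the thread and not FreeIPA's own code), written for Python 3 so it runs stand-alone: it checks the per-entry 'error' field of a batch reply, the 'failed' map of a group_add_member reply and the membership reported by group_show, and masks password fields before a reply is logged. The sample replies are constructed from the shapes quoted above; the (name, reason) layout of a failed member and the error text are assumptions.

```python
# Added example: inspect FreeIPA API replies before trusting a bulk run.
# Sample replies are constructed, modelled on the output quoted in this
# thread; no IPA server is contacted.

SECRET_KEYS = frozenset(['userpassword', 'randompassword'])


def batch_outcomes(reply):
    """Return (added, failed) for a 'batch' reply.

    reply['results'] is treated as any sequence: the thread's traceback shows
    it arriving as a tuple where the 2.1.3 validator wanted a list.
    Each entry carries 'error' (None on success), as in the quoted output.
    """
    added, failed = [], []
    for index, entry in enumerate(reply.get('results', ())):
        error = entry.get('error')
        if error:
            failed.append((index, str(error)))  # index maps back to the request
        else:
            added.append(entry['value'])
    return added, failed


def failed_members(reply):
    """Flatten reply['failed'] from group_add_member to (kind, name, reason).

    Assumption: each failure is a (name, reason) pair; the thread only shows
    the empty case, 'failed': {'member': {'group': (), 'user': ()}}.
    """
    problems = []
    for kinds in reply.get('failed', {}).values():
        for kind, entries in kinds.items():
            for name, reason in entries:
                problems.append((kind, name, reason))
    return sorted(problems)


def missing_members(show_reply, expected_users):
    """Compare group_show's member_user with the users that should be there."""
    present = set(show_reply['result'].get('member_user', ()))
    return sorted(set(expected_users) - present)


def redact(value):
    """Copy a reply with password fields masked, so it is safe to log."""
    if isinstance(value, dict):
        return dict((k, '<redacted>' if k in SECRET_KEYS else redact(v))
                    for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


# Constructed sample replies (values are illustrative, not real output).
SAMPLE_BATCH = {
    'count': 2,
    'results': (  # a tuple on purpose, as in the traceback
        {'summary': 'Added user user5',
         'result': {'uid': ('user5',),
                    'randompassword': 'constructed-secret'},
         'value': 'user5',
         'error': None},
        {'error': 'user with name "user5" already exists'},
    ),
}

SAMPLE_GROUP_ADD = {
    'completed': 1,
    'failed': {'member': {'group': (),
                          'user': (('nouser', 'no such entry'),)}},
    'result': {'cn': ('foogroup',), 'member_user': ('admin',)},
}

SAMPLE_GROUP_SHOW = {
    'result': {'cn': ('foogroup',), 'member_user': ('admin',)},
    'summary': None,
    'value': 'foogroup',
}


if __name__ == '__main__':
    added, failed = batch_outcomes(SAMPLE_BATCH)
    print('added: %r' % (added,))
    print('failed: %r' % (failed,))
    print('member failures: %r' % (failed_members(SAMPLE_GROUP_ADD),))
    print('missing: %r' % (missing_members(SAMPLE_GROUP_SHOW,
                                           ['admin', 'user5']),))
    print('loggable: %r' % (redact(SAMPLE_BATCH['results'][0]),))
```
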
Re: [Freeipa-users] How can I change my password from a python script?
Hi Martin:

Thank you. This is very helpful. I am going to try the group functions tomorrow morning (PST).

Regards,
Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, June 29, 2012 12:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?
Re: [Freeipa-users] How can I change my password from a python script?
On Fri, 29 Jun 2012, Martin Kosek wrote:
> On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
>> Hi Petr:
>>
>> I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.
>>
>> ISSUE #1
>> The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I log in. My goal is to set up a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?
>>
>> ssh user5@cuthbert
>> user5@cuthbert's password:
>> Password expired. Change your password now.
>> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>> WARNING: Your password has expired.
>> You must change your password now and login again!
>> Changing password for user user5.
>> Current Password:
>> New password:
>> Retype new password:
>> passwd: all authentication tokens updated successfully.
>> Connection to cuthbert closed.
>
> Hi Joe,
>
> This is a security measure, somebody else may correct me, but I don't think this can be turned off.
>
> You can use an attached Python function which can be used to change (reset) user password via web interface. Normally, this backend is used by Web UI users with expired password to be able to reset it. You could use it for the same purpose from the script (function) I attached.

What you can do is to change the same password as a user -- given that these are test configurations, you can:

0. Change minimum acceptable password lifetime to 0
   ipa pwpolicy-mod --minlife=0
1. Add all users, note their passwords
2. For each user:
   2.1. kinit user
   2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
   2.3. kdestroy

This way you'll get passwords set back as those users.

Or use the script that Martin provided.

>> ISSUE #2
>> The second issue is really more of a question. I need to add these users to groups. My guess is that I need to set up a similar call using the 'group_add' command. Is that right? If so, do you have an example that I could follow?
>
> You can try this one:
>
> pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
> {'result': {'cn': (u'foogroup',),
>             'description': (u'foo group',),
>             'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>             'gidnumber': (u'4800015',),
>             'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
>             'objectclass': (u'top',
>                             u'groupofnames',
>                             u'nestedgroup',
>                             u'ipausergroup',
>                             u'ipaobject',
>                             u'posixgroup')},
>  'summary': u'Added group foogroup',
>  'value': u'foogroup'}
>
> pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
> {'completed': 1,
>  'failed': {'member': {'group': (), 'user': ()}},
>  'result': {'cn': (u'foogroup',),
>             'description': (u'foo group',),
>             'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>             'gidnumber': (u'4800015',),
>             'member_user': (u'admin',)}}
>
> pprint(api.Command['group_show'](u'foogroup'))
> {'result': {'cn': (u'foogroup',),
>             'description': (u'foo group',),
>             'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>             'gidnumber': (u'4800015',),
>             'member_user': (u'admin',)},
>  'summary': None,
>  'value': u'foogroup'}
>
>> ISSUE #3
>> The third and final issue is that I get a traceback from what appears to be the validation in the batch command. How can I correct that?
>>
>> Traceback (most recent call last):
>>   File "./u1.py", line 35, in <module>
>>     result = api.Command['batch'](*add_cmds)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>>     self.validate_output(ret)
>>   File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>>     nice, o.name, o.type, type(value), value)
>> TypeError: batch.validate_output(): output['results']: need <type 'list'>; got <type 'tuple'>:

Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.

> You may just have found a bug. Batch command is not normally executed from XML-RPC, there may be an issue. We will investigate it.

Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it is fixed already.

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] How can I change my password from a python script?
IMHO, 2.1.3 -> 2.2 upgrade should be safe, although I don't know if something was changed in CentOS compared to RHEL where this should just work.

Btw there is one thing I just realized, you will probably have to go with Alexander's approach as the password expiration backend is available in GIT in master branch only, i.e. in future IPA 3.0.

Martin

On Fri, 2012-06-29 at 00:33 -0700, Joe Linoff wrote:
> Hi Alexander:
>
> Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.
>
> Regards,
> Joe
>
> -----Original Message-----
> From: Alexander Bokovoy [mailto:aboko...@redhat.com]
> Sent: Friday, June 29, 2012 12:31 AM
> To: Martin Kosek
> Cc: Joe Linoff; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] How can I change my password from a python script?
>
> On Fri, 29 Jun 2012, Martin Kosek wrote:
>> On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
>>> Hi Petr:
>>>
>>> I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.
>>>
>>> ISSUE #1
>>> The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I log in. My goal is to set up a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?
>>>
>>> ssh user5@cuthbert
>>> user5@cuthbert's password:
>>> Password expired. Change your password now.
>>> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>>> WARNING: Your password has expired.
>>> You must change your password now and login again!
>>> Changing password for user user5.
>>> Current Password:
>>> New password:
>>> Retype new password:
>>> passwd: all authentication tokens updated successfully.
>>> Connection to cuthbert closed.
>>
>> Hi Joe,
>>
>> This is a security measure, somebody else may correct me, but I don't think this can be turned off.
Re: [Freeipa-users] How can I change my password from a python script?
On Fri, 29 Jun 2012, Joe Linoff wrote:
> Hi Alexander:
>
> Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.

I haven't used CentOS 6.2 so I cannot suggest anything on this front.

--
/ Alexander Bokovoy
Re: [Freeipa-users] How can I change my password from a python script?
Hi Rob:

This is so only the end-user knows the password. That makes good sense.

Your suggestions will help me in my test environment.

Thanks,
Joe

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Friday, June 29, 2012 8:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

Joe Linoff wrote:
> Hi Petr:
>
> I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.
>
> ISSUE #1
> The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I log in. My goal is to set up a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?

This is so only the end-user knows the password.

You can add the DN of the user you are changing passwords with to a list of users who are exempt from password policy. Think carefully about what user you add to this list, you may not want to use the admin user.

Add the DN to the passSyncManagersDNs attribute in the entry cn=ipa_pwd_extop,cn=plugins,cn=config

rob
Re: [Freeipa-users] How can I change my password from a python script?
On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:

A batch command might be useful for this case.

Example (note that I'm not a python guy):

#!/usr/bin/env python

import pprint
from ipalib import api

# Bootstrap
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Prepare request
users = [
    (u'Foo', u'Bar', u'f...@foo.baz', u'psw1', u'Sales guy'),
    (u'John', u'Doe', u'j...@foo.baz', u'psw2', u'Tech guy'),
]

add_commands = []
for user in users:
    (firstname, surname, email, psw, desc) = user
    add_commands.append({
        "method": 'user_add',
        "params": [
            [],
            {
                "givenname": firstname,
                "sn": surname,
                "mail": email,
                "userpassword": psw,
                "setattr": "description='" + desc + "'"
            },
        ],
    })

# Execute as batch
result = api.Command['batch'](*add_commands)

# Print
pp = pprint.PrettyPrinter()
pp.pprint(result)

> #!/bin/bash
> # Script to create a new user.
> ipa user-add bigbob \
>     --email=b...@bigbobsemporium.com \
>     --first=Bob \
>     --last=Bigg \
>     --password \
>     --setattr=description='The sales guy.' <<-EOF
> b1gB0bsTmpPwd
> b1gB0bsTmpPwd
> EOF
>
> However, I am a python guy and would like to use it instead. I am sure that I can do a similar thing using pexpect in python. Probably something like this:
>
> # This code has not been tested. It is only for a thought experiment.
> # Add a user and enter the password using pexpect.
> import sys
> import pexpect
>
> # The --email value is cut off in the archived message.
> cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.' "
> cmd += "--first=Bob --last=Bigg --password "
> cmd += "--setattr=description='The sales guy.'"
> rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
> c = pexpect.spawn(cmd, timeout=None)
> i = c.expect(rets)
> if i == 0:  # Password
>     c.sendline('b1gB0bsTmpPwd')
>     i = c.expect(rets)
>     if i == 1:  # Enter Password again to verify
>         c.sendline('b1gB0bsTmpPwd')
>         i = c.expect(rets)
>         if i == 2:
>             print 'SUCCESS'
>         else:
>             sys.exit('ERROR: something bad happened #1')
>     else:
>         sys.exit('ERROR: something bad happened #2')
> else:
>     sys.exit('ERROR: something bad happened #3')
>
> But I was wondering whether there was a better way using the IPA API. Is there a way for me to do that?
>
> Any help or insights would be greatly appreciated.
>
> Thanks,
> Joe

--
Petr Vobornik
Re: [Freeipa-users] How can I change my password from a python script?
On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:
>
> #!/bin/bash
> # Script to create a new user.
> ipa user-add bigbob \
>     --email=b...@bigbobsemporium.com \
>     --first=Bob \
>     --last=Bigg \
>     --password \
>     --setattr=description='The sales guy.' <<-EOF
> b1gB0bsTmpPwd
> b1gB0bsTmpPwd
> EOF
>
> However, I am a python guy and would like to use it instead. I am sure that I can do a similar thing using pexpect in python. Probably something like this:
>
> # This code has not been tested. It is only for a thought experiment.
> # Add a user and enter the password using pexpect.
> import sys
> import pexpect
>
> # The --email value is cut off in the archived message.
> cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.' "
> cmd += "--first=Bob --last=Bigg --password "
> cmd += "--setattr=description='The sales guy.'"
> rets = ['Password', 'Enter Password again to verify', pexpect.EOF, pexpect.TIMEOUT]
> c = pexpect.spawn(cmd, timeout=None)
> i = c.expect(rets)
> if i == 0:  # Password
>     c.sendline('b1gB0bsTmpPwd')
>     i = c.expect(rets)
>     if i == 1:  # Enter Password again to verify
>         c.sendline('b1gB0bsTmpPwd')
>         i = c.expect(rets)
>         if i == 2:
>             print 'SUCCESS'
>         else:
>             sys.exit('ERROR: something bad happened #1')
>     else:
>         sys.exit('ERROR: something bad happened #2')
> else:
>     sys.exit('ERROR: something bad happened #3')
>
> But I was wondering whether there was a better way using the IPA API. Is there a way for me to do that?
>
> Any help or insights would be greatly appreciated.
>
> Thanks,
> Joe

Hello Joe,

if you don't want to use batch command as Petr suggested you can try the following example. It also uses --random option available in recent FreeIPA version to let FreeIPA handle the password generation:

# cat add-users.py
#!/usr/bin/env python

from ipalib import api

api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

for i in xrange(5):
    login = u'user%d' % i
    result = api.Command['user_add'](login, givenname=u'Test', \
                                     sn=u'User #%d' % i, random=True)
    password = result['result']['randompassword']
    print "Created user '%s' with password '%s'" % (login, password)

When I execute it:

# ./add-users.py
Created user 'user0' with password 'EvzY+Of5pk@+'
Created user 'user1' with password 'kyRHb9RMFzBO'
Created user 'user2' with password 'u2mt_oGU_UIX'
Created user 'user3' with password 'Lm6ONeErNFgz'
Created user 'user4' with password 'AS=EeFozvbE-'

HTH,
Martin
Re: [Freeipa-users] How can I change my password from a python script?
Hi Martin:

Thank you once again for your excellent insights. I really appreciate your help. FreeIPA is really impressive.

Regards,
Joe

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Thursday, June 28, 2012 1:46 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?
Re: [Freeipa-users] How can I change my password from a python script?
Hi Petr:

I implemented what you suggested and everything worked pretty well but I ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only temporary. I am prompted to reset it the first time that I log in. My goal is to set up a working system quickly to test different configurations in a batch fashion but having to reset the password for each user makes that challenging. How can I disable the reset requirement for my test environment?

ssh user5@cuthbert
user5@cuthbert's password:
Password expired. Change your password now.
Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user5.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to cuthbert closed.

ISSUE #2
The second issue is really more of a question. I need to add these users to groups. My guess is that I need to set up a similar call using the 'group_add' command. Is that right? If so, do you have an example that I could follow?

ISSUE #3
The third and final issue is that I get a traceback from what appears to be the validation in the batch command. How can I correct that?

Traceback (most recent call last):
  File "./u1.py", line 35, in <module>
    result = api.Command['batch'](*add_cmds)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
    self.validate_output(ret)
  File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
    nice, o.name, o.type, type(value), value)
TypeError: batch.validate_output(): output['results']: need <type 'list'>; got <type 'tuple'>: ({'summary': u'Added user user5', 'result': {'dn': u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True, 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass': (u'top', u'person', u'organizationalperson', u'inetorgperson', u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber': (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',), 'has_password': True, 'sn': (u'last',), 'homedirectory': (u'/home/user5',), 'mail': (u'us...@example.com',), 'krbprincipalname': (u'us...@example.com',), 'givenname': (u'first',), 'cn': (u'first last',), 'gecos': (u'first last',), 'ipauniqueid': (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error': None},)

Regards,
Joe

-----Original Message-----
From: Petr Vobornik [mailto:pvobo...@redhat.com]
Sent: Thursday, June 28, 2012 1:32 AM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
> I need to add a lot of users to an LDAP system for testing and I would like to do it in batch mode. For my small tests I have been doing something like this:

A batch command might be useful for this case.