[Freeipa-devel] Include proposal to contrib (expired user accounts query tool)

Alexander Bokovoy abokovoy at redhat.com
Fri Nov 15 08:22:54 UTC 2013


On Fri, 15 Nov 2013, Antti Peltonen wrote:
>Hi,
>
>On 14 November 2013 21:06, Dmitri Pal <dpal at redhat.com> wrote:
>
>> A quick look at the tool's command line indicates that it is probably not
>> using any of the IPA framework and rather goes over LDAP. I am not sure
>> that this is the best approach, let us discuss...
>
>Could you please point me towards some documentation on how to implement
>this tool with the IPA framework, or should I just go and read some code? :)
You can start with http://abbra.fedorapeople.org/guide.html

Attached is a simple rewrite of your code that I did in ~30 minutes or
so. Just drop it into ipalib/plugins (/usr/lib/python2.7/site-packages/ipalib/plugins/user_addon.py on my
Fedora 19 VM) and restart the server. There is a lot to polish there
(unrelated options need to be masked/removed, better handling of expire
option, etc.) but it works by providing you a list of users whose passwords
did expire:

$ LANG=en_US.utf8 ipa user-find-expire  --expire=20150201000000
-----------------
1 account matched
-----------------
   User login: admin
   Full name: Administrator
   Expire date: 20140211151057Z
----------------------------
Number of entries returned 1
----------------------------

Also worth noting, the way the IPA framework is built, the same file must
be present at the client where the 'ipa' utility is being run -- we do so by
packaging all ipalib/plugins/* to a freeipa-python subpackage and then
freeipa-admintools simply requiring it.


-- 
/ Alexander Bokovoy
-------------- next part --------------
from ipalib.plugins.baseldap import *
from ipalib import api, errors
from ipalib import Str
from ipalib import _, ngettext
import datetime

class user_find_expire(LDAPSearch):
    __doc__ = _('Search for expiring accounts.')

    msg_summary = ngettext(
        '%(count)d account matched', '%(count)d accounts matched', 0
    )
    takes_options = LDAPSearch.takes_options + (
        Str('krbpasswordexpiration?',
            cli_name='expire',
            label=_('Expire date'),
            doc=_('Password expiration date, YYYYMMDDHHMMSS'),
        ),
    )
    has_output_params = LDAPSearch.has_output_params

    def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
        assert isinstance(base_dn, DN)

        if not ('krbpasswordexpiration' in options):
            # The filter below labels the timestamp as Zulu (UTC), so take "now" in UTC
            expire = datetime.datetime.utcnow()
        else:
            exp = options['krbpasswordexpiration']
            if exp.lower() == u'now':
                expire = datetime.datetime.utcnow()
            else:
                try:
                    expire = datetime.datetime.strptime(exp, '%Y%m%d%H%M%S')
                except ValueError:
                    raise errors.ValidationError(name='expire', error=_('Date cannot be parsed'))
        # The timestamp is re-serialized from the parsed datetime, so the raw
        # option text never reaches the LDAP filter string
        custom_filter = '(&(objectclass=posixAccount)' \
                          '(objectClass=krbPrincipalAux)' \
                          '(krbPasswordExpiration<={zulu})' \
                        ')'.format(zulu=expire.strftime("%Y%m%d%H%M%SZ"))

        # Remove everything from the pre-populated attrs_list (in place, since
        # the caller holds the same list), then set own view of it
        del attrs_list[:]
        attrs_list.extend(['uid', 'cn', 'displayname', 'mail', 'krbpasswordexpiration'])
        return (
            ldap.combine_filters((custom_filter, filter), rules=ldap.MATCH_ALL),
            base_dn, ldap.SCOPE_ONELEVEL
        )

api.register(user_find_expire)
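
The message lists "better handling of expire option" as remaining polish. The following is an added example, not part of the original attachment or of FreeIPA: a stand-alone Python 3 sketch of stricter --expire parsing and the resulting filter, checked against constructed entries. The names parse_expire, expired_filter, expired_uids and SAMPLE are hypothetical, and no ipalib or LDAP server is assumed.

```python
import datetime

GT_FORMAT = "%Y%m%d%H%M%S"  # same layout the plugin's --expire option documents


def parse_expire(value=None, now=None):
    """Return a naive UTC datetime for 'now', None, or YYYYMMDDHHMMSS[Z]."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if value is None or value.strip().lower() == "now":
        return now
    text = value.strip()
    if text[-1:] in ("Z", "z"):
        text = text[:-1]
    # strptime alone tolerates short fields, so pin the shape first
    if len(text) != 14 or not text.isdigit():
        raise ValueError("expire must be 'now' or YYYYMMDDHHMMSS")
    return datetime.datetime.strptime(text, GT_FORMAT)  # ValueError on month 13


def expired_filter(expire):
    """Build the LDAP filter from a parsed datetime only, never from raw input."""
    zulu = expire.strftime(GT_FORMAT) + "Z"
    return ("(&(objectClass=posixAccount)(objectClass=krbPrincipalAux)"
            "(krbPasswordExpiration<=%s))" % zulu)


def expired_uids(entries, expire):
    """Apply the same <= comparison locally to constructed entries."""
    hits = []
    for entry in entries:
        stamp = parse_expire(entry["krbpasswordexpiration"])
        if stamp <= expire:
            hits.append(entry["uid"])
    return hits


# Constructed sample entries; only the admin value comes from the output above.
SAMPLE = [
    {"uid": "admin", "krbpasswordexpiration": "20140211151057Z"},
    {"uid": "alice", "krbpasswordexpiration": "20150301000000Z"},
]

if __name__ == "__main__":
    cutoff = parse_expire("20150201000000")
    print(expired_filter(cutoff))
    print(expired_uids(SAMPLE, cutoff))
```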

