[Freeipa-users] What is the best way to make batch changes to the LDAP?

Wed Jun 27 06:34:11 UTC 2012

On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
> 
>  
> 
> Here is a python approach that I am experimenting with based on reading the
> source code. It seems to work but it is re-entrant? Does this make sense? Is
> there a better way (like ldapmodify)?
> 
>  
> 
> #!/usr/bin/env python
> 
> #
> 
> # Emulate the ipa command line interface in a script so that
> 
> # to batch some updates.
> 
> #
> 
> import sys
> 
> import shlex
> 
> from ipalib import api, cli
> 
>  
> 
> # ================================================================
> 
> # bootstrap
> 
> # ================================================================
> 
> def bootstrap():
> 
>     """
> 
>     Bootstrap the script.
> 
>     I hope that all of this stuff is re-entrant.
> 
>     Also, api is defined in __init__.py.
> 
>     """
> 
>     api.bootstrap_with_global_options(context='cli')
> 
>     for klass in cli.cli_plugins:
> 
>         api.register(klass)
> 
>     api.load_plugins()
> 
>     api.finalize()
> 
>     if not 'config_loaded' in api.env:
> 
>         raise NotConfiguredError()
> 
>  
> 
> # ================================================================
> 
> # cmd
> 
> # ================================================================
> 
> def cmd(cmd):
> 
>     """
> 
>     Execute an IPA command.
> 
>     The command is entered as a string. I use shlex.split
> 
>     to break it into an args list.
> 
>     @param cmd The command to execute (as a string).
> 
>     """
> 
>     print
> 
>     print '# %s' % ('='*64)
> 
>     print '# CMD: %s' % (cmd)
> 
>     print '# %s' % ('='*64)
> 
>    args=shlex.split(cmd)
> 
>     api.Backend.cli.run(args)
> 
>  
> 
> if __name__ == '__main__':
> 
>     bootstrap()
> 
>  
> 
>     # Some test calls.
> 
>     cmd('help')
> 
>     cmd('help user')
> 
>     cmd('help user-mod')
> 
>  
> 
>     # Update the fields.
> 
>     users=['bob', 'carol', 'ted', 'alice']
> 
>     mod='--street="123 Main Street" --city="Anytown" --state="AK"
> --postalcode="12345"'
> 
>     for user in users:
> 
>         cmd('user-mod %s %s' % (user, mod))
> 
>  
> 
> Regards,
> 
>  
> 
> Joe
> 
>  
> 
> *From:*Joe Linoff
> *Sent:* Tuesday, June 26, 2012 3:04 PM
> *To:* freeipa-users at redhat.com
> *Cc:* Joe Linoff
> *Subject:* What is the best way to make batch changes to the LDAP?
> 
>  
> 
> Hi Everybody:
> 
>  
> 
> I need to change the mailing address information for a group of employees in
> the FreeIPA LDAP and would like to do it in a script. I know that I can do it
> using “ipa user-mod” in a shell script but I was wondering whether I could use
> python.
> 
>  
> 
> Does using python make sense?
> 
>  
> 
> If so, are there any examples that I can look at? It seems that I could import
> ipalib and go from there but I am not sure if there is a simple interface for
> doing user modifications.
> 
>  
> 
> Any help would be greatly appreciated.
> 
>  
> 
> Thanks,
> 
>  
> 
> Joe
>

Hello Joe,

This is a very good start. But it can be made even easier, without any command
line option parsing. Please see the following example to simply modify users in
Python:

# kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
# python
>>> from ipalib import api
>>> api.bootstrap_with_global_options(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()

# Lets see custom user "fbar"
>>> api.Command['user_show'](u'admin')
{'result': {'dn':
u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
'uidnumber': (u'65200000',), 'gidnumber': (u'65200000',), 'memberof_group':
(u'admins', u'trust admins'), 'has_password': True, 'sn': (u'Administrator',),
'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value': u'admin',
'summary': None}

# See that result is a native Python dictionary, i.e. very easy to manipulate later
# Now lets try to modify user's address:
>>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London',
st=u'UK', postalcode=u'NW1 6XE')
{'result': {'has_keytab': True, 'street': (u'221B Baker Street',), 'uid':
(u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'65200001',), 'l':
(u'London',), 'st': (u'UK',), 'gidnumber': (u'65200001',), 'memberof_group':
(u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory':
(u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role': (u'foo',),
'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar', 'summary':
u'Modified user "fbar"'}

The user is now modified, I can verify it with standard CLI command:

# ipa user-show fbar --all
  dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  User login: fbar
...
  Street address: 221B Baker Street
  City: London
  State/Province: UK
  ZIP: NW1 6XE
...

Our source code is a good source of information (I used it to find out exact
names of the command attributes). Besides that, you can check:
http://www.freeipa.org/page/DocumentationPortal
There are several doc guides, including "Extending IPA" guide which should
provide you with more info about additional extensions of FreeIPA.

HTH,
Martin