[Freeipa-users] What is the best way to make batch changes to the LDAP?
Martin Kosek
mkosek at redhat.com
Wed Jun 27 06:34:11 UTC 2012
On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
>
>
> Here is a python approach that I am experimenting with based on reading the
> source code. It seems to work but it is re-entrant? Does this make sense? Is
> there a better way (like ldapmodify)?
>
>
>
> #!/usr/bin/env python
>
> #
>
> # Emulate the ipa command line interface in a script so that
>
> # to batch some updates.
>
> #
>
> import sys
>
> import shlex
>
> from ipalib import api, cli
>
>
>
> # ================================================================
>
> # bootstrap
>
> # ================================================================
>
> def bootstrap():
>
> """
>
> Bootstrap the script.
>
> I hope that all of this stuff is re-entrant.
>
> Also, api is defined in __init__.py.
>
> """
>
> api.bootstrap_with_global_options(context='cli')
>
> for klass in cli.cli_plugins:
>
> api.register(klass)
>
> api.load_plugins()
>
> api.finalize()
>
> if not 'config_loaded' in api.env:
>
> raise NotConfiguredError()
>
>
>
> # ================================================================
>
> # cmd
>
> # ================================================================
>
> def cmd(cmd):
>
> """
>
> Execute an IPA command.
>
> The command is entered as a string. I use shlex.split
>
> to break it into an args list.
>
> @param cmd The command to execute (as a string).
>
> """
>
> print
>
> print '# %s' % ('='*64)
>
> print '# CMD: %s' % (cmd)
>
> print '# %s' % ('='*64)
>
> args=shlex.split(cmd)
>
> api.Backend.cli.run(args)
>
>
>
> if __name__ == '__main__':
>
> bootstrap()
>
>
>
> # Some test calls.
>
> cmd('help')
>
> cmd('help user')
>
> cmd('help user-mod')
>
>
>
> # Update the fields.
>
> users=['bob', 'carol', 'ted', 'alice']
>
> mod='--street="123 Main Street" --city="Anytown" --state="AK"
> --postalcode="12345"'
>
> for user in users:
>
> cmd('user-mod %s %s' % (user, mod))
>
>
>
> Regards,
>
>
>
> Joe
>
>
>
> *From:*Joe Linoff
> *Sent:* Tuesday, June 26, 2012 3:04 PM
> *To:* freeipa-users at redhat.com
> *Cc:* Joe Linoff
> *Subject:* What is the best way to make batch changes to the LDAP?
>
>
>
> Hi Everybody:
>
>
>
> I need to change the mailing address information for a group of employees in
> the FreeIPA LDAP and would like to do it in a script. I know that I can do it
> using “ipa user-mod” in a shell script but I was wondering whether I could use
> python.
>
>
>
> Does using python make sense?
>
>
>
> If so, are there any examples that I can look at? It seems that I could import
> ipalib and go from there but I am not sure if there is a simple interface for
> doing user modifications.
>
>
>
> Any help would be greatly appreciated.
>
>
>
> Thanks,
>
>
>
> Joe
>
Hello Joe,
This is a very good start. But it can be made even easier, without any command
line option parsing. Please see the following example to simply modify users in
Python:
# kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
# python
>>> from ipalib import api
>>> api.bootstrap_with_global_options(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
# Lets see custom user "fbar"
>>> api.Command['user_show'](u'admin')
{'result': {'dn':
u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
'uidnumber': (u'65200000',), 'gidnumber': (u'65200000',), 'memberof_group':
(u'admins', u'trust admins'), 'has_password': True, 'sn': (u'Administrator',),
'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value': u'admin',
'summary': None}
# See that result is a native Python dictionary, i.e. very easy to manipulate later
# Now lets try to modify user's address:
>>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street', l=u'London',
st=u'UK', postalcode=u'NW1 6XE')
{'result': {'has_keytab': True, 'street': (u'221B Baker Street',), 'uid':
(u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'65200001',), 'l':
(u'London',), 'st': (u'UK',), 'gidnumber': (u'65200001',), 'memberof_group':
(u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory':
(u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role': (u'foo',),
'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar', 'summary':
u'Modified user "fbar"'}
The user is now modified, I can verify it with standard CLI command:
# ipa user-show fbar --all
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
...
Street address: 221B Baker Street
City: London
State/Province: UK
ZIP: NW1 6XE
...
Our source code is a good source of information (I used it to find out exact
names of the command attributes). Besides that, you can check:
http://www.freeipa.org/page/DocumentationPortal
There are several doc guides, including "Extending IPA" guide which should
provide you with more info about additional extensions of FreeIPA.
HTH,
Martin
More information about the Freeipa-users
mailing list