[Freeipa-users] What is the best way to make batch changes to the LDAP?
Joe Linoff
jlinoff at tabula.com
Thu Jun 28 01:07:55 UTC 2012
Hi Martin:
Just a quick follow up: your suggestion worked great. Here is a little
code fragment that emulates the "ipa user-find --all" operation. I am
including it in the hopes that it will help someone else.
<<START>>
#!/usr/bin/env python
#
# Demonstrate how to get the contents of the command
# "ipa user-find --all" in python data structures based on the
# insights provided by Martin Kosek on the freeipa-users at redhat.com
# mailing list.
#
# It also demonstrates how to iterate over the list and grab
# individual fields.
#
import pprint
from ipalib import api
# Bootstrap.
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()
# Load the records.
recs = api.Command['user_find'](all=True)
# Dump the whole data structure -- with nice formatting.
pprint.PrettyPrinter(indent=4).pprint( recs )
# Print out the uid and email information.
# Note that the gratuitous conversion from unicode to UTF8 and the use
# of a lambda function instead of an if/then were only for fun.
print '---'
for i in range(recs['count']):
result = recs['result'][i]
uid = result['uid' ][0].encode('utf8')
# Email can be NULL.
email = (lambda f: result[f][0].encode('utf8') if f in result is not
None else str('None'))('mail')
print '%-20s %s' % (uid,email)
<<END>>
Thanks,
Joe
-----Original Message-----
From: Joe Linoff
Sent: Wednesday, June 27, 2012 11:02 AM
To: Martin Kosek
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] What is the best way to make batch changes
to the LDAP?
Hi Martin:
Excellent! Thank you.
Regards,
Joe
-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com]
Sent: Tuesday, June 26, 2012 11:34 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] What is the best way to make batch changes
to the LDAP?
On 06/27/2012 01:56 AM, Joe Linoff wrote:
> Hi Everybody:
>
>
>
> Here is a python approach that I am experimenting with based on
> reading the source code. It seems to work but it is re-entrant? Does
> this make sense? Is there a better way (like ldapmodify)?
>
>
>
> #!/usr/bin/env python
>
> #
>
> # Emulate the ipa command line interface in a script so that
>
> # to batch some updates.
>
> #
>
> import sys
>
> import shlex
>
> from ipalib import api, cli
>
>
>
> # ================================================================
>
> # bootstrap
>
> # ================================================================
>
> def bootstrap():
>
> """
>
> Bootstrap the script.
>
> I hope that all of this stuff is re-entrant.
>
> Also, api is defined in __init__.py.
>
> """
>
> api.bootstrap_with_global_options(context='cli')
>
> for klass in cli.cli_plugins:
>
> api.register(klass)
>
> api.load_plugins()
>
> api.finalize()
>
> if not 'config_loaded' in api.env:
>
> raise NotConfiguredError()
>
>
>
> # ================================================================
>
> # cmd
>
> # ================================================================
>
> def cmd(cmd):
>
> """
>
> Execute an IPA command.
>
> The command is entered as a string. I use shlex.split
>
> to break it into an args list.
>
> @param cmd The command to execute (as a string).
>
> """
>
> print
>
> print '# %s' % ('='*64)
>
> print '# CMD: %s' % (cmd)
>
> print '# %s' % ('='*64)
>
> args=shlex.split(cmd)
>
> api.Backend.cli.run(args)
>
>
>
> if __name__ == '__main__':
>
> bootstrap()
>
>
>
> # Some test calls.
>
> cmd('help')
>
> cmd('help user')
>
> cmd('help user-mod')
>
>
>
> # Update the fields.
>
> users=['bob', 'carol', 'ted', 'alice']
>
> mod='--street="123 Main Street" --city="Anytown" --state="AK"
> --postalcode="12345"'
>
> for user in users:
>
> cmd('user-mod %s %s' % (user, mod))
>
>
>
> Regards,
>
>
>
> Joe
>
>
>
> *From:*Joe Linoff
> *Sent:* Tuesday, June 26, 2012 3:04 PM
> *To:* freeipa-users at redhat.com
> *Cc:* Joe Linoff
> *Subject:* What is the best way to make batch changes to the LDAP?
>
>
>
> Hi Everybody:
>
>
>
> I need to change the mailing address information for a group of
> employees in the FreeIPA LDAP and would like to do it in a script. I
> know that I can do it using "ipa user-mod" in a shell script but I was
> wondering whether I could use python.
>
>
>
> Does using python make sense?
>
>
>
> If so, are there any examples that I can look at? It seems that I
> could import ipalib and go from there but I am not sure if there is a
> simple interface for doing user modifications.
>
>
>
> Any help would be greatly appreciated.
>
>
>
> Thanks,
>
>
>
> Joe
>
Hello Joe,
This is a very good start. But it can be made even easier, without any
command line option parsing. Please see the following example to simply
modify users in
Python:
# kinit admin
Password for admin at IDM.LAB.BOS.REDHAT.COM:
# python
>>> from ipalib import api
>>> api.bootstrap_with_global_options(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
# Lets see custom user "fbar"
>>> api.Command['user_show'](u'admin')
{'result': {'dn':
u'uid=admin,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
'has_keytab': True, 'uid': (u'admin',), 'loginshell': (u'/bin/bash',),
'uidnumber': (u'65200000',), 'gidnumber': (u'65200000',),
'memberof_group':
(u'admins', u'trust admins'), 'has_password': True, 'sn':
(u'Administrator',),
'homedirectory': (u'/home/admin',), 'nsaccountlock': False}, 'value':
u'admin',
'summary': None}
# See that result is a native Python dictionary, i.e. very easy to
manipulate later # Now lets try to modify user's address:
>>> api.Command['user_mod'](u'fbar', street=u'221B Baker Street',
>>> l=u'London',
st=u'UK', postalcode=u'NW1 6XE')
{'result': {'has_keytab': True, 'street': (u'221B Baker Street',),
'uid':
(u'fbar',), 'loginshell': (u'/bin/sh',), 'uidnumber': (u'65200001',),
'l':
(u'London',), 'st': (u'UK',), 'gidnumber': (u'65200001',),
'memberof_group':
(u'ipausers',), 'has_password': True, 'sn': (u'Bar',), 'homedirectory':
(u'/home/fbar',), 'postalcode': (u'NW1 6XE',), 'memberof_role':
(u'foo',),
'givenname': (u'Foo',), 'nsaccountlock': False}, 'value': u'fbar',
'summary':
u'Modified user "fbar"'}
The user is now modified, I can verify it with standard CLI command:
# ipa user-show fbar --all
dn:
uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
User login: fbar
...
Street address: 221B Baker Street
City: London
State/Province: UK
ZIP: NW1 6XE
...
Our source code is a good source of information (I used it to find out
exact names of the command attributes). Besides that, you can check:
http://www.freeipa.org/page/DocumentationPortal
There are several doc guides, including "Extending IPA" guide which
should provide you with more info about additional extensions of
FreeIPA.
HTH,
Martin
More information about the Freeipa-users
mailing list