[Freeipa-users] How can I change my password from a python script?

Joe Linoff jlinoff at tabula.com
Thu Jun 28 23:42:07 UTC 2012


Hi Petr:

I implemented what you suggested and everything worked pretty well but I
ran into three issues that you might be able to help me with.

ISSUE #1
The first issue (and the most important) is that the password is only
temporary. I am prompted to reset it the first time that I log in. My
goal is to set up a working system quickly to test different
configurations in a batch fashion but having to reset the password for
each user makes that challenging. How can I disable the reset
requirement for my test environment?

    ssh user5@cuthbert
    user5@cuthbert's password:
    Password expired. Change your password now.
    Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user user5.
    Current Password: 
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    Connection to cuthbert closed.

ISSUE #2
The second issue is really more of a question. I need to add these users
to groups. My guess is that I need to set up a similar call using the
'group_add' command. Is that right? If so, do you have an example that I
could follow?

ISSUE #3
The third and final issue is that I get a traceback from what appears
to be the validation in the batch command. How can I correct that?

    Traceback (most recent call last):
      File "./u1.py", line 35, in <module>
        result = api.Command['batch'](*add_cmds)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
        self.validate_output(ret)
      File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
        nice, o.name, o.type, type(value), value)
    TypeError: batch.validate_output():
      output['results']: need <type 'list'>; got <type 'tuple'>:
      ({'summary': u'Added user "user5"', 'result': {'dn':
      u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': True,
      'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
      (u'top', u'person', u'organizationalperson', u'inetorgperson',
      u'inetuser', u'posixaccount', u'krbprincipalaux', u'krbticketpolicyaux',
      u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
      (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
      'has_password': True, 'sn': (u'last',), 'homedirectory':
      (u'/home/user5',), 'mail': (u'user5@example.com',), 'krbprincipalname':
      (u'user5@EXAMPLE.COM',), 'givenname': (u'first',),
      'cn': (u'first last',), 'gecos': (u'first last',), 'ipauniqueid':
      (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
      None},)

Regards,

Joe

-----Original Message-----
From: Petr Vobornik [mailto:pvoborni at redhat.com] 
Sent: Thursday, June 28, 2012 1:32 AM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python
script?

On 06/28/2012 03:34 AM, Joe Linoff wrote:
> Hi Everybody:
>
>
>
> I need to add a lot of users to an LDAP system for testing and I would
> like to do it in batch mode. For my small tests I have been doing
> something like this:

A batch command might be useful for this case.

Example (note that I'm not a python guy):

#!/usr/bin/env python

import pprint
from ipalib import api

# Bootstrap the IPA API and connect to the server over XML-RPC
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.xmlclient.connect()

# Prepare request: (first name, surname, e-mail, password, description)
users = [
    (u'Foo', u'Bar', u'fbar@foo.baz', u'psw1', u'Sales guy'),
    (u'John', u'Doe', u'jdoe@foo.baz', u'psw2', u'Tech guy'),
]

add_commands = []

for user in users:
    (firstname, surname, email, psw, desc) = user
    # One user_add call per user: empty positional args, options as a dict
    add_commands.append({
        "method": 'user_add',
        "params": [
            [],
            {
                "givenname": firstname,
                "sn": surname,
                "mail": email,
                "userpassword": psw,
                # No shell here, so the value is not wrapped in quotes
                "setattr": u"description=" + desc
            },
        ],
    })

# Execute as batch
result = api.Command['batch'](*add_commands)

# Print
pp = pprint.PrettyPrinter()
pp.pprint(result)

>
> #!/bin/bash
> # Script to create a new user.
> ipa user-add bigbob  \
>      --email=bbob@BigBobsEmporium.com \
>      --first=Bob \
>      --last=Bigg \
>      --password  \
>      --setattr=description='The sales guy.'<<-EOF
> b1gB0bsTmpPwd
> b1gB0bsTmpPwd
> EOF
>
> However, I am a python guy and would like to use it instead. I am sure
> that I can do a similar thing using pexpect in python. Probably
> something like this:
>
> # This code has not been tested. It is only for a thought experiment.
> # Add a user and enter the password using pexpect.
> import sys
> import pexpect
>
> cmd = "ipa user-add bigbob --email='bbob@BigBobsEmporium.com'"
> cmd += " --first=Bob --last=Bigg --password "
> cmd += "--setattr=description='The sales guy.'"
> rets = ['Password', 'Enter Password again to verify', pexpect.EOF,
>         pexpect.TIMEOUT]
> c = pexpect.spawn(cmd, timeout=None)
> i = c.expect(rets)
> if i == 0:  # Password
>     c.sendline('b1gB0bsTmpPwd')
>     i = c.expect(rets)
>     if i == 1:  # Enter Password again to verify
>         c.sendline('b1gB0bsTmpPwd')
>         i = c.expect(rets)
>         if i == 2:  # EOF: the command finished
>             print('SUCCESS')
>         else:
>             sys.exit('ERROR: something bad happened #1')
>     else:
>         sys.exit('ERROR: something bad happened #2')
> else:
>     sys.exit('ERROR: something bad happened #3')
>
> But I was wondering whether there was a better way using the IPA API. Is
> there a way for me to do that?
>
> Any help or insights would be greatly appreciated.
>
> Thanks,
>
> Joe
>



--
Petr Vobornik
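
Added example, not part of the original thread and not FreeIPA project code: a sketch of how the batch payload from the reply could be extended with group membership (ISSUE #2) and how the per-item 'error' field visible in the quoted batch output can be checked. It assumes the ipalib command name group_add_member with a "user" option and that batch runs its commands in order; the helper names, the group "testers" and the sample results are constructed for illustration.

```python
# Added example (not from the thread). Pure Python: builds the payload for
# api.Command['batch'] and checks the reply; it does not import ipalib.

def build_batch(users, memberships):
    """users: (uid, first, last, mail, password, description) tuples.
    memberships: {group_cn: [uid, ...]}. Returns a list of batch commands."""
    cmds = []
    for uid, first, last, mail, password, desc in users:
        cmds.append({
            "method": "user_add",
            "params": [[uid], {
                "givenname": first,
                "sn": last,
                "mail": mail,
                "userpassword": password,
                # No shell is involved, so no quotes around the value.
                "setattr": "description=" + desc,
            }],
        })
    # Memberships follow the user_add entries (assumes in-order execution).
    for group, uids in sorted(memberships.items()):
        cmds.append({
            "method": "group_add_member",  # assumed ipalib command name
            "params": [[group], {"user": list(uids)}],
        })
    return cmds


def failed_items(cmds, results):
    """Pair each command with its result and return (method, target, error)
    for every entry whose 'error' field is set."""
    failures = []
    for cmd, res in zip(cmds, list(results)):  # results may be a tuple
        if res.get("error"):
            target = cmd["params"][0][0]
            failures.append((cmd["method"], target, res["error"]))
    return failures


# Constructed sample data, shaped like the batch output quoted in the thread.
USERS = [("user5", "first", "last", "user5@example.com", "tmpPwd-1", "Sales guy")]
CMDS = build_batch(USERS, {"testers": ["user5"]})
SAMPLE_RESULTS = (
    {"summary": 'Added user "user5"', "value": "user5", "error": None},
    {"error": "testers: group not found"},
)

if __name__ == "__main__":
    for method, target, err in failed_items(CMDS, SAMPLE_RESULTS):
        print("FAILED %s %s: %s" % (method, target, err))
```

The list returned by build_batch would be passed as api.Command['batch'](*cmds), as in the script above.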



