[Freeipa-users] How can I change my password from a python script?

Joe Linoff jlinoff at tabula.com
Fri Jun 29 07:22:02 UTC 2012


Hi Martin:

Thank you. This is very helpful.

I am going to try the group functions tomorrow morning (PST).

Regards,

Joe

-----Original Message-----
From: Martin Kosek [mailto:mkosek at redhat.com] 
Sent: Friday, June 29, 2012 12:07 AM
To: Joe Linoff
Cc: Petr Vobornik; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] How can I change my password from a python script?

On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> Hi Petr:
> 
> I implemented what you suggested and everything worked pretty well but 
> I ran into three issues that you might be able to help me with.
> 
> ISSUE #1
> The first issue (and the most important) is that the password is only 
> temporary. I am prompted to reset it the first time that I login. My 
> goal is to setup a working system quickly to test different 
> configurations in a batch fashion but having to reset the password for 
> each user makes that challenging. How can I disable the reset 
> requirement for my test environment?
> 
>     ssh user5@cuthbert
>     user5@cuthbert's password: 
>     Password expired. Change your password now.
>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>     WARNING: Your password has expired.
>     You must change your password now and login again!
>     Changing password for user user5.
>     Current Password: 
>     New password: 
>     Retype new password: 
>     passwd: all authentication tokens updated successfully.
>     Connection to cuthbert closed.

Hi Joe,

This is a security measure, somebody else may correct me, but I don't think this can be turned off. You can use an attached Python function which can be used to change (reset) user password via web interface.
Normally, this backend is used by Web UI users with an expired password to be able to reset it. You could use it for the same purpose from the script (function) I attached.

> 
> ISSUE #2
> The second issue is really more of a question. I need to add these 
> users to groups. My guess is that I need to setup a similar call using 
> the 'group_add' command. Is that right? If so, do you have an example 
> that I could follow?

You can try this one:

pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
            'objectclass': (u'top',
                            u'groupofnames',
                            u'nestedgroup',
                            u'ipausergroup',
                            u'ipaobject',
                            u'posixgroup')},
 'summary': u'Added group "foogroup"',
 'value': u'foogroup'}

pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
{'completed': 1,
 'failed': {'member': {'group': (), 'user': ()}},
 'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)}}

pprint(api.Command['group_show'](u'foogroup'))
{'result': {'cn': (u'foogroup',),
            'description': (u'foo group',),
            'dn':
u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
            'gidnumber': (u'4800015',),
            'member_user': (u'admin',)},
 'summary': None,
 'value': u'foogroup'}

> 
> ISSUE #3
> The third and final issue is that I get a traceback from what 
> appears to be the validation in the batch command. How can I correct that?
> 
>     Traceback (most recent call last):
>       File "./u1.py", line 35, in <module>
>         result = api.Command['batch'](*add_cmds)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>         self.validate_output(ret)
>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>         nice, o.name, o.type, type(value), value)
>     TypeError: batch.validate_output():
>       output['results']: need <type 'list'>; got <type 'tuple'>:
> ({'summary': u'Added user "user5"', 'result': {'dn':
> u'uid=user5,cn=users,cn=accounts,dc=example,dc=com', 'has_keytab': 
> True,
> 'displayname': (u'first last',), 'uid': (u'user5',), 'objectclass':
> (u'top', u'person', u'organizationalperson', u'inetorgperson', 
> u'inetuser', u'posixaccount', u'krbprincipalaux', 
> u'krbticketpolicyaux', u'ipaobject'), 'loginshell': (u'/bin/bash',), 'uidnumber':
> (u'785400029',), 'initials': (u'fl',), 'gidnumber': (u'785400029',),
> 'has_password': True, 'sn': (u'last',), 'homedirectory':
> (u'/home/user5',), 'mail': (u'user5@example.com',), 'krbprincipalname':
> (u'user5@EXAMPLE.COM',), 'givenname': (u'first',), 'cn': (u'first 
> last',), 'gecos': (u'first last',), 'ipauniqueid':
> (u'dcc8845e-c178-11e1-b46e-5254006a7e38',)}, 'value': u'user5', 'error':
> None},)

You may just have found a bug. Batch command is not normally executed from XML-RPC, there may be an issue. We will investigate it.

Meanwhile, I would recommend using a simple command, I think it's easier to read and code.

Martin
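
The function Martin attached is not reproduced on this page. The following is an added example, not Martin's attachment and not FreeIPA project code, of scripting the Web UI's expired-password change that the reply to ISSUE #1 describes. The endpoint path, form field names and response header names are those of FreeIPA's form-based password change handler and are not stated in this thread; the host name, CA file and passwords are constructed placeholders.

```python
import ssl
import urllib.error
import urllib.parse
import urllib.request


def build_pwchange_request(host, user, old_password, new_password):
    """Build the POST that the Web UI sends to replace an expired password."""
    url = "https://%s/ipa/session/change_password" % host
    body = urllib.parse.urlencode({
        "user": user,
        "old_password": old_password,   # the temporary password set by the admin
        "new_password": new_password,
    }).encode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
        "Referer": "https://%s/ipa" % host,  # sent by the Web UI as well
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def pwchange_result(status, headers):
    """Return (ok, detail). HTTP 200 alone is not success: the outcome is
    reported in the X-IPA-Pwchange-Result response header."""
    result = headers.get("X-IPA-Pwchange-Result")
    if status == 200 and result == "ok":
        return True, "ok"
    detail = headers.get("X-IPA-Pwchange-Policy-Error") or result
    return False, detail or "HTTP %d" % status


def change_password(host, user, old_password, new_password, ca_file):
    """Send the change over TLS, verifying the server against the IPA CA."""
    ctx = ssl.create_default_context(cafile=ca_file)  # e.g. /etc/ipa/ca.crt
    req = build_pwchange_request(host, user, old_password, new_password)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return pwchange_result(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        return pwchange_result(err.code, err.headers)
```

Keep certificate verification on even in a test environment, and read the passwords from a protected file or prompt rather than the command line, since both the temporary and the new password pass through this call.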




