Normally I would change
krblastpwdchange[0].__datetime__
to
krblastpwdchange[0].__datetime__ | default('0')
but your expression is part of json_query(). Perhaps there's an
equivalent of Jinja's default() in json_query(); I just don't know.
Without standing up an IPA instance and experimenting, I don't see a way
to derive what your user_show data looks like. (I did that a year or two
ago to answer a similar question, but I'm a bit swamped at the moment.)
Perhaps if you could give us the first couple of records from your
registered user_show data — the first one that's throwing the error and
another one or two that has what you expect, anonymized as appropriate
of course — that would give us enough information about your data's
structure to suggest some expressions to try.
Including the playbook helps a whole lot; alas, without sample data or
an IPA instance to play with it's not sufficient to give you a
definitive answer. Well, at least I can't.
I know this sort of problem can be extremely frustrating, and you've
been patient in asking. We really do want to help, honestly. But the IPA
thing is one level of niche, and very few people are versed in
json_query() so that adds yet another level of niche. But if you can
provide the sample data I mentioned before I think we can make some
progress.
--
Todd
On 2/26/24 9:43 AM, [email protected] wrote:
I'm including the playbook below. I'm still unable to find a way to
ignore any user that does not have the krblastpwdchange property set.
When I run the playbook, I still get the following error:
TASK [Find users who's password will expire in the next 10 days]
*******************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"msg": "Unexpected templating type
error occurred on ({{ user_show.results |
json_query('[*].json.result.result.{uid: uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined')
| selectattr('pwdchg', '<', expire_date) | list }}): '<' not supported
between instances of 'NoneType' and 'AnsibleUnsafeText'. '<' not
supported between instances of 'NoneType' and 'AnsibleUnsafeText'"}
Playbook:
---
- name: Gather User Password Expiration information from IDM server
hosts: localhost
gather_facts: no
pre_tasks:
- setup:
filter: 'ansible_date_time'
vars_files:
- /etc/ansible/vault.yml
vars:
idmfqdn: idmserver
binduser: 'admin'
bindpasswd: '{{ secure_ipa_pass }}'
warning_days: 10
tasks:
- name: Set list of users to ignore
ansible.builtin.set_fact:
ignore_users:
- "root"
- "some.user"
- "some.c-ctr.user"
- "test.redhat"
- "admin"
- name: Login to IDM use returned cookie to access the API in later
tasks
ansible.builtin.uri:
url: "https://{{idmfqdn}}/ipa/session/login_password";
method: POST
headers:
Referer: "https://{{idmfqdn}}/ipa";
Content-Type: "application/x-www-form-urlencoded"
Accept: "text/plain"
body_format: form-urlencoded
body:
user: "{{binduser}}"
password: "{{bindpasswd}}"
status_code: 200
follow_redirects: all
register: login
- name: Get IDM API version using previously stored session cookie
ansible.builtin.uri:
url: "https://{{idmfqdn}}/ipa/session/json";
method: POST
headers:
Cookie: "{{ login.set_cookie }}"
Referer: "https://{{idmfqdn}}/ipa";
Content-Type: "application/json"
Accept: "application/json"
body_format: json
body: '{"method": "ping","params": [[],{}]}'
register: api_vers_out
- name: Set fact for api version
ansible.builtin.set_fact:
api_vers: "{{
api_vers_out.json.result.messages|json_query('[*].data.server_version')|join()
}}"
- name: Run user_find from IDM API using previously stored session
cookie
ansible.builtin.uri:
url: "https://{{idmfqdn}}/ipa/session/json";
method: POST
headers:
Cookie: "{{ login.set_cookie }}"
Referer: "https://{{idmfqdn}}/ipa";
Content-Type: "application/json"
Accept: "application/json"
body_format: json
body: "{\"method\": \"user_find/1\",\"params\":
[[],{\"version\": \"{{ api_vers }}\"}]}"
no_log: true
register: user_find
- name: Set users fact
ansible.builtin.set_fact:
uid: "{{
user_find.json.result.result|map(attribute='uid')|flatten|difference(ignore_users)
}}"
- name: Run user_show from IDM API using previously stored session
cookie
ansible.builtin.uri:
url: "https://{{idmfqdn}}/ipa/session/json";
method: POST
headers:
Cookie: "{{ login.set_cookie }}"
Referer: "https://{{idmfqdn}}/ipa";
Content-Type: "application/json"
Accept: "application/json"
body_format: json
body: "{\"method\": \"user_show\",\"params\": [[ \"{{ item
}}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
register: user_show
loop: "{{ uid | json_query('[:1]') }}"
- name: Set expire date
ansible.builtin.set_fact:
expire_date: '{{ lookup(''pipe'', ''date -u --date="today + {{
warning_days }} days" +%Y%m%d000000Z'') }}'
- name: Show expire date
ansible.builtin.debug:
msg: "{{ expire_date }}"
- name: Show user info
debug:
msg: "{{ user_show.results |
json_query('[*].json.result.result.{uid: uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') }}"
- name: Find users who's password will expire in the next {{
warning_days }} days
ansible.builtin.set_fact:
pwd_expire_soon: "{{ user_show.results |
json_query('[*].json.result.result.{uid: uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined')
| selectattr('pwdchg', '<', expire_date) | list }}"
- name: Show accounts that are due to expire in the next {{
warning_days }} days
ansible.builtin.debug:
msg: "{{ pwd_expire_soon }}"
Thanks,
Harry
On Friday, February 23, 2024 at 2:54:06 PM UTC-5 [email protected] wrote:
So it looks like the VERY 1st user in our system has never logged
in, so the krblaspwdchange property has never gotten set. Is
there a way to ignore when that field doesn't exist or is null?
Thanks,
Harry
On Friday, February 23, 2024 at 2:46:07 PM UTC-5 Todd Lewis wrote:
The original problem is you're comparing 'NoneType' and 'str'.
So, for at least one of your principals there's no
krblastpwdchange. You need to work on the subset of data
relevant to the comparison.
On 2/23/24 2:09 PM, [email protected] wrote:
I'm not including the entire playbook, but the URI module
call where user_show gets registered, then the debug statements:
- name: Run user_show from IDM API using previously stored
session cookie
ansible.builtin.uri:
url: "https://{{idmfqdn}}/ipa/session/json";
<https://%7B%7Bidmfqdn%7D%7D/ipa/session/json>
method: POST
headers:
Cookie: "{{ login.set_cookie }}"
Referer: "https://{{idmfqdn}}/ipa";
<https://%7B%7Bidmfqdn%7D%7D/ipa>
Content-Type: "application/json"
Accept: "application/json"
body_format: json
body: "{\"method\": \"user_show\",\"params\": [[ \"{{
item }}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
register: user_show
loop: "{{ uid | json_query('[:10]') }}"
- name: Set expire date
ansible.builtin.set_fact:
expire_date: '{{ lookup(''pipe'', ''date -u
--date="today + 10 days" +%Y%m%d000000Z'') }}'
- name: Show expire date
ansible.builtin.debug:
msg: "{{ expire_date }}"
- name: Show user info
debug:
msg: "{{ user_show.results |
json_query('[*].json.result.result.{uid: uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') }}"
Thanks,
Harry
On Friday, February 23, 2024 at 1:58:04 PM UTC-5 Todd Lewis
wrote:
Without showing us the expression you used in your
debug's "msg:", this doesn't tell us anything.
On 2/23/24 1:05 PM, [email protected] wrote:
Looks OK to me:
TASK [Show user info]
**************************************************************************************************************************************************************************************
ok: [localhost] => {
"msg": [
{
"pwdchg": "20210416141027Z",
"uid": "user1"
}
]
}
Thanks,
Harry
On Friday, February 23, 2024 at 12:13:07 PM UTC-5 Rowe,
Walter P. (Fed) wrote:
{{ user_show.results |
json_query('[*].json.result.result.{uid: uid[0],
pwdchg: krblastpwdchange[0].__datetime__}') }}
I would display this info in a debug to see what the
resulting data stream looks like. Maybe the
selectattr('pwdchg') is in inaccurate reference to
pwdchg?
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Mobile: 202.355.4123 <tel:(202)%20355-4123>
On Feb 23, 2024, at 12:09 PM, [email protected]
<[email protected]> wrote:
Just pull out those fields from the returned user
information. I use that in 2 or 3 other playbooks
so I know that it works.
Thanks,
Harry
On Friday, February 23, 2024 at 11:53:04 AM UTC-5
Rowe, Walter P. (Fed) wrote:
pwd_expire_soon: "{{ user_show.results |
json_query('[*].json.result.result.{uid:
uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') |
selectattr('pwdchg', 'lessthan', 'expire_date')
| list }}"
What are you expecting this red portion to do?
I don't think it is valid in json_query.
Walter
--
Walter Rowe, Division Chief
Infrastructure Services Division
Mobile: 202.355.4123 <tel:(202)%20355-4123>
On Feb 23, 2024, at 11:30 AM,
[email protected] <[email protected]> wrote:
I am trying to determine when user's
password's are going to expire in the next 10
days. After I traverse my FreeIPA users and
store those users into a variable, I try to
set a fact like so:
- name: Find users who's password will
expire in the next 10 days
set_fact:
pwd_expire_soon: "{{ user_show.results |
json_query('[*].json.result.result.{uid:
uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') |
selectattr('pwdchg', 'lessthan',
'expire_date') | list }}"
When I run my playbook, I get the following error:
fatal: [localhost]: FAILED! => {"msg":
"Unexpected templating type error occurred on
({{ user_show.results |
json_query('[*].json.result.result.{uid:
uid[0], pwdchg:
krblastpwdchange[0].__datetime__}') |
selectattr('pwdchg', 'lessthan',
'expire_date') | list }}): '<' not supported
between instances of 'NoneType' and 'str'. '<'
not supported between instances of 'NoneType'
and 'str'"}
I can't seem to find what the issue is. I
originally had '<' instead of 'lessthan' but
got the same error. Any ideas?
Thanks,
Harry
--
You received this message because you are
subscribed to the Google Groups "Ansible
Project" group.
To unsubscribe from this group and stop
receiving emails from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/a1131cb0-bc23-46bb-afbf-ca9ad6f4ce34n%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/a1131cb0-bc23-46bb-afbf-ca9ad6f4ce34n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are
subscribed to the Google Groups "Ansible Project"
group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/c0b4de3d-50e2-4fff-85b1-0437076137dcn%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/c0b4de3d-50e2-4fff-85b1-0437076137dcn%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to
the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails
from it, send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/f76c158f-1107-4d10-8977-12638128d056n%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/f76c158f-1107-4d10-8977-12638128d056n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Todd
--
You received this message because you are subscribed to the
Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from
it, send an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/6c29210e-e854-414c-9007-13c37edb3265n%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/6c29210e-e854-414c-9007-13c37edb3265n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Todd
--
You received this message because you are subscribed to the Google
Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/11a5adb1-a9ff-4e30-93ec-ab7b44488c04n%40googlegroups.com
<https://groups.google.com/d/msgid/ansible-project/11a5adb1-a9ff-4e30-93ec-ab7b44488c04n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
Todd
--
You received this message because you are subscribed to the Google Groups "Ansible
Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/9a3c8e3c-1c74-4c1f-a65a-984c324b1701%40gmail.com.
