Hi Alexander: Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.
Regards, Joe -----Original Message----- From: Alexander Bokovoy [mailto:[email protected]] Sent: Friday, June 29, 2012 12:31 AM To: Martin Kosek Cc: Joe Linoff; [email protected] Subject: Re: [Freeipa-users] How can I change my password from a python script? On Fri, 29 Jun 2012, Martin Kosek wrote: >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote: >> Hi Petr: >> >> I implemented what you suggested and everything worked pretty well >> but I ran into three issues that you might be able to help me with. >> >> ISSUE #1 >> The first issue (and the most important) is that the password is only >> temporary. I am prompted to reset it the first time that I login. My >> goal is to setup a working system quickly to test different >> configurations in a batch fashion but having to reset the password >> for each user makes that challenging. How can I disable the reset >> requirement for my test environment? >> >> ssh user5@cuthbert >> user5@cuthbert's password: >> Password expired. Change your password now. >> Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com >> WARNING: Your password has expired. >> You must change your password now and login again! >> Changing password for user user5. >> Current Password: >> New password: >> Retype new password: >> passwd: all authentication tokens updated successfully. >> Connection to cuthbert closed. > >Hi Joe, > >This is a security measure, somebody else may correct me, but I don't >think this can be turned off. You can use an attached Python function >which can be used to change (reset) user password via web interface. >Normally, this backend is used by Web UI users with expired password to >be able to reset it. You could you is it for the same purpose from the >script (function) I attached. What you can do is to change the same password as a user -- given that these are test configurations, you can: 0. Change minimum acceptable password lifetime to 0 ipa pwpolicy-mod --minlife=0 1. Add all users, note their passwords 2. For each user: 2.1. kinit <user> 2.2. echo -e "$PASSWORD\n$PASSWORD\$PASSWORD" | ipa passwd 2.3 kdestroy This way you'll get passwords set back as those users. Or use the script that Martin provided. >> >> ISSUE #2 >> The second issue is really more of a question. I need to add these >> users to groups. My guess is that I need to setup a similar call >> using the 'group_add' command. Is that right? If so, do you have an >> example that I could follow? > >You can try this one: > >pprint(api.Command['group_add'](u'foogroup', description=u'foo group')) >{'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',), > 'objectclass': (u'top', > u'groupofnames', > u'nestedgroup', > u'ipausergroup', > u'ipaobject', > u'posixgroup')}, > 'summary': u'Added group "foogroup"', > 'value': u'foogroup'} > >pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin'])) >{'completed': 1, > 'failed': {'member': {'group': (), 'user': ()}}, > 'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'member_user': (u'admin',)}} > >pprint(api.Command['group_show'](u'foogroup')) >{'result': {'cn': (u'foogroup',), > 'description': (u'foo group',), > 'dn': >u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=c om', > 'gidnumber': (u'4800015',), > 'member_user': (u'admin',)}, > 'summary': None, > 'value': u'foogroup'} > >> >> ISSUE #3 >> The third and final issue is that the I get traceback from what >> appears to be the validation in the batch command. How can I correct that? >> >> Traceback (most recent call last): >> File "./u1.py", line 35, in <module> >> result = api.Command['batch'](*add_cmds) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", >> line 443, in __call__ >> self.validate_output(ret) >> File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", >> line 903, in validate_output >> nice, o.name, o.type, type(value), value) >> TypeError: batch.validate_output(): >> output['results']: need <type 'list'>; got <type 'tuple'>: Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012. >You may just have found a bug. Batch command is not normally executed >from XML-RPC, there may be an issue. We will investigate it. Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it is fixed already. -- / Alexander Bokovoy _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
