[Freeipa-users] How can I change my password from a python script?

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 29 07:30:57 UTC 2012


On Fri, 29 Jun 2012, Martin Kosek wrote:
>On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
>> Hi Petr:
>>
>> I implemented what you suggested and everything worked pretty well but I
>> ran into three issues that you might be able to help me with.
>>
>> ISSUE #1
>> The first issue (and the most important) is that the password is only
>> temporary. I am prompted to reset it the first time that I log in. My
>> goal is to set up a working system quickly to test different
>> configurations in a batch fashion but having to reset the password for
>> each user makes that challenging. How can I disable the reset
>> requirement for my test environment?
>>
>>     ssh user5@cuthbert
>>     user5@cuthbert's password:
>>     Password expired. Change your password now.
>>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
>>     WARNING: Your password has expired.
>>     You must change your password now and login again!
>>     Changing password for user user5.
>>     Current Password:
>>     New password:
>>     Retype new password:
>>     passwd: all authentication tokens updated successfully.
>>     Connection to cuthbert closed.
>
>Hi Joe,
>
>This is a security measure, somebody else may correct me, but I don't
>think this can be turned off. You can use an attached Python function
>which can be used to change (reset) user password via web interface.
>Normally, this backend is used by Web UI users with expired password to
>be able to reset it. You could use it for the same purpose from the
>script (function) I attached.
What you can do is to change the same password as a user -- given that
these are test configurations, you can:
0. Change minimum acceptable password lifetime to 0
    ipa pwpolicy-mod  --minlife=0
1. Add all users, note their passwords
2. For each user:
2.1. kinit <user>
2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
2.3. kdestroy

This way you'll get passwords set back as those users. Or use the script
that Martin provided.


>>
>> ISSUE #2
>> The second issue is really more of a question. I need to add these users
>> to groups. My guess is that I need to set up a similar call using the
>> 'group_add' command. Is that right? If so, do you have an example that I
>> could follow?
>
>You can try this one:
>
>pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
>            'objectclass': (u'top',
>                            u'groupofnames',
>                            u'nestedgroup',
>                            u'ipausergroup',
>                            u'ipaobject',
>                            u'posixgroup')},
> 'summary': u'Added group "foogroup"',
> 'value': u'foogroup'}
>
>pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
>{'completed': 1,
> 'failed': {'member': {'group': (), 'user': ()}},
> 'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)}}
>
>pprint(api.Command['group_show'](u'foogroup'))
>{'result': {'cn': (u'foogroup',),
>            'description': (u'foo group',),
>            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
>            'gidnumber': (u'4800015',),
>            'member_user': (u'admin',)},
> 'summary': None,
> 'value': u'foogroup'}
>
>>
>> ISSUE #3
>> The third and final issue is that I get a traceback from what appears
>> to be the validation in the batch command. How can I correct that?
>>
>>     Traceback (most recent call last):
>>       File "./u1.py", line 35, in <module>
>>         result = api.Command['batch'](*add_cmds)
>>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
>>         self.validate_output(ret)
>>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
>>         nice, o.name, o.type, type(value), value)
>>     TypeError: batch.validate_output():
>>       output['results']: need <type 'list'>; got <type 'tuple'>:
Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed
in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.

>You may just have found a bug. Batch command is not normally executed
>from XML-RPC, there may be an issue. We will investigate it.
Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it
is fixed already.


-- 
/ Alexander Bokovoy
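
The per-user procedure described above (steps 2.1 to 2.3), written as shell functions. This is an added example, not code from the thread. It assumes MIT `kinit` reads the password from standard input when that is not a terminal, and a hypothetical `users.txt` of `login:password` lines; each user gets a private credential cache so the operator's admin ticket is not overwritten.

```shell
# Added example (not from the thread). Assumes `ipa pwpolicy-mod --minlife=0`
# has been applied and that MIT kinit reads the password from stdin when
# stdin is not a terminal.

# reset_as_user LOGIN PASSWORD
# Returns 0 on success, 1 if kinit fails, 2 if `ipa passwd` fails.
# The body is a subshell, so KRB5CCNAME and the trap never leak to the caller.
reset_as_user() (
    login=$1
    password=$2
    ccdir=$(mktemp -d) || exit 1
    # Always drop the user's ticket and the temporary cache, even on failure.
    trap 'kdestroy >/dev/null 2>&1; rm -rf "$ccdir"' EXIT
    # Private credential cache: the operator's admin ticket is not overwritten.
    export KRB5CCNAME="FILE:$ccdir/cc"
    # printf is a shell builtin, so the password never shows up in a process
    # argument list.
    printf '%s\n' "$password" | kinit "$login" >/dev/null || exit 1
    # Step 2.2: three password lines on stdin, all the same value.
    printf '%s\n%s\n%s\n' "$password" "$password" "$password" |
        ipa passwd >/dev/null || exit 2
)

# reset_all FILE
# FILE (hypothetical name: users.txt) holds one "login:password" per line.
# Returns the number of users that could not be processed.
reset_all() {
    failed=0
    while IFS=: read -r login password; do
        [ -n "$login" ] || continue
        if ! reset_as_user "$login" "$password" </dev/null; then
            echo "FAILED: $login" >&2
            failed=$((failed + 1))
        fi
    done < "$1"
    return "$failed"
}
```

Source the file and call `reset_all users.txt`; keep `users.txt` readable only by the operator and delete it once the test accounts are set up.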



