[Freeipa-users] How can I change my password from a python script?

Martin Kosek mkosek at redhat.com
Fri Jun 29 07:37:47 UTC 2012


IMHO, 2.1.3 -> 2.2 upgrade should be safe, although I don't know if
something was changed in CentOS compared to RHEL where this should just
work.

Btw there is one thing I just realized, you will probably have to go
with Alexander's approach as the password expiration backend is
available in GIT in master branch only, i.e. in future IPA 3.0.

Martin

On Fri, 2012-06-29 at 00:33 -0700, Joe Linoff wrote:
> Hi Alexander:
> 
> Thank you. I appreciate the feedback. Is it safe to upgrade to 2.2 on a
> CentOS 6.2 system? I used 2.1.3 because it was in the rpm distribution.
> 
> Regards,
> 
> Joe
> 
> -----Original Message-----
> From: Alexander Bokovoy [mailto:abokovoy at redhat.com] 
> Sent: Friday, June 29, 2012 12:31 AM
> To: Martin Kosek
> Cc: Joe Linoff; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] How can I change my password from a python
> script?
> 
> On Fri, 29 Jun 2012, Martin Kosek wrote:
> >On Thu, 2012-06-28 at 16:42 -0700, Joe Linoff wrote:
> >> Hi Petr:
> >>
> >> I implemented what you suggested and everything worked pretty well 
> >> but I ran into three issues that you might be able to help me with.
> >>
> >> ISSUE #1
> >> The first issue (and the most important) is that the password is only
> >> temporary. I am prompted to reset it the first time that I login. My 
> >> goal is to setup a working system quickly to test different 
> >> configurations in a batch fashion but having to reset the password 
> >> for each user makes that challenging. How can I disable the reset 
> >> requirement for my test environment?
> >>
> >>     ssh user5@cuthbert
> >>     user5@cuthbert's password:
> >>     Password expired. Change your password now.
> >>     Last login: Thu Jun 28 16:29:32 2012 from cuthbert.example.com
> >>     WARNING: Your password has expired.
> >>     You must change your password now and login again!
> >>     Changing password for user user5.
> >>     Current Password:
> >>     New password:
> >>     Retype new password:
> >>     passwd: all authentication tokens updated successfully.
> >>     Connection to cuthbert closed.
> >
> >Hi Joe,
> >
> >This is a security measure, somebody else may correct me, but I don't 
> >think this can be turned off. You can use an attached Python function 
> >which can be used to change (reset) user password via web interface.
> >Normally, this backend is used by Web UI users with expired password to
> >be able to reset it. You could use it for the same purpose from the 
> >script (function) I attached.
> What you can do is to change the same password as a user -- given that
> these are test configurations, you can:
> 0. Change minimum acceptable password lifetime to 0
>     ipa pwpolicy-mod  --minlife=0
> 1. Add all users, note their passwords
> 2. For each user:
> 2.1. kinit <user>
> 2.2. echo -e "$PASSWORD\n$PASSWORD\n$PASSWORD" | ipa passwd
> 2.3. kdestroy
> 
> This way you'll get passwords set back as those users. Or use the script
> that Martin provided.
> 
> 
> >>
> >> ISSUE #2
> >> The second issue is really more of a question. I need to add these 
> >> users to groups. My guess is that I need to setup a similar call 
> >> using the 'group_add' command. Is that right? If so, do you have an 
> >> example that I could follow?
> >
> >You can try this one:
> >
> >pprint(api.Command['group_add'](u'foogroup', description=u'foo group'))
> >{'result': {'cn': (u'foogroup',),
> >            'description': (u'foo group',),
> >            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
> >            'gidnumber': (u'4800015',),
> >            'ipauniqueid': (u'54ac6eba-c1b8-11e1-9695-001a4a104e23',),
> >            'objectclass': (u'top',
> >                            u'groupofnames',
> >                            u'nestedgroup',
> >                            u'ipausergroup',
> >                            u'ipaobject',
> >                            u'posixgroup')},
> > 'summary': u'Added group "foogroup"',
> > 'value': u'foogroup'}
> >
> >pprint(api.Command['group_add_member'](u'foogroup', user=[u'admin']))
> >{'completed': 1,
> > 'failed': {'member': {'group': (), 'user': ()}},
> > 'result': {'cn': (u'foogroup',),
> >            'description': (u'foo group',),
> >            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
> >            'gidnumber': (u'4800015',),
> >            'member_user': (u'admin',)}}
> >
> >pprint(api.Command['group_show'](u'foogroup'))
> >{'result': {'cn': (u'foogroup',),
> >            'description': (u'foo group',),
> >            'dn': u'cn=foogroup,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com',
> >            'gidnumber': (u'4800015',),
> >            'member_user': (u'admin',)},
> > 'summary': None,
> > 'value': u'foogroup'}
> >
> >>
> >> ISSUE #3
> >> The third and final issue is that I get a traceback from what 
> >> appears to be the validation in the batch command. How can I correct
> >> that?
> >>
> >>     Traceback (most recent call last):
> >>       File "./u1.py", line 35, in <module>
> >>         result = api.Command['batch'](*add_cmds)
> >>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 443, in __call__
> >>         self.validate_output(ret)
> >>       File "/usr/lib/python2.6/site-packages/ipalib/frontend.py", line 903, in validate_output
> >>         nice, o.name, o.type, type(value), value)
> >>     TypeError: batch.validate_output():
> >>       output['results']: need <type 'list'>; got <type 'tuple'>:
> Looks like you are running FreeIPA 2.1.3 as 2.2 should have this fixed
> in commit 2b077f7b0d68a758ae15a73eeef74591bac84360 in March 2012.
> 
> >You may just have found a bug. Batch command is not normally executed 
> >from XML-RPC, there may be an issue. We will investigate it.
> Martin, look at 2b077f7b0d68a758ae15a73eeef74591bac84360, I believe it
> is fixed already.
> 
> 
> --
> / Alexander Bokovoy
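
The group_add_member output quoted above carries 'completed' and 'failed' fields next to 'result'. As an added example (not code from any poster in this thread or from FreeIPA itself), a provisioning script can check those fields after each call instead of assuming every member was added. The (name, reason) shape of a failed entry, the 'nouser' sample and both function names are assumptions made for illustration.

```python
def membership_failures(result):
    """Flatten result['failed'] into sorted (member_type, name, reason) tuples."""
    failures = []
    for by_type in result.get('failed', {}).values():
        for member_type, entries in by_type.items():
            for entry in entries:
                # Assumed entry shape: (name, reason); fall back for bare names.
                if isinstance(entry, (tuple, list)) and len(entry) == 2:
                    name, reason = entry
                else:
                    name, reason = entry, u'unknown reason'
                failures.append((member_type, name, reason))
    return sorted(failures)


def verify_user_members(result, requested_users):
    """Return a list of problem strings; an empty list means every user was added."""
    problems = [u'%s %s: %s' % f for f in membership_failures(result)]
    present = set(result.get('result', {}).get('member_user', ()))
    for user in requested_users:
        if user not in present:
            problems.append(u'user %s: not listed in member_user' % user)
    done = result.get('completed', 0)
    if done != len(requested_users):
        problems.append(u'completed=%d, requested=%d' % (done, len(requested_users)))
    return problems


# Same shape as the group_add_member output quoted in the thread (trimmed).
OK_RESULT = {
    'completed': 1,
    'failed': {'member': {'group': (), 'user': ()}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}

# Constructed failure case: 'nouser' and its reason text are made up.
PARTIAL_RESULT = {
    'completed': 1,
    'failed': {'member': {'group': (),
                          'user': ((u'nouser', u'no such entry'),)}},
    'result': {'cn': (u'foogroup',), 'member_user': (u'admin',)},
}

if __name__ == '__main__':
    print(verify_user_members(OK_RESULT, [u'admin']))
    print(verify_user_members(PARTIAL_RESULT, [u'admin', u'nouser']))
```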




