I totally understand where you're coming from. You guys have always been
great and extremely helpful, and I appreciate that. I have adjusted the
playbook to look at the first 5 users, and the anonymized output is below.
Thanks,
Harry
TASK [Show user info]
**************************************************************************************************************************************************************************************
ok: [localhost] => {
"msg": [
{
"pwdchg": null,
"uid": "user1"
},
{
"pwdchg": "20240124144409Z",
"uid": "user2"
},
{
"pwdchg": "20231212115535Z",
"uid": "user3"
},
{
"pwdchg": null,
"uid": "user4"
},
{
"pwdchg": "20240115133407Z",
"uid": "user5"
}
]
}
On Monday, February 26, 2024 at 2:14:15 PM UTC-5 Todd Lewis wrote:
> Normally I would change
>
> krblastpwdchange[0].__datetime__
>
> to
>
> krblastpwdchange[0].__datetime__ | default('0')
>
> but your expression is part of json_query(). Perhaps there's an
> equivalent of Jinja's default() in json_query(); I just don't know.
>
> Without standing up an IPA instance and experimenting, I don't see a way
> to derive what your user_show data looks like. (I did that a year or two
> ago to answer a similar question, but I'm a bit swamped at the moment.)
> Perhaps if you could give us the first couple of records from your
> registered user_show data — the first one that's throwing the error and
> another one or two that has what you expect, anonymized as appropriate of
> course — that would give us enough information about your data's structure
> to suggest some expressions to try.
>
> Including the playbook helps a whole lot; alas, without sample data or an
> IPA instance to play with it's not sufficient to give you a definitive
> answer. Well, at least I can't.
>
> I know this sort of problem can be extremely frustrating, and you've been
> patient in asking. We really do want to help, honestly. But the IPA thing
> is one level of niche, and very few people are versed in json_query() so
> that adds yet another level of niche. But if you can provide the sample
> data I mentioned before I think we can make some progress.
> --
> Todd
>
>
> On 2/26/24 9:43 AM, lift...@gmail.com wrote:
>
> I'm including the playbook below. I'm still unable to find a way to
> ignore any user that does not have the krblastpwdchange property set. When
> I run the playbook, I still get the following error:
>
> TASK [Find users who's password will expire in the next 10 days]
> *******************************************************************************************************************************************
> fatal: [localhost]: FAILED! => {"msg": "Unexpected templating type error
> occurred on ({{ user_show.results |
> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined') |
> selectattr('pwdchg', '<', expire_date) | list }}): '<' not supported
> between instances of 'NoneType' and 'AnsibleUnsafeText'. '<' not supported
> between instances of 'NoneType' and 'AnsibleUnsafeText'"}
>
> Playbook:
>
> ---
> - name: Gather User Password Expiration information from IDM server
> hosts: localhost
> gather_facts: no
>
> pre_tasks:
> - setup:
> filter: 'ansible_date_time'
>
> vars_files:
> - /etc/ansible/vault.yml
>
> vars:
> idmfqdn: idmserver
> binduser: 'admin'
> bindpasswd: '{{ secure_ipa_pass }}'
> warning_days: 10
>
> tasks:
>
> - name: Set list of users to ignore
> ansible.builtin.set_fact:
> ignore_users:
> - "root"
> - "some.user"
> - "some.c-ctr.user"
> - "test.redhat"
> - "admin"
>
> - name: Login to IDM use returned cookie to access the API in later tasks
> ansible.builtin.uri:
> url: "https://{{idmfqdn}}/ipa/session/login_password";
> <https://%7B%7Bidmfqdn%7D%7D/ipa/session/login_password>
> method: POST
> headers:
> Referer: "https://{{idmfqdn}}/ipa";
> <https://%7B%7Bidmfqdn%7D%7D/ipa>
> Content-Type: "application/x-www-form-urlencoded"
> Accept: "text/plain"
> body_format: form-urlencoded
> body:
> user: "{{binduser}}"
> password: "{{bindpasswd}}"
> status_code: 200
> follow_redirects: all
> register: login
>
> - name: Get IDM API version using previously stored session cookie
> ansible.builtin.uri:
> url: "https://{{idmfqdn}}/ipa/session/json";
> <https://%7B%7Bidmfqdn%7D%7D/ipa/session/json>
> method: POST
> headers:
> Cookie: "{{ login.set_cookie }}"
> Referer: "https://{{idmfqdn}}/ipa";
> <https://%7B%7Bidmfqdn%7D%7D/ipa>
> Content-Type: "application/json"
> Accept: "application/json"
> body_format: json
> body: '{"method": "ping","params": [[],{}]}'
> register: api_vers_out
>
> - name: Set fact for api version
> ansible.builtin.set_fact:
> api_vers: "{{
> api_vers_out.json.result.messages|json_query('[*].data.server_version')|join()
>
> }}"
>
> - name: Run user_find from IDM API using previously stored session cookie
> ansible.builtin.uri:
> url: "https://{{idmfqdn}}/ipa/session/json";
> <https://%7B%7Bidmfqdn%7D%7D/ipa/session/json>
> method: POST
> headers:
> Cookie: "{{ login.set_cookie }}"
> Referer: "https://{{idmfqdn}}/ipa";
> <https://%7B%7Bidmfqdn%7D%7D/ipa>
> Content-Type: "application/json"
> Accept: "application/json"
> body_format: json
> body: "{\"method\": \"user_find/1\",\"params\": [[],{\"version\":
> \"{{ api_vers }}\"}]}"
> no_log: true
> register: user_find
>
> - name: Set users fact
> ansible.builtin.set_fact:
> uid: "{{
> user_find.json.result.result|map(attribute='uid')|flatten|difference(ignore_users)
>
> }}"
>
> - name: Run user_show from IDM API using previously stored session cookie
> ansible.builtin.uri:
> url: "https://{{idmfqdn}}/ipa/session/json";
> <https://%7B%7Bidmfqdn%7D%7D/ipa/session/json>
> method: POST
> headers:
> Cookie: "{{ login.set_cookie }}"
> Referer: "https://{{idmfqdn}}/ipa";
> <https://%7B%7Bidmfqdn%7D%7D/ipa>
> Content-Type: "application/json"
> Accept: "application/json"
> body_format: json
> body: "{\"method\": \"user_show\",\"params\": [[ \"{{ item
> }}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
> register: user_show
> loop: "{{ uid | json_query('[:1]') }}"
>
>
> - name: Set expire date
> ansible.builtin.set_fact:
> expire_date: '{{ lookup(''pipe'', ''date -u --date="today + {{
> warning_days }} days" +%Y%m%d000000Z'') }}'
>
> - name: Show expire date
> ansible.builtin.debug:
> msg: "{{ expire_date }}"
>
> - name: Show user info
> debug:
> msg: "{{ user_show.results |
> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
> krblastpwdchange[0].__datetime__}') }}"
>
> - name: Find users who's password will expire in the next {{
> warning_days }} days
> ansible.builtin.set_fact:
> pwd_expire_soon: "{{ user_show.results |
> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'defined') |
> selectattr('pwdchg', '<', expire_date) | list }}"
>
> - name: Show accounts that are due to expire in the next {{ warning_days
> }} days
> ansible.builtin.debug:
> msg: "{{ pwd_expire_soon }}"
>
> Thanks,
> Harry
> On Friday, February 23, 2024 at 2:54:06 PM UTC-5 lift...@gmail.com wrote:
>
>> So it looks like the VERY 1st user in our system has never logged in, so
>> the krblaspwdchange property has never gotten set. Is there a way to
>> ignore when that field doesn't exist or is null?
>>
>> Thanks,
>> Harry
>>
>> On Friday, February 23, 2024 at 2:46:07 PM UTC-5 Todd Lewis wrote:
>>
>>> The original problem is you're comparing 'NoneType' and 'str'. So, for
>>> at least one of your principals there's no krblastpwdchange. You need to
>>> work on the subset of data relevant to the comparison.
>>>
>>>
>>> On 2/23/24 2:09 PM, lift...@gmail.com wrote:
>>>
>>> I'm not including the entire playbook, but the URI module call where
>>> user_show gets registered, then the debug statements:
>>>
>>> - name: Run user_show from IDM API using previously stored session
>>> cookie
>>> ansible.builtin.uri:
>>> url: "https://{{idmfqdn}}/ipa/session/json";
>>> <https://%7B%7Bidmfqdn%7D%7D/ipa/session/json>
>>> method: POST
>>> headers:
>>> Cookie: "{{ login.set_cookie }}"
>>> Referer: "https://{{idmfqdn}}/ipa";
>>> <https://%7B%7Bidmfqdn%7D%7D/ipa>
>>> Content-Type: "application/json"
>>> Accept: "application/json"
>>> body_format: json
>>> body: "{\"method\": \"user_show\",\"params\": [[ \"{{ item
>>> }}\"],{\"all\": true,\"version\": \"{{ api_vers }}\"}]}"
>>> register: user_show
>>> loop: "{{ uid | json_query('[:10]') }}"
>>>
>>>
>>> - name: Set expire date
>>> ansible.builtin.set_fact:
>>> expire_date: '{{ lookup(''pipe'', ''date -u --date="today + 10
>>> days" +%Y%m%d000000Z'') }}'
>>>
>>> - name: Show expire date
>>> ansible.builtin.debug:
>>> msg: "{{ expire_date }}"
>>>
>>> - name: Show user info
>>> debug:
>>> msg: "{{ user_show.results |
>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
>>> krblastpwdchange[0].__datetime__}') }}"
>>>
>>> Thanks,
>>> Harry
>>> On Friday, February 23, 2024 at 1:58:04 PM UTC-5 Todd Lewis wrote:
>>>
>>>> Without showing us the expression you used in your debug's "msg:", this
>>>> doesn't tell us anything.
>>>>
>>>>
>>>> On 2/23/24 1:05 PM, lift...@gmail.com wrote:
>>>>
>>>> Looks OK to me:
>>>>
>>>> TASK [Show user info]
>>>> **************************************************************************************************************************************************************************************
>>>> ok: [localhost] => {
>>>> "msg": [
>>>> {
>>>> "pwdchg": "20210416141027Z",
>>>> "uid": "user1"
>>>> }
>>>> ]
>>>> }
>>>>
>>>>
>>>> Thanks,
>>>> Harry
>>>> On Friday, February 23, 2024 at 12:13:07 PM UTC-5 Rowe, Walter P. (Fed)
>>>> wrote:
>>>>
>>>>> {{ user_show.results | json_query('[*].json.result.result.{uid:
>>>>> uid[0], pwdchg: krblastpwdchange[0].__datetime__}') }}
>>>>>
>>>>> I would display this info in a debug to see what the resulting data
>>>>> stream looks like. Maybe the selectattr('pwdchg') is in inaccurate
>>>>> reference to pwdchg?
>>>>>
>>>>>
>>>>> Walter
>>>>> --
>>>>> Walter Rowe, Division Chief
>>>>> Infrastructure Services Division
>>>>> Mobile: 202.355.4123 <(202)%20355-4123>
>>>>>
>>>>> On Feb 23, 2024, at 12:09 PM, lift...@gmail.com <lift...@gmail.com>
>>>>> wrote:
>>>>>
>>>>> Just pull out those fields from the returned user information. I use
>>>>> that in 2 or 3 other playbooks so I know that it works.
>>>>>
>>>>> Thanks,
>>>>> Harry
>>>>>
>>>>> On Friday, February 23, 2024 at 11:53:04 AM UTC-5 Rowe, Walter P.
>>>>> (Fed) wrote:
>>>>>
>>>>>> pwd_expire_soon: "{{ user_show.results |
>>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
>>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg',
>>>>>> 'lessthan', 'expire_date') | list }}"
>>>>>>
>>>>>> What are you expecting this red portion to do? I don't think it is
>>>>>> valid in json_query.
>>>>>>
>>>>>> Walter
>>>>>> --
>>>>>> Walter Rowe, Division Chief
>>>>>> Infrastructure Services Division
>>>>>> Mobile: 202.355.4123 <(202)%20355-4123>
>>>>>>
>>>>>> On Feb 23, 2024, at 11:30 AM, lift...@gmail.com <lift...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>> I am trying to determine when user's password's are going to expire
>>>>>> in the next 10 days. After I traverse my FreeIPA users and store those
>>>>>> users into a variable, I try to set a fact like so:
>>>>>> - name: Find users who's password will expire in the next 10 days
>>>>>> set_fact:
>>>>>> pwd_expire_soon: "{{ user_show.results |
>>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
>>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'lessthan',
>>>>>> 'expire_date') | list }}"
>>>>>>
>>>>>> When I run my playbook, I get the following error:
>>>>>>
>>>>>> fatal: [localhost]: FAILED! => {"msg": "Unexpected templating type
>>>>>> error occurred on ({{ user_show.results |
>>>>>> json_query('[*].json.result.result.{uid: uid[0], pwdchg:
>>>>>> krblastpwdchange[0].__datetime__}') | selectattr('pwdchg', 'lessthan',
>>>>>> 'expire_date') | list }}): '<' not supported between instances of
>>>>>> 'NoneType' and 'str'. '<' not supported between instances of 'NoneType'
>>>>>> and
>>>>>> 'str'"}
>>>>>>
>>>>>> I can't seem to find what the issue is. I originally had '<'
>>>>>> instead of 'lessthan' but got the same error. Any ideas?
>>>>>>
>>>>>> Thanks,
>>>>>> Harry
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "Ansible Project" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to ansible-proje...@googlegroups.com.
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/d/msgid/ansible-project/a1131cb0-bc23-46bb-afbf-ca9ad6f4ce34n%40googlegroups.com
>>>>>>
>>>>>> <https://groups.google.com/d/msgid/ansible-project/a1131cb0-bc23-46bb-afbf-ca9ad6f4ce34n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>>> .
>>>>>>
>>>>>>
>>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "Ansible Project" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to ansible-proje...@googlegroups.com.
>>>>>
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/ansible-project/c0b4de3d-50e2-4fff-85b1-0437076137dcn%40googlegroups.com
>>>>>
>>>>> <https://groups.google.com/d/msgid/ansible-project/c0b4de3d-50e2-4fff-85b1-0437076137dcn%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .
>>>>>
>>>>>
>>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Ansible Project" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to ansible-proje...@googlegroups.com.
>>>>
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/ansible-project/f76c158f-1107-4d10-8977-12638128d056n%40googlegroups.com
>>>>
>>>> <https://groups.google.com/d/msgid/ansible-project/f76c158f-1107-4d10-8977-12638128d056n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>> .
>>>>
>>>>
>>>> --
>>>> Todd
>>>>
>>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ansible-proje...@googlegroups.com.
>>>
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/6c29210e-e854-414c-9007-13c37edb3265n%40googlegroups.com
>>>
>>> <https://groups.google.com/d/msgid/ansible-project/6c29210e-e854-414c-9007-13c37edb3265n%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>>
>>> --
>>> Todd
>>>
>>> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/11a5adb1-a9ff-4e30-93ec-ab7b44488c04n%40googlegroups.com
>
> <https://groups.google.com/d/msgid/ansible-project/11a5adb1-a9ff-4e30-93ec-ab7b44488c04n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
>
> --
> Todd
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ansible-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/58fda1ea-1fe7-4608-a7e8-a8c2e1a5001fn%40googlegroups.com.
