[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Julian Gethmann via FreeIPA-users

Hello Anthony,

I don't know if there is an official tool for that, but since I once 
wrote a similar script, you might be happy with that. It requires that 
your Python 3 installation has got the IPA libraries installed and you 
have got a valid Kerberos ticket. I have tested it only on Fedora so far.


I hope it's useful for you and you can modify it to your needs.

Regards,
Julian

On 09/03/2019 05.03, freeipa-users-requ...@lists.fedorahosted.org wrote:

Date: Fri, 8 Mar 2019 11:50:55 -0500
From: Anthony Jarvis-Clark
Subject: [Freeipa-users] list all users and their password expiration date?
To: FreeIPA users list

Hello Everyone,

Is there a command line method to get a list of users and their password
expiration date?

Thanks!

-Anthony

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
   Export the IPA users in the YAML format.

   You need to have a valid Kerberos ticket (e. g. `kinit -f ad...@example.com`)

   :Authors: Julian Gethmann
   :Contact: free...@gethmann.org
"""
import datetime

from ipalib import api

# https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html +
# https://www.redhat.com/archives/freeipa-devel/2015-June/msg00478.html +
# https://www.redhat.com/archives/freeipa-users/2016-May/msg00141.html
# use the API overview in the web based backend and use `bash $ ipa console`
#
# mailing list:
# $ ipa console
# (Custom IPA interactive Python console)
# >>> len(api.Command.user_find()['result'][0])
# 11
# >>> len(api.Command.user_find(all=True)['result'][0])
#
def bootstrap():
    """
    Bootstrap the script.
    I hope that all of this stuff is re-entrant.
    Also, api is defined in __init__.py.
    """
    api.bootstrap_with_global_options(context='cli')
    api.finalize()
    api.Backend.rpcclient.connect()


def main():
    bootstrap()
    # Sanity check: fails early if there is no ticket or the server is unreachable.
    api.Command.user_show(u'admin')
    # sizelimit=0 lifts the server-side search limit, so really *all* users come back.
    users = api.Command.user_find(sizelimit=0)['result']
    # Fallback for accounts without krbPasswordExpiration (no password set): the epoch.
    no_expiry = (datetime.datetime(1970, 1, 1),)
    print('\n'.join((
        '''  - firstname: {fname}
    name: {name}
    uid: {uid}
    state: {state}
    expiration: {expire}
'''.format(
            name=user['uid'][0],
            fname=user.get('givenname', ['-'])[0],
            uid=user['uidnumber'][0],
            # This is the line you are interested in
            expire=api.Command.user_show(user['uid'][0], all=True)['result'].get(
                'krbpasswordexpiration', no_expiry)[0],
            # nsaccountlock is a plain bool in user_find results
            state={False: 'enabled', True: 'disabled'}[user['nsaccountlock']]
        ) for user in users))
    )


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(__doc__)
        sys.exit(0)
    main()
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
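For the same question answered from the command line rather than through ipalib, here is an added example (not part of the original thread): it parses the text that `ipa user-find --all` prints, so it needs neither the IPA Python libraries nor a live Kerberos ticket and can be run on saved output. It assumes the CLI labels "User login", "Account disabled" and "Password expiration", and that the expiration is printed in LDAP generalized time (e.g. 20190601120000Z, UTC). The sample output, the account names and the 14-day warning window are constructed for the example.

```python
"""Report which FreeIPA users have expired or soon-expiring passwords.

Run on saved CLI output:  ipa user-find --all > users.txt
                          python3 pw_expiry_report.py users.txt 14
Without arguments it runs on the constructed SAMPLE_OUTPUT below.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"           # how `ipa` prints krbPasswordExpiration
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")  # indented "Label: value" lines

# Constructed sample of `ipa user-find --all` output (not real accounts).
SAMPLE_OUTPUT = """\
--------------
5 users matched
--------------
  dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
  User login: admin
  Last name: Administrator
  Account disabled: False
  Password expiration: 20190801120000Z

  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
  User login: alice
  First name: Alice
  Last name: Liddell
  Account disabled: False
  Password expiration: 20190315080000Z

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
  User login: bob
  First name: Bob
  Last name: Builder
  Account disabled: False
  Password expiration: 20190201000000Z

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
  User login: carol
  First name: Carol
  Last name: Danvers
  Account disabled: False

  dn: uid=svc-backup,cn=users,cn=accounts,dc=example,dc=com
  User login: svc-backup
  First name: Backup
  Last name: Service
  Account disabled: True
  Password expiration: 20190101000000Z
----------------------------
Number of entries returned 5
----------------------------
"""


def parse_user_find(text):
    """Turn `ipa user-find` output into one {label: value} dict per user."""
    users, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:  # a blank line closes an entry
            users.append(current)
            current = {}
    if current:
        users.append(current)
    return users


def password_state(entry, now, warn_days):
    """Classify one user as disabled, expired, expiring, ok or no-expiration."""
    if entry.get("Account disabled") == "True":
        return "disabled"
    raw = entry.get("Password expiration")
    if raw is None:
        # No krbPasswordExpiration attribute: no password has been set
        # (or it never expires), so there is nothing to report on.
        return "no-expiration"
    expiry = datetime.strptime(raw, GENERALIZED_TIME)
    if expiry <= now:
        return "expired"
    if expiry - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def expiry_states(text, now_text, warn_days=14):
    """Map login -> state for every user in `text`, judged at `now_text` (UTC)."""
    now = datetime.strptime(now_text, GENERALIZED_TIME)
    return {u.get("User login", "?"): password_state(u, now, warn_days)
            for u in parse_user_find(text)}


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_OUTPUT
    warn_days = int(argv[2]) if len(argv) > 2 else 14
    now = datetime.now(timezone.utc).strftime(GENERALIZED_TIME)
    states = expiry_states(text, now, warn_days)
    for login, state in sorted(states.items(), key=lambda kv: (kv[1], kv[0])):
        print("%-14s %s" % (state, login))
    # Non-zero exit when something is expired, so the script can feed a cron job.
    return 1 if "expired" in states.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Disabled accounts are reported as such before their expiration is looked at, so a locked service account does not show up as "expired"; accounts without the attribute are listed separately because they are the ones that usually deserve a second look (no password ever set, or a policy with no maximum lifetime).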


[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Julian Gethmann via FreeIPA-users

On 08/14/2017 09:51 PM, Rob Crittenden wrote:

Julian Gethmann wrote:

On 08/14/2017 05:46 PM, Rob Crittenden wrote:

Julian Gethmann wrote:

Hello,

On 08/14/2017 04:21 PM, Rob Crittenden wrote:

Julian Gethmann via FreeIPA-users wrote:

Hello,

Unfortunately I don't know when this problem occurred first, but it
may
have occurred after an update.
The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl
start"
or "systemctl start httpd"
If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
Server-Cert" does find a certificate, if I get the output [1] right.


ipa-getcert shows certs that are tracked by certmonger but doesn't
guarantee that those certificates actually exist in the filesystem
(they
did at the time tracking was started).

You need to look at the Apache NSS database:

# certutil -L -d /etc/httpd/alias

Ok, I also did this, but it seems to be there
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C



I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache
0640

OK, the DBs were "root:apache 0660", but they were readable at least, and
making them 0640 did not help either.


If that checks out, look for SELinux issues by starting httpd then
running: ausearch -m AVC -ts recent

I disabled SELinux for testing it, but that did not work. Now I also
tested:
# ausearch -m AVC -ts recent




As a last resort perhaps the NSS database is corrupted. You can exercise
it with:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt

You should get: certutil: certificate is valid


I do get it:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt
certutil: certificate is valid


If I just want to start httpd and not via IPA or with --force I get a
different error, which I think might be because the services started
before httpd in the IPA start-up-phase aren't running since the start of
IPA aborted:

-- Unit httpd.service has begun starting up.
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
Traceback (most recent call last):
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
self.con.do_bind(timeout=self.time_limit)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
self.do_external_bind(pw_name, timeout=timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
self.__bind_with_wait(self.external_bind, timeout, user_name)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
self.__wait_for_connection(timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:
wait_for_open_socket(lurl.hostport, timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: raise e
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error:
[Errno 111] Connection refused
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service:
Control process exited, code=exited status=1
Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The
Apache HTTP Server.



The KDC proxy needs to tal

[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Julian Gethmann via FreeIPA-users

On 08/14/2017 05:46 PM, Rob Crittenden wrote:

Julian Gethmann wrote:

Hello,

On 08/14/2017 04:21 PM, Rob Crittenden wrote:

Julian Gethmann via FreeIPA-users wrote:

Hello,

Unfortunately I don't know when this problem occurred first, but it may
have occurred after an update.
The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
or "systemctl start httpd"
If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
Server-Cert" does find a certificate, if I get the output [1] right.


ipa-getcert shows certs that are tracked by certmonger but doesn't
guarantee that those certificates actually exist in the filesystem (they
did at the time tracking was started).

You need to look at the Apache NSS database:

# certutil -L -d /etc/httpd/alias

Ok, I also did this, but it seems to be there
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C



I'd check FS permissions. /etc/httpd/alias/*.db should be root:apache 0640
OK, the DBs were "root:apache 0660", but they were readable at least, and
making them 0640 did not help either.


If that checks out, look for SELinux issues by starting httpd then
running: ausearch -m AVC -ts recent

I disabled SELinux for testing it, but that did not work. Now I also tested:
# ausearch -m AVC -ts recent




As a last resort perhaps the NSS database is corrupted. You can exercise
it with:

# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f
/etc/httpd/alias/pwdfile.txt

You should get: certutil: certificate is valid


I do get it:
# certutil -V -u V -n Server-Cert -d /etc/httpd/alias -e -f 
/etc/httpd/alias/pwdfile.txt

certutil: certificate is valid

rob




If I just want to start httpd and not via IPA or with --force I get a 
different error, which I think might be because the services started 
before httpd in the IPA start-up-phase aren't running since the start of 
IPA aborted:


-- Unit httpd.service has begun starting up.
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
Traceback (most recent call last):
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/libexec/ipa/ipa-httpd-kdcproxy", line 84, in _ldap_con
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
self.con.do_bind(timeout=self.time_limit)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
self.do_external_bind(pw_name, timeout=timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
self.__bind_with_wait(self.external_bind, timeout, user_name)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
self.__wait_for_connection(timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 16
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
wait_for_open_socket(lurl.hostport, timeout)
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]:   File 
"/usr/lib/python2.7/site-packages/ipapython/ipautil.py", line 13
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: 
raise e
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: error: 
[Errno 111] Connection refused
Aug 14 19:05:14 ipa_server.example.com ipa-httpd-kdcproxy[22551]: ipa : ERROR Unknown error while retrieving setting from ldap
Aug 14 19:05:14 ipa_server.example.com systemd[1]: httpd.service: 
Control process exited, code=exited status=1
Aug 14 19:05:14 ipa_server.example.com audit[1]: SERVICE_START pid=1 
uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s
Aug 14 19:05:14 ipa_server.example.com systemd[1]: Failed to start The 
Apache HTTP Server.


[Freeipa-users] Re: HTTPD does not start when NSS enabled

2017-08-14 Thread Julian Gethmann via FreeIPA-users

Hello,

On 08/14/2017 04:21 PM, Rob Crittenden wrote:

Julian Gethmann via FreeIPA-users wrote:

Hello,

Unfortunately I don't know when this problem occurred first, but it may
have occurred after an update.
The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl start"
or "systemctl start httpd"
If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n
Server-Cert" does find a certificate, if I get the output [1] right.


ipa-getcert shows certs that are tracked by certmonger but doesn't
guarantee that those certificates actually exist in the filesystem (they
did at the time tracking was started).

You need to look at the Apache NSS database:

# certutil -L -d /etc/httpd/alias

Ok, I also did this, but it seems to be there
# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
ipaCert                                                      u,u,u
Server-Cert                                                  Pu,u,u
EXAMPLE.COM IPA CA                                           CT,C,C

Thanks,
Julian


rob



[Freeipa-users] HTTPD does not start when NSS enabled

2017-08-13 Thread Julian Gethmann via FreeIPA-users

Hello,

Unfortunately I don't know when this problem occurred first, but it may 
have occurred after an update.

The httpd does not start and aborts with the error

[:info] [pid 15383] Using nickname Server-Cert.
[...] [:error] [pid 15383] Certificate not found: 'Server-Cert'

when I want to start FreeIPA via "systemctl start ipa" or "ipactl start" 
or "systemctl start httpd"

If I turn the NSSEngine off it starts, of course.

In contrast to this message "ipa-getcert list -d /etc/httpd/alias/ -n 
Server-Cert" does find a certificate, if I get the output [1] right.


ipa-server-upgrade also complained about httpd not starting, so I 
tried to run it with "NSSEngine off", which made the upgrade run through, 
but did not fix the problem with httpd.


My System:
(After running "ipa-server-upgrade" without any failures, but with 
"NSSEngine off")


# ipa --version
VERSION: 4.4.4, API_VERSION: 2.215

on Fedora Server 26

CA-Server at main IPA-Server (which is failing now)

/etc/hosts has got the fqdn in the first line
and DNS is not installed.


[1] # ipa-getcert list -d /etc/httpd/alias/ -n Server-Cert
Number of certificates and requests being tracked: 8.
Request ID '20160718102648':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=EXAMPLE.COM
subject: CN=ipa_server.example.com,O=EXAMPLE.COM
expires: 2018-03-24 14:33:00 CET
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Many thanks in advance,

Julian