[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Rob Crittenden via FreeIPA-users 
Julian Gethmann via FreeIPA-users wrote:
> Hello Anthony,
> 
> I don't know if there is an official tool for that, but since I once
> wrote a similar script, you might be happy with that. It requires that
> your Python 3 installation has got the IPA libraries installed and you
> have got a valid Kerberos ticket. I have tested it only on Fedora so far.
> 
> I hope it's useful for you and you can modify it to your needs.

It is probably easier to just do an ldapsearch for this.

% kinit someuser
% ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com
uid krbpasswordexpiration

Note that IPA imposes a set of search and time limits on searches which
is lower than the 389-ds default limits. If you have a lot of users
you'll bump into this.

rob

> 
> Regards,
> Julian
> 
> On 09/03/2019 05.03, freeipa-users-requ...@lists.fedorahosted.org wrote:
>> Date: Fri, 8 Mar 2019 11:50:55 -0500
>> From: Anthony Jarvis-Clark
>> Subject: [Freeipa-users] list all users and their password expiration
>> date?
>> To: FreeIPA users list
>> Message-ID:
>> 
>> Content-Type: multipart/alternative;
>> boundary="6d0281058398074b"
>>
>> --6d0281058398074b
>> Content-Type: text/plain; charset="UTF-8"
>>
>> Hello Everyone,
>>
>> Is there a command line method to get a list of users and their password
>> expiration date?
>>
>> Thanks!
>>
>> -Anthony
>>
>> --6d0281058398074b
>> Content-Type: text/html; charset="UTF-8"
>>
>> Hello Everyone,Is there a command
>> line method to get a list of users and their password expiration
>> date?Thanks!-Anthony
>>
>>
>> --6d0281058398074b--
> 
> 
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> 
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

[Freeipa-users] Re: FreeIPA-users Digest, Vol 23, Issue 8

2019-03-11 Thread Julian Gethmann via FreeIPA-users 

Hello Anthony,

I don't know if there is an official tool for that, but since I once 
wrote a similar script, you might be happy with that. It requires that 
your Python 3 installation has got the IPA libraries installed and you 
have got a valid Kerberos ticket. I have tested it only on Fedora so far.


I hope it's useful for you and you can modify it to your needs.

Regards,
Julian

On 09/03/2019 05.03, freeipa-users-requ...@lists.fedorahosted.org wrote:

Date: Fri, 8 Mar 2019 11:50:55 -0500
From: Anthony Jarvis-Clark
Subject: [Freeipa-users] list all users and their password expiration
date?
To: FreeIPA users list
Message-ID:

Content-Type: multipart/alternative;
boundary="6d0281058398074b"

--6d0281058398074b
Content-Type: text/plain; charset="UTF-8"

Hello Everyone,

Is there a command line method to get a list of users and their password
expiration date?

Thanks!

-Anthony

--6d0281058398074b
Content-Type: text/html; charset="UTF-8"

Hello Everyone,Is there a command line method to get a list of users and their password expiration 
date?Thanks!-Anthony

--6d0281058398074b--
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

"""
   Export the IPA users in the YAML format.

   You need to have a valid Kerberos ticket (e. g. `kinit -f ad...@example.com`)

   :Authors: Julian Gethmann
   :Contact: free...@gethmann.org
"""
from ipalib import api, cli
import datetime

# https://www.redhat.com/archives/freeipa-users/2012-June/msg00334.html +
# https://www.redhat.com/archives/freeipa-devel/2015-June/msg00478.html +
# https://www.redhat.com/archives/freeipa-users/2016-May/msg00141.html
# use the API overview in the web based backend and use `bash $ ipa console`
#
# mailing list:
# $ ipa console
# (Custom IPA interactive Python console)
# >>> len(api.Command.user_find()['result'][0])
# 11
# >>> len(api.Command.user_find(all=True)['result'][0])
#
def bootstrap():
 """
 Bootstrap the script.
 I hope that all of this stuff is re-entrant.
 Also, api is defined in __init__.py.
 """
 api.bootstrap_with_global_options(context='cli')
 api.finalize()
 api.Backend.rpcclient.connect()

def main():
bootstrap()
api.Command.user_show(u'admin')
users = api.Command.user_find()['result']
print('\n'.join((
'''  - firstname: {fname}
name: {name}
uid: {uid}
state: {state}
expiration: {expire}
'''.format(
name=user['uid'][0],
fname=user.get('givenname', '-')[0],
uid=user['uidnumber'][0],
# This is the line you are interested in
expire=api.Command.user_show(user['uid'][0], all=True)["result"].get("krbpasswordexpiration",
(datetime.datetime(1970, 1, 1),))[0],
state={False: 'enabled', True: 'disabled'}[user['nsaccountlock']]
) for user in users))
)

if __name__ == "__main__":
import sys
if len(sys.argv) > 1:
print(__doc__)
sys.exit(0)
main()
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org