[Freeipa-users] scripting ipa commands

2014-03-06 Thread KodaK
Once again, I'm probably missing something that's well documented.  I
promise I searched.

We have a daily termination list that needs to be enforced at 5:00 PM every
day.  I can script it up just fine, but sometimes I like to sneak out early.

I tried to use at, but since I'm logged out when the job runs there's no
ticket and the ipa commands fail.

ex:

echo sh terminate | at 5:00 PM Friday

works if I'm logged in with a ticket (terminate contains the ipa command
to disable / delete users.)

Is there some way to automate this?  I can leave a terminal open on a VM as
a work-around, but I'd like to be cleaner if I can.

--Jason
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] scripting ipa commands

2014-03-06 Thread JR Aquino
If you don't find an answer for doing it -minus- a ticket, here is what I would 
suggest.

Create a service user whose only role permissions give them the ability to
delete users.

Then perform a getkeytab for the user:
ipa-getkeytab -s ipa.example.com -p <user name to export>@EXAMPLE.COM -k /path/to/username.keytab

Then associate the following along with your cron.  I would also recommend a 
kdestroy -after- the task is run.
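#!/bin/bash

###
# Auto Kinit

# klist -s exits non-zero when there is no valid (unexpired) ticket cache
/usr/kerberos/bin/klist -s
EXITCODE=$?
if [ $EXITCODE != 0 ] ; then
    # discard any stale cache, then get a fresh ticket from the keytab
    /usr/kerberos/bin/kdestroy > /dev/null 2>&1
    /usr/kerberos/bin/kinit -F usern...@example.com -k -t /path/to/username.keytab
fi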


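One way to wrap the keytab approach from the reply above into a single cron job, as an added example that is not part of the thread. The service principal name, the keytab path, the list-file format (one login per line) and the use of `ipa user-disable` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Principal, paths and list format are assumptions.
PRINCIPAL="${PRINCIPAL:-svc-terminate@EXAMPLE.COM}"          # hypothetical service user
KEYTAB="${KEYTAB:-/etc/ipa-terminate/svc-terminate.keytab}"  # hypothetical keytab path
FAILED=0

# A keytab is a long-lived credential: require a regular file with no
# group/other permission bits (characters 5-10 of the ls mode string).
keytab_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Disable every login named in the list file (one per line, '#' comments).
# Returns 0 if all succeeded, 1 if any entry failed, 2/3 on setup errors.
run_terminations() {
    list=$1
    FAILED=0
    keytab_is_private "$KEYTAB" || { echo "keytab missing or not private" >&2; return 2; }

    # Private per-run cache: the ticket never touches a shared default cache.
    ccfile=$(mktemp "${TMPDIR:-/tmp}/krb5cc_terminate.XXXXXX") || return 3
    KRB5CCNAME="FILE:$ccfile"; export KRB5CCNAME
    if ! kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        rm -f "$ccfile"; return 3
    fi

    while IFS= read -r login; do
        case "$login" in
            ''|'#'*) continue ;;                       # blank line or comment
            -*|*[!A-Za-z0-9._-]*)                      # not a plain login name
                echo "skipping invalid entry: $login" >&2
                FAILED=$((FAILED + 1)); continue ;;
        esac
        # stdin from /dev/null so ipa cannot consume the rest of the list
        ipa user-disable "$login" </dev/null || FAILED=$((FAILED + 1))
    done < "$list"

    # Destroy the ticket after the task, as the reply recommends.
    kdestroy >/dev/null 2>&1
    rm -f "$ccfile"
    [ "$FAILED" -eq 0 ]
}

# Run only when given a list file, e.g. from cron at 17:00:
#   0 17 * * * /usr/local/sbin/ipa-terminate.sh /path/to/termination.list
if [ $# -ge 1 ]; then
    run_terminations "$1"
    exit $?
fi
```

The non-zero exit status on any failed or rejected entry lets cron's mail or a monitoring check surface a termination that did not happen.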

Re: [Freeipa-users] scripting ipa commands [solved]

2014-03-06 Thread KodaK
That's pretty much exactly what I was looking for.

Thanks JR.

--Jason


-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6