Commit 4e703dd2 authored by julian.gethmann's avatar julian.gethmann

Add script to expand users password lifetime

* set_ipa_pwpolicies.py reads the group_vars/all/vault.yml and expands
the password lifetime of all activated users to five years in the future.
parent 8b2b7764
...@@ -12,12 +12,15 @@ ...@@ -12,12 +12,15 @@
For general IPA usage see get_ipa_users.py For general IPA usage see get_ipa_users.py
""" """
import ipalib from contextlib import suppress
from ipalib import api, cli from ipalib import api, cli
from pprint import pprint from pprint import pprint
from subprocess import run, PIPE
from typing import Dict
import ansible.utils
import datetime import datetime
import ipalib
import yaml import yaml
from contextlib import suppress
def bootstrap(): def bootstrap():
""" """
...@@ -29,9 +32,12 @@ def bootstrap(): ...@@ -29,9 +32,12 @@ def bootstrap():
api.finalize() api.finalize()
api.Backend.rpcclient.connect() api.Backend.rpcclient.connect()
def decrypt(filename: str) -> Dict[str, str]:
return yaml.load(run(["ansible-vault", "view", filename], stdout=PIPE).stdout)
def main(): def main():
EXPIRE = 5 * 52 # weeks EXPIRE = 5 * 52 # weeks
IPA_USER_CONFIG = "./group_vars/ipa" IPA_USER_CONFIG = "./group_vars/all/vault.yml"
bootstrap() bootstrap()
pw = api.Command.pwpolicy_find(u"global_policy")["result"] pw = api.Command.pwpolicy_find(u"global_policy")["result"]
...@@ -43,11 +49,12 @@ def main(): ...@@ -43,11 +49,12 @@ def main():
print("Set password expiration time for all users") print("Set password expiration time for all users")
new_expiretime = datetime.datetime.now() + datetime.timedelta(weeks=EXPIRE) new_expiretime = datetime.datetime.now() + datetime.timedelta(weeks=EXPIRE)
# This may be modified when using ansible vault! # TODO: This NEEDS TO BE modified when using ansible vault!
with open(IPA_USER_CONFIG, "r") as fobj: # with open(IPA_USER_CONFIG, "r") as fobj:
ipa_config = yaml.load(fobj) # ipa_config = yaml.load(fobj)
ipa_config = decrypt(IPA_USER_CONFIG)
for user in ipa_config["ipa_users"]: for user in ipa_config["vault_ipa_users"]:
if user["state"] not in ("enabled",): if user["state"] not in ("enabled",):
continue continue
user = user["name"] user = user["name"]
......
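Review bot: The new `decrypt` helper in the second hunk hands the decrypted vault text to `yaml.load` with no `Loader`, which on PyYAML releases before 5.1 is the full constructor and will instantiate arbitrary Python objects from tagged nodes; the file is a secret store, not a template, so `yaml.safe_load` is the right parser here, as it would also be for the now commented-out `yaml.load(fobj)` in the third hunk. The `run` call also omits `check=True`, so a failed `ansible-vault view` (wrong vault password, missing file) yields empty stdout, `yaml.load` returns `None`, and the script only fails later in `main` with a TypeError on `ipa_config["vault_ipa_users"]` instead of at the cause. One line covers both: `return yaml.safe_load(run(["ansible-vault", "view", filename], stdout=PIPE, check=True).stdout)`. The annotation `Dict[str, str]` does not match the use either, since `main` iterates `ipa_config["vault_ipa_users"]` as a list of user dicts, so a plain `dict` return annotation would be honest; and the three commented-out lines above the `decrypt` call in `main` (whose body runs past the hunk) should be removed now that the TODO they describe is done.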