Commit 4e703dd2 authored by julian.gethmann's avatar julian.gethmann

Add script to expand users password lifetime

* set_ipa_pwpolicies.py reads the group_vars/all/vault.yml and expands
the password lifetime of all activated users to five years in the future.
parent 8b2b7764
......@@ -12,12 +12,15 @@
For general IPA usage see get_ipa_users.py
"""
import ipalib
from contextlib import suppress
from ipalib import api, cli
from pprint import pprint
from subprocess import run, PIPE
from typing import Dict
import ansible.utils
import datetime
import ipalib
import yaml
from contextlib import suppress
def bootstrap():
"""
......@@ -29,9 +32,12 @@ def bootstrap():
api.finalize()
api.Backend.rpcclient.connect()
def decrypt(filename: str) -> Dict[str, str]:
return yaml.load(run(["ansible-vault", "view", filename], stdout=PIPE).stdout)
def main():
EXPIRE = 5 * 52 # weeks
IPA_USER_CONFIG = "./group_vars/ipa"
IPA_USER_CONFIG = "./group_vars/all/vault.yml"
bootstrap()
pw = api.Command.pwpolicy_find(u"global_policy")["result"]
......@@ -43,11 +49,12 @@ def main():
print("Set password expiration time for all users")
new_expiretime = datetime.datetime.now() + datetime.timedelta(weeks=EXPIRE)
# This may be modified when using ansible vault!
with open(IPA_USER_CONFIG, "r") as fobj:
ipa_config = yaml.load(fobj)
# TODO: This NEEDS TO BE modified when using ansible vault!
# with open(IPA_USER_CONFIG, "r") as fobj:
# ipa_config = yaml.load(fobj)
ipa_config = decrypt(IPA_USER_CONFIG)
for user in ipa_config["ipa_users"]:
for user in ipa_config["vault_ipa_users"]:
if user["state"] not in ("enabled",):
continue
user = user["name"]
......
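Review bot: The new `decrypt()` parses the vault output with bare `yaml.load` and never checks the exit status of `ansible-vault view`. A wrong vault password or a missing file therefore produces empty output, `yaml.load` returns `None`, and `main()` (which continues past the visible lines) fails later at `ipa_config["vault_ipa_users"]` with an unrelated `TypeError`. I would write the body as `return yaml.safe_load(run(["ansible-vault", "view", filename], stdout=PIPE, check=True).stdout)`, so a failed decrypt stops the script before any password policy is touched. `safe_load` also keeps the file from constructing arbitrary Python objects, which plain user data never needs. The `Dict[str, str]` return annotation does not match the use below, where `vault_ipa_users` is iterated as a list of mappings with `state` and `name` keys.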