Commit aeb890af authored by julian.gethmann's avatar julian.gethmann

Add script to adjust the expiration dates

parent a01a127a
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Set the password expiration dates to a (very relaxed) value set via the
global variable `EXPIRE`.
:Authors: Julian Gethmann
:Contact: phd@gethmann.org
:Date: 2018-01-08
:Version: 0.1
For general IPA usage see get_ipa_users.py
"""
import ipalib
from ipalib import api, cli
from pprint import pprint
import datetime
import yaml
from contextlib import suppress
def bootstrap():
"""
Bootstrap the script.
I hope that all of this stuff is re-entrant.
Also, api is defined in __init__.py.
"""
api.bootstrap_with_global_options(context='cli')
api.finalize()
api.Backend.rpcclient.connect()
def main():
EXPIRE = 5 * 52 # weeks
IPA_USER_CONFIG = "./group_vars/ipa"
bootstrap()
pw = api.Command.pwpolicy_find(u"global_policy")["result"]
prev_lifetime = int(pw[0]["krbmaxpwdlife"][0])
print("Set new default password expiration time")
with suppress(ipalib.errors.EmptyModlist):
api.Command.pwpolicy_mod(u"global_policy", krbmaxpwdlife="0")
print("Set password expiration time for all users")
new_expiretime = datetime.datetime.now() + datetime.timedelta(weeks=EXPIRE)
# This may be modified when using ansible vault!
with open(IPA_USER_CONFIG, "r") as fobj:
ipa_config = yaml.load(fobj)
for user in ipa_config["ipa_users"]:
if user["state"] not in ("enabled",):
continue
user = user["name"]
prev_expire = api.Command.user_show(user, all=True)["result"].get("krbpasswordexpiration",
(datetime.datetime(1970, 1, 1),))[0]
print(f"Set password expiration time for {user} from {prev_expire:%Y%m%d%H%M%S} to {new_expiretime:%Y-%m-%d}")
with suppress(ipalib.errors.EmptyModlist):
api.Command.user_mod(
user,
setattr=f"krbPasswordExpiration={new_expiretime:%Y%m%d%H%M%S}Z",
)
if __name__ == "__main__":
import sys
if len(sys.argv) > 1:
print(__doc__)
sys.exit(0)
main()
# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4
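Review bot: `yaml.load(fobj)` in `main()` is called without a `Loader`; on PyYAML releases before 5.1 that selects the loader which can construct arbitrary Python objects from tags in the file, and on PyYAML 6 the call fails for the missing argument. Since `./group_vars/ipa` is plain inventory data, use `ipa_config = yaml.safe_load(fobj)`. The new expiry is computed from `datetime.datetime.now()` (naive local time) but written with a literal `Z` suffix, so the stored value is off by the host's UTC offset; `datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(weeks=EXPIRE)` would match the suffix. `prev_lifetime` is read and never used, and setting `krbmaxpwdlife="0"` on `global_policy` appears to relax expiry for every account that policy covers, so a comment stating that intent and a log line with the previous value would help an auditor.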