cagdasbas / ipa-notify Goto Github PK

Hi,

installed the script but ipa-notify wrapper is failing (wrong main maybe, I'm not a python programmer).
Somehow works if module/script called directly.
Please check/see below out.
Are you aware of any other issues with freeipa 4.6?
Our freeipa server is calling other servers which are connected to it when receiving an ipa query on API, but it could be also related to our older freeipa install/upgrades which might have some bad legacy freeipa configs.

ipa-notify
Traceback (most recent call last):
File "/usr/local/bin/ipa-notify", line 11, in
load_entry_point('ipa-notify==0.2.1', 'console_scripts', 'ipa-notify')()
TypeError: main() missing 3 required positional arguments: 'args', 'client', and 'notifier'

thank you

I have added an argument named "--no-expiry-check" and an if statement in main.py (on our local install) so we can disable script expiry checks on demand and allow to run only account lock checks
This is useful when you need to run account locks checks more often than 24h, that way notifying only admins about locked accounts and limiting notifications to user password expiry to 1/day by running two different cron jobs.

It looks we can get notified of krbpasswordexpiration but what about krbprincipalexpiration?

Having a ipa group which contains user with only key based authentication will fail as they do not have password and password expiry.
A try would be nice around this issue:

                        try:
                                email = user['mail'][0]
...
...
                                                except ValueError:
                                                        logging.error("email send error, aborting...")
                                                        break
                        except KeyError as err:
                                logging.error("no expiration or mail for %s", user['uid'][0])
                                continue

Detailed instructions
Please tell us in more detail what needs to be done halfway through point 4.
What command should be executed in NOOP and how to do it?
What script should you create?
When and where to download files from the repository?

I beg your pardon for my stupidity, this is the first time I do this

You may consider below as possible features

• option to disable notification of users with expired password - if they are not disabled will receive emails every day until someone notice they are not active and disable their account
• add user/full name as variable in mail templates for addressing people

thank you

We have freeipa multi-master setup.
When gathering account lock status it seems python-freeipa module query all masters and it is using only first value, not the same with the queried server in our case, so our test cases failed.
python-freeipa(https://python-freeipa.readthedocs.io/en/latest/):
user_status(a_useruid, o_all=True, o_raw=False)
Lockout status of a user account
This connects to each IPA master and displays the lockout status on each one.
code:
<------>if int(user_status['result'][0]['krbloginfailedcount'][0]) >= ....
krbLoginFailedCount is not replicated to all masters being treated only locally on the master which was used when authentication failed.
Would be nice to have reports with login locks and associated freeipa master server name/fqdn since we need to unlock the user on that specific master.

Email security none is not working. It is trying to auth by user/pass.
None should be an option to use the host's local relay/local email service which do not require user/password.
Avoid below when security set to none:

                                smtp_conn.login(self.user, self.password)
                                logging.debug("smtp login successful")