python-freeipa's Issues

Release 1.0.1

Hey,

could you please draw a new release, containing the dns_lookup change?

Kind Regards

No authenticated session or no object 'user_add' found

Hello,

It could be that I'm using your software wrong, but when I try to use your API to communicate with the FreeIPA server, I seem to get an authenticated session but can't use any of the functions.

from python_freeipa import Client
client = Client('XXX', version='2.215')
client.login('admin', 'XXX')
user = client.user_add('test3', 'John', 'Doe', 'John Doe', preferred_language='EN')
print(user)

I get the following message back

AttributeError: 'Client' object has no attribute 'user_add'

I would appreciate your guidance if I simply misused your software.

Exception thrown on adding "RunAs" {user,group}

When adding a user/group using sudorule_add_runasuser and "RunAsGroup" set to category=all ("Any Group" in the UI), the library throws an exception:
python_freeipa.exceptions.BadRequest: users cannot be added when runs user or runAs group category='all'

The inverse also occurs: when RunAsUser is set to "Anyone" (category=all) and you try to add a RunAsGroup.

This is a valid configuration in the IPA UI.

Installation info

Library

python-freeipa installed from pip - version 1.0.6

Client

ipa-client installed from packages - version 4.6.5, API_version 2.231
os - CentOS 7.7

Server

ipa-server - 4.6.8
os - CentOS 7.7

This is my work configuration, I can test on my home deployment which is a bit newer.

ValidationError and __str__()

Right now there are several functions which call parse_hostgroup_management_error and parse_group_management_error to raise a ValidationError when a (host)group can't be modified for some reason.

These parsing functions set up an exception but they make the message a dict instead of a str.

So the exception that gets shown is rather unhelpful: python_freeipa.exceptions.ValidationError: <unprintable ValidationError object>

and when the exception gets printed (or converted to str for displaying elsewhere), another exception gets raised: TypeError: __str__ returned non-string (type dict).

I'm happy to send a PR to fix this, but I'm not sure of the best way forward, there are a few options:

  • We can just have FreeIPAError#__str__ call str before it returns. Then when a ValidationError gets thrown, the message that gets shown is the raw dict which is ugly but probably better than what happens right now. It also affords backwards compatibility and shouldn't break people who have worked around this issue already.
  • We can have the parsing functions parse out the string(s) that contain(s) the actual error(s), which I think might have been the original intent here, but this gets gnarly when dealing with the case where multiple errors are returned at the same time:
# omitted: some hacks to dump out the dict
>>> client.group_add_member('cool-people', ['relrod', 'asdfasdf'])
python_freeipa.exceptions.ValidationError: {'member': {'user': [['relrod', 'This entry is already a member'], ['asdfasdf', 'no matching entry found']], 'group': [], 'service': []}}
  • We can keep things as-is and tell users to just catch the exception and accept that #message is a dict and that the stack trace itself will never show a meaningful error from IPA until the user calls #message and processes the dict themselves.

  • ... other ideas here ...

Thoughts?
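One way to make the second option concrete, as an added example that is not python-freeipa's own code: flatten the nested failure dict quoted above into a string, and give the exception a `__str__` that always returns a `str`. The `ValidationError` class here is a stand-in for the library's (an assumption about how the real fix would be wired into `FreeIPAError`).

```python
# Added example (not python-freeipa's own code): render the nested
# {attr: {type: [[name, reason], ...]}} dict that FreeIPA returns for
# *_add_member / *_remove_member as a readable string.
from typing import Any


def format_management_failures(failed: Any) -> str:
    """Flatten the failure dict; fall back to str() for any other shape so the
    exception stays printable even if the server changes its format."""
    if not isinstance(failed, dict):
        return str(failed)
    lines = []
    for attr, by_type in failed.items():
        if not isinstance(by_type, dict):
            lines.append(f"{attr}: {by_type}")
            continue
        for obj_type, entries in by_type.items():
            for entry in entries:
                # Each entry is [name, reason], as in the post's example.
                if isinstance(entry, (list, tuple)) and len(entry) == 2:
                    name, reason = entry
                    lines.append(f"{attr}/{obj_type} '{name}': {reason}")
                else:
                    lines.append(f"{attr}/{obj_type}: {entry}")
    return "; ".join(lines) if lines else "no failures reported"


class ValidationError(Exception):
    """Stand-in for python_freeipa.exceptions.ValidationError (assumption:
    the real fix would change FreeIPAError.__str__ the same way)."""

    def __init__(self, message: Any, code=None) -> None:
        super().__init__(message)
        self.message = message
        self.code = code

    def __str__(self) -> str:
        # Always return a str; returning the raw dict is what raised the TypeError.
        return format_management_failures(self.message)


# Constructed sample matching the dict quoted in the post.
SAMPLE_FAILED = {
    "member": {
        "user": [["relrod", "This entry is already a member"],
                 ["asdfasdf", "no matching entry found"]],
        "group": [],
        "service": [],
    }
}
```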

dnszone_add requires the serial but freeipa no longer allows this to be supplied

If I make a call to freeipa(4.9.11) like the following:

ipa_conn.dnszone_add(a_idnsname="foo.bar.com.", o_idnssoaserial=1234, o_idnssoarname="hostmaster", o_idnssoamname="myipa.bar.com.")

I get back an error message from freeipa saying:

invalid 'serial': this option is deprecated

It looks like, at some point, freeipa switched over to managing the serial number more directly, making it immutable from the user perspective. However, o_idnssoaserial is a required positional argument for the function, so I can't not supply it to the function call. A workaround is to pass in None for this required argument.

A question and an example request

Recreation of MetaClient

It is possible to manually recreate the “ClientMeta” class. This might be needed if the IPA/IdM Server you are using is not matching the on (? TYPO ? one) that has been used to build the packaged version.

My server is made from CentOS/RedHat RPMs, so is this necessary?

Example Request - Connecting to a server with Kerberos rather than Password

The example in Issue#2 (support kerberos) is Python 2 and using requests-kerberos rather than requests-gssapi

support for sudorule-add-user

Hello Team,

I am trying to automate user creation in my ORG.

I would like to request sudorule-add-user to be included in the module. Currently, from my Python script we need to call "ipa sudorule-add-user --users=test.test <sudo_rule>". This requires IPA to be installed on the server where this script is being executed.

It would be great if we could have this feature in the module.

Regards,
Shivam Kumar Gupta

Update Documentation for 1.0.0

Hi,

Could you please update the documentation site (https://python-freeipa.readthedocs.io/en/latest/) with the details for 1.0.0?

I have been using 0.2.5 and making calls like "Client.user_show" which no longer exist in 1.0.0, I need to change all my calls (by the looks of it) to "ClientLegacy.user_show" (I discovered this when my integration tools all failed) or maybe there is some new syntax/call to use instead?

-- Sean

Error "Unknown option: skip_host_check" in service_add method

Hi
On a new version of FreeIPA, when I try to use client.service_add(a_krbcanonicalname='HTTP/'+fqdn) I receive this error:

  File "./ipa-certs.py", line 48, in AddCert
    client.service_add(a_krbcanonicalname='HTTP/'+fqdn)
  File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/client_meta.py", line 19190, in service_add
    return self._request(method, _args, _params)
  File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/client.py", line 335, in _request
    parse_error(error)
  File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/exceptions.py", line 117, in parse_error
    raise exception_class(message, code)
python_freeipa.exceptions.UnknownOption: Unknown option: skip_host_check

python-freeipa ver: 1.0.5
FreeIPA, version: 4.6.5
Python 3.7.3

TypeError: Object of type datetime is not JSON serializable

Hi,

I've implemented my own little freeIPA management script to simplify frequent tasks (e.g. adding new users). I'm currently trying to extend it to also set o_krbprincipalexpiration, however, I receive an error message when trying to pass the DateTime object to user_add:

Traceback (most recent call last):
  File "/home/user/bin/ipa_manage.py", line 53, in <module>
    user = client.user_add(username, firstname, lastname, fullname, displayname, o_initials=initials, o_homedirectory=homedirectory, o_gecos=gecos, o_loginshell=loginshell, o_title=title, o_krbprincipalname=krbprincipalname, o_krbprincipalexpiration=krbprincipalexpiration, o_mail=email, o_userpassword=password)
  File "/home/user/.local/lib/python3.8/site-packages/python_freeipa/client_meta.py", line 25504, in user_add
    return self._request(method, _args, _params)
  File "/home/user/.local/lib/python3.8/site-packages/python_freeipa/client.py", line 323, in _request
    session_url, headers=headers, data=json.dumps(data), verify=self._verify_ssl
  File "/usr/lib/python3.8/json/__init__.py", line 231, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3.8/json/encoder.py", line 199, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3.8/json/encoder.py", line 257, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3.8/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type datetime is not JSON serializable

Code that fills krbprincipalexpiration:

from datetime import date
from datetime import datetime
[...]
expiry = input("Account expiry date (YYYY-MM-DD): ")
krbprincipalexpiration = datetime.combine(datetime.fromisoformat(expiry), datetime.min.time())

Does anyone have a tip for how to make this work? Or is this a bug given that the official documentation suggests that DateTime is the correct type?
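As an added example (not python-freeipa's own code), this serialises a datetime for the JSON-RPC body the way the traceback above fails to. It assumes FreeIPA's wire form for DateTime parameters is LDAP generalized time ("YYYYMMDDhhmmssZ", UTC) wrapped as {"__datetime__": ...}, which is what FreeIPA's own client sends; check that against your server version before relying on it.

```python
# Added example (not python-freeipa's own code). Assumption: FreeIPA's JSON-RPC
# transport expects datetimes as LDAP generalized time in UTC, wrapped as
# {"__datetime__": "YYYYMMDDhhmmssZ"}.
import json
from datetime import datetime, timezone

LDAP_GENERALIZED_TIME_FORMAT = "%Y%m%d%H%M%SZ"


def to_generalized_time(value: datetime) -> str:
    """Convert to UTC generalized time. Naive datetimes are taken as UTC
    (assumption), so pass an aware object when the input is local time."""
    if value.tzinfo is not None:
        value = value.astimezone(timezone.utc)
    return value.strftime(LDAP_GENERALIZED_TIME_FORMAT)


class FreeIPAJSONEncoder(json.JSONEncoder):
    """Use json.dumps(..., cls=FreeIPAJSONEncoder) where client._request calls
    plain json.dumps; every other type still goes through the default path."""

    def default(self, o):
        if isinstance(o, datetime):
            return {"__datetime__": to_generalized_time(o)}
        return super().default(o)


def encode_request(method: str, args: list, params: dict) -> str:
    """Build a FreeIPA JSON-RPC request body, with datetime support."""
    payload = {"method": method, "params": [args, params], "id": 0}
    return json.dumps(payload, cls=FreeIPAJSONEncoder)


def parse_expiry(text: str) -> datetime:
    """Turn the 'YYYY-MM-DD' prompt from the post into UTC midnight."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def example_request() -> dict:
    """Constructed user_add request with a principal expiration, decoded back
    so the wire form can be inspected."""
    params = {
        "givenname": "John",
        "sn": "Doe",
        "krbprincipalexpiration": parse_expiry("2024-12-31"),
        "version": "2.231",
    }
    return json.loads(encode_request("user_add", ["jdoe"], params))
```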

Getting SSL cert verify failed.. using API version 2.228

Using the example below and getting the error below. Is the IPA API v2.228 ok?

Example from documentation:
from python_freeipa import Client
client = Client('ipaserver.domain.com', version='2.228')
client.login('admin', 'password123')
user = client.user_add('Welcome123', 'John', 'Doe', 'John Doe', preferred_language='EN')
print user

Below error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='ipaserver.domain.com', port=443): Max retries exceeded with url: /ipa/session/login_password (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))

Thx for your time!

Support for Python 3

Since Python 2 is EOL in January 2020, are there any plans to support Python 3?

Error 400 Bad Request when logging in

Using python_freeipa v1.0.6 trying to login/authenticate against FreeIPA/IdM v4.9.2, I just get an Error 400 Bad Request every time. Rebuilt the MetaClient, same thing.


The user_find command does not respect all=True or raw=True

If you set up a freeipa-python Client object to communicate with a directory server and use the all=True and/or the raw=True options, it provides the same output regardless of whether they're set to true or false or omitted.

Given configured client object:

len(client.user_find()['result'][0])

and

len(client.user_find(all=True)['result'][0])

These two calls give identical outputs with 20 attributes (I'm not pasting the raw output with personal information keys and codes).

Using the ipa console:

(Custom IPA interactive Python console)
>>> len(api.Command.user_find()['result'][0])
12
>>> len(api.Command.user_find(all=True)['result'][0])
23
>>>

Clearly freeipa-python is not being provided with the expected extra attributes.

login_kerberos is inefficient

Hi,

while I was assisting @abompard with a problem in Fedora Account System, I noticed that python-freeipa's Kerberos login is inefficient. It requires two HTTP roundtrips to authenticate and uses cookie sessions, which are less efficient. The official IPA client library uses opportunistic authentication without sessions.

To make python-freeipa faster:

  • use opportunistic authentication
  • allow passing of GSS-API credentials
  • don't call login_kerberos
  • drop session_logout for GSS-API auth

try:
    import requests_gssapi
    import gssapi
    import gssapi.exceptions
except ImportError as e:
    # Will raise if the user tries to login via Kerberos.
    requests_gssapi = gssapi = e

in Client.__init__:

        self._session.verify = verify_ssl

    def login_gssapi(self, creds=None):
        # Acquire default initiator credentials from the ticket cache
        # unless the caller passed explicit GSS-API credentials.
        if creds is None:
            try:
                creds = gssapi.Credentials(usage="initiate")
            except gssapi.exceptions.GSSError as e:
                raise Unauthorized(e)
        # Opportunistic auth sends the SPNEGO token on the first request,
        # so no separate login roundtrip or session cookie is needed.
        self._session.auth = requests_gssapi.HTTPSPNEGOAuth(
            opportunistic_auth=True, creds=creds
        )
        # optional check to get a 401 early
        self._request("ping")
