python-freeipa is a lightweight FreeIPA client. API documentation: https://python-freeipa.readthedocs.io/
waldur / python-freeipa
License: MIT License
It seems that currently this python-freeipa client needs a username/password combo to connect to the API.
Using https://github.com/requests/requests-kerberos you can enable Kerberos support in the python requests library.
See https://gist.github.com/JensTimmerman/c123d5f6291e4cd542473241ce7bf4c9 for a working example of using Kerberos with the FreeIPA API and python-requests.
Hey,
could you please draw a new release, containing the dns_lookup change?
Kind Regards
Any plans to add hbacrule_show and hbacrule_find as options?
Version 1.0.2 seems to have been released on GitHub but PyPI is still at version 1.0.1. Please upload 1.0.2.
Hello,
It could be that I'm using your software wrong, but when I try to use your API to communicate with the FreeIPA server, I seem to get an authenticated session but can't use any of the functions.
    from python_freeipa import Client
    client = Client('XXX', version='2.215')
    client.login('admin', 'XXX')
    user = client.user_add('test3', 'John', 'Doe', 'John Doe', preferred_language='EN')
    print(user)
I get the following message back:
    AttributeError: 'Client' object has no attribute 'user_add'
I would appreciate your guidance if I did simply misuse your software.
When adding a user/group using sudorule_add_runasuser with "RunAsGroup" set to category=all ("Any Group" in the UI), the library throws an exception:
    python_freeipa.exceptions.BadRequest: users cannot be added when runs user or runAs group category='all'
The inverse also occurs: when RunAsUser is set to "Anyone" (category=all) and you try to add a RunAsGroup.
This is a valid configuration in the IPA UI.
    python-freeipa: installed from pip, version 1.0.6
    ipa-client: installed from packages, version 4.6.5, API_version 2.231 (os: CentOS 7.7)
    ipa-server: 4.6.8 (os: CentOS 7.7)
This is my work configuration, I can test on my home deployment which is a bit newer.
Right now there are several functions which call parse_hostgroup_management_error and parse_group_management_error to raise a ValidationError when a (host)group can't be modified for some reason.
These parsing functions set up an exception but they make the message a dict instead of a str.
So the exception that gets shown is rather unhelpful: python_freeipa.exceptions.ValidationError: <unprintable ValidationError object>, and when the exception gets printed (or converted to str for displaying elsewhere), another exception gets raised: TypeError: __str__ returned non-string (type dict).
I'm happy to send a PR to fix this, but I'm not sure of the best way forward; there are a few options:
1. Have FreeIPAError#__str__ call str before it returns. Then when a ValidationError gets thrown, the message that gets shown is the raw dict, which is ugly but probably better than what happens right now. It also affords backwards compatibility and shouldn't break people who have worked around this issue already.
    # omitted: some hacks to dump out the dict
    >>> client.group_add_member('cool-people', ['relrod', 'asdfasdf'])
    python_freeipa.exceptions.ValidationError: {'member': {'user': [['relrod', 'This entry is already a member'], ['asdfasdf', 'no matching entry found']], 'group': [], 'service': []}}
2. We can keep things as-is and tell users to just catch the exception and accept that #message is a dict and that the stack trace itself will never show a meaningful error from IPA until the user calls #message and processes the dict themselves.
3. ... other ideas here ...
Thoughts?
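As an added illustration (not python-freeipa's own code), the reported __str__ defect sits next to a hypothetical fixed exception that renders IPA's failure dict as readable text; the class and helper names are assumptions, and the sample dict is constructed from the one quoted above.

```python
# Added illustration, not python-freeipa's own code: the reported __str__
# defect beside a hypothetical fixed exception that renders the dict readably.

# Constructed sample, shaped like the dict quoted in the issue above.
FAILED = {"member": {
    "user": [["relrod", "This entry is already a member"],
             ["asdfasdf", "no matching entry found"]],
    "group": [], "service": []}}


class BrokenValidationError(Exception):
    """Mirrors the report: message is a dict and __str__ hands it back as-is."""
    def __init__(self, message, code=None):
        self.message, self.code = message, code

    def __str__(self):
        return self.message  # not a str, so str(exc) raises TypeError


def format_failures(failed):
    """Flatten {attr: {obj_type: [[name, reason], ...]}} to one line per failure."""
    lines = []
    for attr, by_type in failed.items():
        for obj_type, entries in by_type.items():
            for name, reason in entries:
                lines.append(f"{attr}/{obj_type} '{name}': {reason}")
    return lines


class ValidationError(Exception):
    """Hypothetical fix: keep the dict for callers, but always render text."""
    def __init__(self, message, code=None):
        super().__init__(message, code)
        self.message, self.code = message, code

    def __str__(self):
        if isinstance(self.message, dict):
            return "; ".join(format_failures(self.message)) or repr(self.message)
        return str(self.message)


def str_failure_type(exc):
    """Name of the exception str(exc) raises, or None if it rendered cleanly."""
    try:
        str(exc)
    except TypeError as e:
        return type(e).__name__
    return None
```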
If I make a call to FreeIPA (4.9.11) like the following:
    ipa_conn.dnszone_add(a_idnsname="foo.bar.com.", o_idnssoaserial=1234, o_idnssoarname="hostmaster", o_idnssoamname="myipa.bar.com.")
I get back an error message from FreeIPA saying:
    invalid 'serial': this option is deprecated
It looks like, at some point, FreeIPA switched over to managing the serial number more directly, making it immutable from the user perspective. However, o_idnssoaserial is a required positional argument for the function, so I can't leave it out of the function call. A workaround is to pass in None for this required argument.
From releases prior to 1.0.0, there was the ability to provide functions with kwargs, but since that upgrade, there are no longer any kwargs in the generated client. It seems to me that the object at https://github.com/opennode/python-freeipa/blob/develop/contrib/py_ipa_api_recreate#L348 is malformed from what was expected.
"It is possible to manually recreate the “ClientMeta” class. This might be needed if the IPA/IdM Server you are using is not matching the on (typo? one) that has been used to build the packaged version."
My server is made from CentOS/RedHat RPMs, so is this necessary?
The example in Issue#2 (support kerberos) is Python 2 and using requests-kerberos rather than requests-gssapi
Hello Team,
I am trying to automate user creation in my org.
I would like to request sudorule-add-user to be included in the module. Currently from my Python script we need to call "ipa sudorule-add-user --users=test.test <sudo_rule>". This requires IPA to be installed on the server where this script is being executed.
It would be great if we can have the feature in this module.
Regards,
Shivam Kumar Gupta
Hi,
Could you please update the documentation site (https://python-freeipa.readthedocs.io/en/latest/) with the details for 1.0.0?
I have been using 0.2.5 and making calls like "Client.user_show" which no longer exist in 1.0.0, I need to change all my calls (by the looks of it) to "ClientLegacy.user_show" (I discovered this when my integration tools all failed) or maybe there is some new syntax/call to use instead?
-- Sean
Hi
On a new version of FreeIPA, when I try to use client.service_add(a_krbcanonicalname='HTTP/'+fqdn) I receive an error:
      File "./ipa-certs.py", line 48, in AddCert
        client.service_add(a_krbcanonicalname='HTTP/'+fqdn)
      File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/client_meta.py", line 19190, in service_add
        return self._request(method, _args, _params)
      File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/client.py", line 335, in _request
        parse_error(error)
      File "/Users/rus/Library/Python/3.7/lib/python/site-packages/python_freeipa/exceptions.py", line 117, in parse_error
        raise exception_class(message, code)
    python_freeipa.exceptions.UnknownOption: Unknown option: skip_host_check
python-freeipa ver: 1.0.5
FreeIPA version: 4.6.5
Python 3.7.3
Hi,
I've implemented my own little FreeIPA management script to simplify frequent tasks (e.g. adding new users). I'm currently trying to extend it to also set o_krbprincipalexpiration; however, I receive an error message when trying to pass the DateTime object to user_add:
    Traceback (most recent call last):
      File "/home/user/bin/ipa_manage.py", line 53, in <module>
        user = client.user_add(username, firstname, lastname, fullname, displayname, o_initials=initials, o_homedirectory=homedirectory, o_gecos=gecos, o_loginshell=loginshell, o_title=title, o_krbprincipalname=krbprincipalname, o_krbprincipalexpiration=krbprincipalexpiration, o_mail=email, o_userpassword=password)
      File "/home/user/.local/lib/python3.8/site-packages/python_freeipa/client_meta.py", line 25504, in user_add
        return self._request(method, _args, _params)
      File "/home/user/.local/lib/python3.8/site-packages/python_freeipa/client.py", line 323, in _request
        session_url, headers=headers, data=json.dumps(data), verify=self._verify_ssl
      File "/usr/lib/python3.8/json/__init__.py", line 231, in dumps
        return _default_encoder.encode(obj)
      File "/usr/lib/python3.8/json/encoder.py", line 199, in encode
        chunks = self.iterencode(o, _one_shot=True)
      File "/usr/lib/python3.8/json/encoder.py", line 257, in iterencode
        return _iterencode(o, 0)
      File "/usr/lib/python3.8/json/encoder.py", line 179, in default
        raise TypeError(f'Object of type {o.__class__.__name__} '
    TypeError: Object of type datetime is not JSON serializable
Code that fills krbprincipalexpiration:
    from datetime import date
    from datetime import datetime
    [...]
    expiry = input("Account expiry date (YYYY-MM-DD): ")
    krbprincipalexpiration = datetime.combine(datetime.fromisoformat(expiry), datetime.min.time())
Does anyone have a tip for how to make this work? Or is this a bug, given that the official documentation suggests that DateTime is the correct type?
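An added example, not from the post above and not python-freeipa's own code: a json.JSONEncoder hook that turns the datetime into the envelope FreeIPA's JSON-RPC layer uses for DateTime values. That {"__datetime__": "YYYYMMDDHHMMSSZ"} wire format (LDAP generalized time, UTC) is an assumption here about the server's decoder; check it against the ipalib version you run.

```python
# Added example, not python-freeipa's own code. Assumes FreeIPA's JSON-RPC
# DateTime wire form {"__datetime__": "YYYYMMDDHHMMSSZ"} (LDAP generalized
# time, UTC); verify that assumption against the ipalib version you run.
import json
from datetime import datetime, timezone

LDAP_GENERALIZED_TIME = "%Y%m%d%H%M%SZ"


class IPAJSONEncoder(json.JSONEncoder):
    """json.dumps() hook: datetime -> __datetime__ envelope; any other
    unsupported object still fails the way the traceback above shows."""

    def default(self, o):
        if isinstance(o, datetime):
            if o.tzinfo is not None:  # normalise aware values to UTC first
                o = o.astimezone(timezone.utc).replace(tzinfo=None)
            return {"__datetime__": o.strftime(LDAP_GENERALIZED_TIME)}
        return super().default(o)


def expiry_from_input(text):
    """Turn the script's 'YYYY-MM-DD' answer into a midnight datetime.
    Malformed input raises ValueError before anything reaches the API."""
    return datetime.combine(datetime.fromisoformat(text).date(), datetime.min.time())


def encode_params(params):
    """Serialise a params dict the way the client does before posting it,
    but with the encoder hook installed (sorted keys for stable output)."""
    return json.dumps(params, cls=IPAJSONEncoder, sort_keys=True)
```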
Hello,
I was wondering where I can find documentation on how python-freeipa works in the backend? Does it communicate securely? Does it send requests to the FreeIPA API? If so, how, and is it secure?
Using the example below and getting the error below. Is the IPA API v2.228 ok?
Example from documentation:
    from python_freeipa import Client
    client = Client('ipaserver.domain.com', version='2.228')
    client.login('admin', 'password123')
    user = client.user_add('Welcome123', 'John', 'Doe', 'John Doe', preferred_language='EN')
    print(user)
Error below:
    requests.exceptions.SSLError: HTTPSConnectionPool(host='ipaserver.domain.com', port=443): Max retries exceeded with url: /ipa/session/login_password (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)'),))
Thx for your time!
Since Python 2 is EOL in January 2020, are there any plans to support Python 3?
If you set up a python-freeipa Client object to communicate with a directory server and use the all=True and/or the raw=True options, it provides the same output regardless of whether they're set to true or false or omitted.
Given a configured client object:
    len(client.user_find()['result'][0])
and
    len(client.user_find(all=True)['result'][0])
These two calls give identical output with 20 attributes (I'm not pasting the raw output with personal information keys and codes).
Using the ipa console:
    (Custom IPA interactive Python console)
    >>> len(api.Command.user_find()['result'][0])
    12
    >>> len(api.Command.user_find(all=True)['result'][0])
    23
    >>>
Clearly python-freeipa is not providing the expected extra attributes.
Hi,
while I was assisting @abompard with a problem in Fedora Account System, I noticed that python-freeipa's Kerberos login is inefficient. It requires two HTTP roundtrips to authenticate and uses cookie sessions, which are less efficient. The official IPA client library uses opportunistic authentication without sessions.
To make python-freeipa faster:
- login_kerberos
- session_logout
- for GSS-API auth:
    try:
        import requests_gssapi
        import gssapi
        import gssapi.exceptions
    except ImportError as e:
        # Will raise if the user tries to login via Kerberos.
        requests_gssapi = gssapi = e
in Client.__init__:
    self._session.verify = verify_ssl
    def login_gssapi(self, creds=None):
        if creds is None:
            try:
                creds = gssapi.Credentials(usage="initiate")
            except gssapi.exceptions.GSSError as e:
                raise Unauthorized(e)
        self._session.auth = requests_gssapi.HTTPSPNEGOAuth(
            opportunistic_auth=True, creds=creds
        )
        # optional check to get a 401 early
        self._request("ping")