Add or update a sysaccount in a FreeIPA LDAP directory. These accounts can then be used to bind with other services that require LDAP authentication. Run `make install` to install the script in `/usr/local/bin/`.
#!/usr/bin/env python
from argparse import ArgumentParser
from random import SystemRandom
from string import ascii_letters, digits
from subprocess import Popen as subprocess, PIPE
from shlex import split as sh
# command-line interface: the operation to perform and the account to act on
ap = ArgumentParser()
ap.add_argument(
    'action',
    choices=('add', 'delete', 'passwd'),
    help='add, delete or change password',
)
ap.add_argument('uid', help='system account uid')
# parsed at import time: this is a flat script, not a library module
arguments = ap.parse_args()
# generate a random password
def random (padlength=4, padcount=8, chars=(ascii_letters + digits)):
return '-'.join(''.join(SystemRandom().choice(chars) for _ in range(padlength)) for _ in range(padcount));
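# execute a subprocess
def run(command, stdin=None, stderr=None):
    """Run ``command`` and return its standard output as text.

    ``command`` is a shell-style string that is tokenised with ``shlex.split``
    and executed directly -- no shell is involved, so the arguments are not
    re-interpreted.  ``stdin`` is optional text written to the child's
    standard input; ``stderr`` is handed to ``Popen`` unchanged (``None``
    inherits ours).  The exit status is not checked; callers look at the
    output themselves.

    ``universal_newlines=True`` keeps the pipes in text mode on both Python 2
    and 3: without it, Python 3 requires ``bytes`` for ``stdin`` and returns
    ``bytes``, which breaks the ``str`` formatting done by the callers.
    """
    # ``subprocess`` is ``Popen``, imported under that name at the top of the file
    proc = subprocess(
        sh(command),
        stdin=PIPE,
        stdout=PIPE,
        stderr=stderr,
        universal_newlines=True,
    )
    output, _ = proc.communicate(stdin)
    return output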
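# variables
# base DN of the directory (e.g. "dc=example,dc=test"), taken from the IPA
# client configuration; the sysaccount entry is created beneath it
basedn = run('sed -n \'s/^basedn = //p\' /etc/ipa/default.conf').strip()
passwd = random()
account = arguments.uid
# without a base DN the entry DN below would be built under the wrong parent,
# so stop here rather than hand a malformed update to ipa-ldap-updater
if not basedn:
    print('Could not read basedn from /etc/ipa/default.conf!')
    raise SystemExit(1)
# the uid is spliced verbatim into a DN and into the line-oriented update
# file below; restrict it to characters that are harmless in both (no ',',
# '=', '+', quotes or newlines).  The allow-list is deliberately conservative;
# widen it if your account naming scheme needs more characters.
allowed = ascii_letters + digits + '._-'
if not account or any(c not in allowed for c in account):
    print('Refuse to use account name with special characters: {}'.format(account))
    raise SystemExit(1)
# check for sudo
if account == 'sudo':
    print('Refuse to edit sudo account!')
    raise SystemExit(1)
# build strings
update_dn = "dn: uid={},cn=sysaccounts,cn=etc,{}".format(account, basedn)
update_userpass = "only:userPassword:{}".format(passwd)
update_attributes = """add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:{}
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0""".format(account)
# build target command: the dn line first, then the action-specific directives
lines = [update_dn]
if arguments.action == 'add':
    lines.append(update_attributes)
if arguments.action != 'delete':
    lines.append(update_userpass)
if arguments.action == 'delete':
    lines.append('deleteentry:')
update = '\n'.join(lines)
# echo and execute -- the echoed update is the only place the generated
# password is shown, so the operator can record it
print('====== running update: ======\n{}\n============================='.format(update))
# the updater's stdout is captured by the pipe; print it so a failure is
# not silently discarded
output = run('ipa-ldap-updater /dev/stdin', update)
if output:
    print(output)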
#!/usr/bin/env bash
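# generate a random password: four groups of six alphanumeric characters
# joined with dashes, e.g. aB3dE6-... (read from /dev/urandom)
genpasswd() {
  local group password=''
  for group in 1 2 3 4; do
    # LC_ALL=C makes tr treat /dev/urandom as raw bytes; in a UTF-8 locale some
    # tr implementations abort on the invalid multibyte input instead
    password="${password:+$password-}$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 6)"
  done
  printf '%s\n' "$password"
}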
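account="${1:?Specify account name as argument.}"
# the account name is spliced verbatim into a DN and into a line-oriented
# update file; only allow characters that are harmless in both (no ',', '=',
# '+', quotes or newlines).  Widen the allow-list if your naming scheme needs it.
case "$account" in
  *[!a-zA-Z0-9._-]*)
    printf 'Refuse to use account name with special characters: %s\n' "$account" >&2
    exit 1 ;;
esac
# base DN of the directory, taken from the IPA client configuration
basedn=$(sed -n 's/^basedn = //p' /etc/ipa/default.conf)
if [ -z "$basedn" ]; then
  # without it the entry DN would be built under the wrong parent
  printf 'Could not read basedn from /etc/ipa/default.conf\n' >&2
  exit 1
fi
passwd=$(genpasswd)
# -r keeps backslashes literal; -d '' reads the whole heredoc (read then
# returns non-zero at EOF, which is expected and ignored here)
read -r -d '' ldif <<LDIF
dn: uid=${account},cn=sysaccounts,cn=etc,${basedn}
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:${account}
only:userPassword:${passwd}
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
LDIF
# echo the update -- this is the only place the generated password is shown
printf '**********************\n%s\n**********************\n' "$ldif"
printf '%s\n' "$ldif" | ipa-ldap-updater /dev/stdin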
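# which implementation to install: py (python) or sh (bash)
STYLE := py
PREFIX := /usr/local
SCRIPT := ipa-sysaccount
INSTALL := $(PREFIX)/bin/$(SCRIPT)

# help and install are not files; without .PHONY a file of that name in the
# working directory would silently satisfy the target
.PHONY: help install

# first target, so plain `make` prints the usage
help:
	@echo 'use `make install` to install in $(PREFIX)/bin/'
	@echo 'choose python or bash with `make install STYLE={py,sh}`'

install: $(INSTALL)

# copies the chosen script into place, root-owned and executable
$(INSTALL): $(SCRIPT).$(STYLE)
	install -m 755 -o root -g root $< $@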