ansemjo · June 28, 2024 11:18
diff --git a/ipa-sysaccount.py b/ipa-sysaccount.py
 #!/usr/bin/env python

 from argparse import ArgumentParser
 from random import SystemRandom
 from string import ascii_letters, digits
 from subprocess import Popen as subprocess, PIPE
 from shlex import split as sh

 ap = ArgumentParser()
 ap.add_argument('action', help='add, delete or change password', choices=('add', 'delete', 'passwd'))
 ap.add_argument('uid', help='system account uid')
 arguments = ap.parse_args()

 # generate a random password
 def random (padlength=4, padcount=8, chars=(ascii_letters + digits)):
  return '-'.join(''.join(SystemRandom().choice(chars) for _ in range(padlength)) for _ in range(padcount));

 # execute a subprocess
 def run (command, stdin=None, stderr=None):
  return subprocess(sh(command), stdin=PIPE, stdout=PIPE, stderr=stderr).communicate(stdin)[0]

 # variables
 basedn = run('sed -n \'s/^basedn = //p\' /etc/ipa/default.conf').strip();
 passwd = random();
 account = arguments.uid;

 # check for sudo
 if (account == 'sudo'):
  print('Refuse to edit sudo account!');
  exit(1);

 # build strings
 update_dn         = "dn: uid={},cn=sysaccounts,cn=etc,{}".format(account, basedn);
 update_userpass   = "only:userPassword:{}".format(passwd);
 update_attributes = """add:objectclass:account
 add:objectclass:simplesecurityobject
 add:uid:{}
 add:passwordExpirationTime:20380119031407Z
 add:nsIdleTimeout:0""".format(account);

 # build target command
 update = update_dn + '\n';
 if (arguments.action == 'add'):
  update += update_attributes + '\n';
 if (arguments.action != 'delete'):
  update += update_userpass + '\n';
 if (arguments.action == 'delete'):
  update += 'deleteentry:\n';
 update = update.strip();

 # echo and execute
 print('====== running update: ======\n{}\n============================='.format(update));
 run('ipa-ldap-updater /dev/stdin', update);
diff --git a/ipa-sysaccount.sh b/ipa-sysaccount.sh
 #!/usr/bin/env bash

 genpasswd() {
  r() { tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c$1; }
  echo "$(r 6)-$(r 6)-$(r 6)-$(r 6)";
 }

 account="${1:?Specify account name as argument.}"
 basedn=$(sed -n 's/^basedn = //p' /etc/ipa/default.conf)
 passwd=$(genpasswd)

 read -d '' ldif <<LDIF
 dn: uid=${account},cn=sysaccounts,cn=etc,${basedn}
 add:objectclass:account
 add:objectclass:simplesecurityobject
 add:uid:${account}
 only:userPassword:${passwd}
 add:passwordExpirationTime:20380119031407Z
 add:nsIdleTimeout:0
 LDIF

 printf '**********************\n%s\n**********************\n' "$ldif";
 printf '%s\n' "$ldif" | ipa-ldap-updater /dev/stdin
diff --git a/makefile b/makefile
 STYLE  := py
 PREFIX := /usr/local
 SCRIPT := ipa-sysaccount
 INSTALL := $(PREFIX)/bin/$(SCRIPT)

 help :
 	@echo 'use `make install` to install in $(PREFIX)/bin/'
 	@echo 'choose python or bash with `make install STYLE={py,sh}`'

 install : $(INSTALL)

 $(INSTALL) : $(SCRIPT).$(STYLE)
 	install -m 755 -o root -g root $< $@
	#!/usr/bin/env python

	from argparse import ArgumentParser
	from random import SystemRandom
	from string import ascii_letters, digits
	from subprocess import Popen as subprocess, PIPE
	from shlex import split as sh

	ap = ArgumentParser()
	ap.add_argument('action', help='add, delete or change password', choices=('add', 'delete', 'passwd'))
	ap.add_argument('uid', help='system account uid')
	arguments = ap.parse_args()

	# generate a random password
	def random (padlength=4, padcount=8, chars=(ascii_letters + digits)):
	return '-'.join(''.join(SystemRandom().choice(chars) for _ in range(padlength)) for _ in range(padcount));

	# execute a subprocess
	def run (command, stdin=None, stderr=None):
	return subprocess(sh(command), stdin=PIPE, stdout=PIPE, stderr=stderr).communicate(stdin)[0]

	# variables
	basedn = run('sed -n \'s/^basedn = //p\' /etc/ipa/default.conf').strip();
	passwd = random();
	account = arguments.uid;

	# check for sudo
	if (account == 'sudo'):
	print('Refuse to edit sudo account!');
	exit(1);

	# build strings
	update_dn = "dn: uid={},cn=sysaccounts,cn=etc,{}".format(account, basedn);
	update_userpass = "only:userPassword:{}".format(passwd);
	update_attributes = """add:objectclass:account
	add:objectclass:simplesecurityobject
	add:uid:{}
	add:passwordExpirationTime:20380119031407Z
	add:nsIdleTimeout:0""".format(account);

	# build target command
	update = update_dn + '\n';
	if (arguments.action == 'add'):
	update += update_attributes + '\n';
	if (arguments.action != 'delete'):
	update += update_userpass + '\n';
	if (arguments.action == 'delete'):
	update += 'deleteentry:\n';
	update = update.strip();

	# echo and execute
	print('====== running update: ======\n{}\n============================='.format(update));
	run('ipa-ldap-updater /dev/stdin', update);
	#!/usr/bin/env bash

	genpasswd() {
	r() { tr -dc 'a-zA-Z0-9' < /dev/urandom \| head -c$1; }
	echo "$(r 6)-$(r 6)-$(r 6)-$(r 6)";
	}

	account="${1:?Specify account name as argument.}"
	basedn=$(sed -n 's/^basedn = //p' /etc/ipa/default.conf)
	passwd=$(genpasswd)

	read -d '' ldif <<LDIF
	dn: uid=${account},cn=sysaccounts,cn=etc,${basedn}
	add:objectclass:account
	add:objectclass:simplesecurityobject
	add:uid:${account}
	only:userPassword:${passwd}
	add:passwordExpirationTime:20380119031407Z
	add:nsIdleTimeout:0
	LDIF

	printf '********************\n%s\n********************\n' "$ldif";
	printf '%s\n' "$ldif" \| ipa-ldap-updater /dev/stdin
	STYLE := py
	PREFIX := /usr/local
	SCRIPT := ipa-sysaccount
	INSTALL := $(PREFIX)/bin/$(SCRIPT)

	help :
	@echo 'use `make install` to install in $(PREFIX)/bin/'
	@echo 'choose python or bash with `make install STYLE={py,sh}`'

	install : $(INSTALL)

	$(INSTALL) : $(SCRIPT).$(STYLE)
	install -m 755 -o root -g root $< $@