ocf / ocflib

Python libraries for account and server management
https://pypi.python.org/pypi/ocflib

Allow LDAP changes without a keytab #148

Closed jvperrin closed 5 years ago

jvperrin commented 5 years ago

This then allows these functions to be used in user-facing scripts where they have potentially already authenticated with their password and have an existing Kerberos ticket (like in update-email and chsh, the two remaining python2 scripts we have).

I also did a pretty major refactor to use subprocess instead of pexpect for changing LDAP since ldapmodify can just accept input from stdin instead of needing it to be passed in interactively. I also removed a celery task for modifying LDAP attributes that isn't used anywhere outside of ocflib as far as I could tell with sourcegraph.

I tested this manually with ./tests-manual/infra/create-ldap-keytab and that worked fine, along with manually testing in a console that I could change my loginShell and mail attributes without a keytab being passed in.
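The stdin approach described in the comment above, as an added sketch that is not part of this PR or ocflib's own code: the LDIF is built in memory, with untrusted values base64-encoded per RFC 2849 so a newline in user input cannot add extra change records, then piped to `ldapmodify`, which authenticates with the caller's existing Kerberos ticket. The function names and the sample DN are hypothetical; it assumes OpenLDAP's `ldapmodify` with the server taken from `ldap.conf`.

```python
import base64
import re
import subprocess

# Hypothetical helper names; attribute names are restricted to LDAP descriptor syntax.
ATTR_RE = re.compile(r'[A-Za-z][A-Za-z0-9-]*')


def ldif_line(attr, value):
    """Return one LDIF line, base64-encoding values that are unsafe as plain text."""
    raw = value.encode('utf-8')
    safe = (
        all(b not in (0, 10, 13) and b < 128 for b in raw)  # no NUL/LF/CR/non-ASCII
        and raw[:1] not in (b' ', b':', b'<')               # unsafe first characters
        and raw[-1:] != b' '                                # no trailing space
    )
    if safe:
        return '{}: {}'.format(attr, value)
    return '{}:: {}'.format(attr, base64.b64encode(raw).decode('ascii'))


def build_modify_ldif(dn, attrs):
    """Build a 'changetype: modify' record replacing each attribute in attrs."""
    lines = [ldif_line('dn', dn), 'changetype: modify']
    for attr, value in attrs.items():
        if not ATTR_RE.fullmatch(attr):
            raise ValueError('invalid attribute name: {!r}'.format(attr))
        lines += ['replace: ' + attr, ldif_line(attr, value), '-']
    return '\n'.join(lines) + '\n'


def modify_ldap_entry(dn, attrs, ldapmodify='ldapmodify'):
    """Apply the change using the existing Kerberos ticket cache (no keytab)."""
    ldif = build_modify_ldif(dn, attrs)
    # -Q: quiet SASL mode; -Y GSSAPI: authenticate with the current ticket.
    # The argument list is fixed and no shell is involved; input goes via stdin.
    subprocess.run(
        [ldapmodify, '-Q', '-Y', 'GSSAPI'],
        input=ldif.encode('ascii'),
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        check=True, timeout=30,
    )


if __name__ == '__main__':
    # Constructed sample entry; only prints the LDIF, does not contact a server.
    print(build_modify_ldif('uid=jdoe,ou=People,dc=example,dc=com',
                            {'loginShell': '/bin/zsh'}), end='')
```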

fawaf commented 5 years ago

I'm curious, is there no python library thingy that can manipulate ldap rather than writing a bunch of custom modify ldap stuffs?

jvperrin commented 5 years ago

There is, but I haven't found anything that works with Python 3, LDAP, and Heimdal Kerberos all in one package. Plus we already do this for account creation, so I figured using it elsewhere would make sense.

fawaf commented 5 years ago

ah, bummer :(