Three fixes:

1. gql() default vars '${2:-{}}' — bash parsed first '}' as closing the
   parameter expansion, appending a stray '}' to every caller's vars.
   Fixed by storing '{}' in a local variable first.
2. make_vars() — add VAR_INT_KEYS support so groupId is emitted as a
   JSON integer (Int!) rather than a string, matching LLDAP's schema.
3. Password setting — LLDAP has no GraphQL mutation for admin password
   reset. Replace the broken resetUserPasswordFromAdmin mutation with
   an RFC 3062 LDAP Password Modify operation via kubectl port-forward
   to the in-cluster LLDAP service, using ldap3.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

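The brace-parsing behaviour described in fix 1, shown as an added example that is not code from the commit or the project. `vars_buggy` and `vars_fixed` are hypothetical stand-ins for the default-handling line in `gql()`, and the sample payload is constructed.

```shell
#!/usr/bin/env bash
# Added illustration; function names are hypothetical, not the script's own.

# Buggy form: the shell ends the parameter expansion at the FIRST '}'.
# The default word is therefore just '{', and the second '}' is a literal
# character appended to whatever the expansion produced.
vars_buggy() {
  printf '%s' "${1:-{}}"
}

# Fixed form (the approach the commit describes): hold the default in a
# local variable so no literal brace appears inside ${...}.
vars_fixed() {
  local default_vars='{}'
  printf '%s' "${1:-$default_vars}"
}

# Constructed sample variables payload.
sample='{"groupId":3}'

# With no argument the buggy form happens to look correct ('{' + '}'),
# which is why the defect only shows up once a caller passes variables.
echo "buggy, no arg : $(vars_buggy)"
echo "buggy, arg    : $(vars_buggy "$sample")"
echo "fixed, no arg : $(vars_fixed)"
echo "fixed, arg    : $(vars_fixed "$sample")"
```

The unset case masks the defect, so a regression check for this kind of default has to pass explicit variables as well as none.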
--test derives the password from the display name (spaces → hyphens, append -Pwd),
e.g. "Test User" → "Test-User-Pwd". Skips the interactive prompt.
Useful for provisioning test accounts in a non-interactive flow.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Pass GraphQL query/variables and group names via environment variables
to python3 instead of shell argument interpolation. Prevents breakage
when display names, emails, or passwords contain quotes or spaces.
Also adds --admin flag support and interactive password prompt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Creates a user in LLDAP via GraphQL, adds them to net-kingdom-users,
optionally net-kingdom-admins (--admin flag), and sets a password interactively.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>