[Freeipa-users] check host password age

Petr Spacek pspacek at redhat.com
Wed Mar 13 08:55:55 UTC 2013


On 12.3.2013 14:41, Stijn De Weirdt wrote:
> hi all,
>
> (i'm new to freeipa, so it's possible i missed some docs here and there ;)
>
> i'm looking to add hosts with some secret password to ipa, then during
> kickstart install they use this password to run ipa-client-install.

You need to add the host account beforehand:
$ ipa host-add hostname.example.com --password=secret # or --random

Computer accounts created this way do not have Kerberos attributes present in 
LDAP:

$ ldapsearch -Y GSSAPI -b 
'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' 
'(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp

# hostname.example.com, computers, accounts, r.test
dn: fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130313083220Z


Kerberos attributes should be created during the host enrolment process, so you 
can query the krbLastPwdChange attribute:
$ ldapsearch -Y GSSAPI -b 
'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' 
'(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp
krbLastPwdChange: 20130313084141Z
krbLastSuccessfulAuth: 20130313084143Z
modifyTimestamp: 20130313084146Z

> what i would like to do, is to check for all hosts which have a password that
> is older than a certain age. for those i will assume that something has gone
> wrong and i would like to close the installation window. (and i would do so by
> assigning another random password to that host)
I would recommend
$ ipa host-disable hostname.example.com

> i guess the timestamps are somewhere in the ldap schema, i would like to know
> where or how i can find them.
> and if possible, how to do that using the ipalib python api.
>
> btw, is it correct for me to assume that when has_keytab=True that the host
> password is useless or even better unusable with that host?
Sorry, I have to defer this question to more competent people :-)

> i'm running 3.0.0-25 on a sl6 machine.

-- 
Petr^2 Spacek
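Putting the thread's check into a script: the hosts that never enrolled are the ones whose entries still lack krbLastPwdChange, and modifyTimestamp on such an entry tells how long the pre-shared password has been sitting unused. The example below is added here and is not from the thread or from FreeIPA; it parses constructed ldapsearch output with the standard library only (instead of ipalib) and returns the fqdns that a wrapper would pass to the `ipa host-disable` command Petr recommends.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `ldapsearch -LLL` output for cn=computers, shaped like
# the entries in the thread: host1 enrolled (Kerberos attributes present),
# host2 and host3 were only created with a password and never enrolled.
SAMPLE_LDIF = """\
dn: fqdn=host1.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20130313084141Z
krbLastSuccessfulAuth: 20130313084143Z
modifyTimestamp: 20130313084146Z

dn: fqdn=host2.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130310120000Z

dn: fqdn=host3.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130313083220Z
"""

def parse_ldif(text):
    """Parse flat LDIF (no folded lines, no base64 values) into a list of
    dicts mapping attribute name -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(':')
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def parse_gtime(value):
    """LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def stale_unenrolled_hosts(ldif_text, now, max_age_hours):
    """Return fqdns of hosts that have no krbLastPwdChange (never enrolled)
    and whose entry was last modified more than max_age_hours ago."""
    stale = []
    for entry in parse_ldif(ldif_text):
        if 'krbLastPwdChange' in entry:
            continue                  # enrolled: the one-time password was used
        modified = parse_gtime(entry['modifyTimestamp'][0])
        if now - modified > timedelta(hours=max_age_hours):
            rdn = entry['dn'][0].split(',', 1)[0]       # 'fqdn=host2.example.com'
            stale.append(rdn.split('=', 1)[1])
    return stale
```

Feed real data by replacing SAMPLE_LDIF with the output of `ldapsearch -LLL -Y GSSAPI -b cn=computers,cn=accounts,dc=example,dc=com krbLastPwdChange modifyTimestamp`, and pass `datetime.now(timezone.utc)` as `now`.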



