[Freeipa-users] check host password age

Stijn De Weirdt stijn.deweirdt at ugent.be
Wed Mar 13 09:35:49 UTC 2013


i'll get back to the previous part later, when i can test it (thanks petr!)


>>> i guess the timestamps are somewhere in the ldap schema, i would like to know
>>> where or how i can find them.
>>> and if possible, how to do that using the ipalib python api.
>>>
>>> btw, is it correct for me to assume that when has_keytab=True that the host
>>> password is useless or even better unusable with that host?
>> Sorry, I have to defer this question to more competent people :-)
>
> I think you could rather check that has_password=False. This effectively means
> that the principal has no userPassword attribute which could be used for
> authentication.
>
> has_keytab=True means that keys/keytab was generated, i.e. krbPrincipalKey is
> present.
>

the flow as i see it is the following:
a. new host, with random password : has_password=True, has_keytab=False
b. after successful ipa-client-install : has_keytab=True, has_password=?
c. no successful ipa-client-install: has_password=True, has_keytab=False

suppose i want to check which hosts have an old password, i should just
check all nodes with has_password=True and fetch the date through ldap.
but if in case b the password is still set (has_password=True), how can 
i disable password access? or should i not worry about passwords when 
has_keytab=True?


stijn




