[Freeipa-users] check host password age

Dmitri Pal dpal at redhat.com
Sat Mar 16 01:41:33 UTC 2013


On 03/13/2013 05:35 AM, Stijn De Weirdt wrote:
> i'll get back to the previous part later, when i can test it (thanks
> petr!)
>
>
>>>> i guess the timestamps are somewhere in the ldap schema, i would
>>>> like to know
>>>> where or how i can find them.
>>>> and if possible, how to do that using the ipalib python api.
>>>>
>>>> btw, is it correct for me to assume that when has_keytab=True that
>>>> the host
>>>> password is useless or even better unusable with that host?
>>> Sorry, I have to defer this question to more competent people :-)
>>
>> I think you could rather check that has_password=False. This
>> effectively means
>> that the principal has no userPassword attribute which could be used for
>> authentication.
>>
>> has_keytab=True means  that keys/keytab was generated, i.e.
>> krbPrincipalKey is
>> present.
>>
>
> the flow as i see it is the following:
> a. new host, with random password: has_password=True, has_keytab=False
> b. after successful ipa-client-install: has_keytab=True, has_password=?
> c. no successful ipa-client-install: has_password=True, has_keytab=False
>
> suppose i want to check which hosts have an old password, i should
> just check all nodes with has_password=True and fetch the date through
> ldap.
> but if in case b the password is still set (has_password=True), how
> can i disable password access? or should i not worry about passwords
> when has_keytab=True?

The password is used to enroll the host; it can't be used for anything else.
Enrolling the host means you provision a keytab for it.
AFAIU after successful ipa-client-install : has_keytab=True,
has_password=False
because the password is always a one time password used for enrollment.

Now the question is what you are trying to check.
I think you want to run a query on has_password=True, has_keytab=False
and modifyTimestamp is X time units in the past.
This however would not be the exact test as the timestamp can be
adjusted due to different changes and does not reflect the creation of
the password.

I also opened a ticket to help with this situation in future:
https://fedorahosted.org/freeipa/ticket/3516


>
>
> stijn
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
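The check Dmitri sketches (has_password=True, has_keytab=False, modifyTimestamp older than X), written out as an added example that is not part of the thread or of FreeIPA itself. The host entries are constructed sample data; their shape (attribute name mapped to a list of values, plus bare booleans for the has_* flags) is an assumption, and fetching modifyTimestamp for real hosts through LDAP is left to the reader.

```python
"""Flag FreeIPA host entries whose one-time enrollment password looks stale.

Added example. modifyTimestamp is only a proxy for when the password was
set (any later change to the entry moves it), so the output is a list of
candidates to review, not proof of password age.
"""
from datetime import datetime, timedelta, timezone

# Assumed reference time and threshold for the constructed sample below.
NOW = datetime(2013, 3, 16, 1, 41, 33, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)

# Constructed sample entries mirroring cases a, b and c from the thread.
SAMPLE_HOSTS = [
    {"fqdn": ["old.example.test"], "has_password": True,
     "has_keytab": False, "modifytimestamp": ["20130301000000Z"]},   # case a/c, old
    {"fqdn": ["enrolled.example.test"], "has_password": False,
     "has_keytab": True, "modifytimestamp": ["20130201000000Z"]},    # case b
    {"fqdn": ["fresh.example.test"], "has_password": True,
     "has_keytab": False, "modifytimestamp": ["20130315120000Z"]},   # case a, new
]


def _first(value):
    """Return the single value of a list-valued LDAP attribute, or the bare value."""
    return value[0] if isinstance(value, list) else value


def parse_ldap_time(value):
    """Parse LDAP generalized time as 389-ds emits it, e.g. 20130313053500Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def stale_password_hosts(entries, max_age, now=None):
    """Return sorted (fqdn, age) pairs for unenrolled hosts whose entry was
    last modified at least max_age ago. Enrolled hosts (keytab present) and
    hosts without a password are skipped, as the thread describes."""
    now = now or datetime.now(timezone.utc)
    stale = []
    for entry in entries:
        if not _first(entry.get("has_password", False)) or _first(entry.get("has_keytab", False)):
            continue
        stamp = _first(entry.get("modifytimestamp"))
        if stamp is None:
            continue  # operational attribute not fetched; cannot judge age
        age = now - parse_ldap_time(stamp)
        if age >= max_age:
            stale.append((_first(entry["fqdn"]), age))
    return sorted(stale)


def report():
    """Run the check over the constructed sample and return the flagged fqdns."""
    return [fqdn for fqdn, _ in stale_password_hosts(SAMPLE_HOSTS, MAX_AGE, now=NOW)]
```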
