[Freeipa-users] change min and max lifetime of random password

Stijn De Weirdt stijn.deweirdt at ugent.be
Thu Mar 27 21:39:15 UTC 2014


hi alexander,

>> it would be good anyway to have a script that checks, for all hosts that
>> have not enrolled yet, how old the issued password is (even after
>> expiration). very useful to spot the state of ongoing deployments and
>> to spot problems. how can one obtain the creation time of the
>> password? fetch the timestamp from LDAP, or is there a nice ipa API for
>> it?
> Since host object is a Kerberos principal, it has krbLastSuccessfulAuth
> and krbLastPwdChange attributes.
>
> ipa host-show host.name --all --raw
>
> will give you their values.
>
> # ipa host-show `hostname` --all --raw |grep krbLast
>    krbLastPwdChange: 20140213123016Z
>    krbLastSuccessfulAuth: 20140325073031Z
>
>
this does not seem to work on a host that has had the random password set
(or set a few times), but for which no keytab was created and no other form
of authentication has happened:
> ipa host-show test.test --all --raw |grep -E 'krb|has_'
>   has_password: True
>   has_keytab: False
>   krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
>   krbPrincipalName: host/test.test at TEST
>   objectClass: krbprincipalaux
>   objectClass: krbprincipal

(this is freeipa 3.3.3 on rhel7 beta)

stijn
