[Freeipa-users] change min and max lifetime of random password
Rob Crittenden
rcritten at redhat.com
Fri Mar 28 01:28:18 UTC 2014
Stijn De Weirdt wrote:
> hi alexander,
>
>>> it would be good anyway to have a script that checks all hosts that
>>> have not enrolled yet how old the issued password is (even after
>>> expiration). very useful to spot the state of ongoing deployments and
>>> to spot problems. how can one obtain the creation time of the
>>> password? fetch the timestamp from LDAP or is there a nice ipa API for
>>> it?
>> Since a host object is a Kerberos principal, it has krbLastSuccessfulAuth
>> and krbLastPwdChange attributes.
>>
>> ipa host-show host.name --all --raw
>>
>> will give you their values.
>>
>> # ipa host-show `hostname` --all --raw |grep krbLast
>> krbLastPwdChange: 20140213123016Z
>> krbLastSuccessfulAuth: 20140325073031Z
>>
>>
> this does not seem to work on a host that has the random password set
> (or set a few times), but no keytab was created or other form of
> authentication:
>> ipa host-show test.test --all --raw |grep -E 'krb|has_'
>> has_password: True
>> has_keytab: False
>> krbExtraData: AAI3mDRTcm9vdC9hZG1pbkB
>> krbPrincipalName: host/test.test at TEST
>> objectClass: krbprincipalaux
>> objectClass: krbprincipal
>
> (this is freeipa 3.3.3 on rhel7 beta)
Right, because it doesn't have Kerberos credentials yet, just a
password. We apparently don't set any dates when setting only the host
password. Which also means password policy probably wouldn't apply
correctly even if you were able to set one. And I guess the question is,
should we?
If so we'd need to always add the krbPrincipalAux objectclass and set
this value in the password plugin.
rob
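The check Stijn asks for, written out as an added example (it is not code from this thread or from FreeIPA): parse `ipa host-show HOST --all --raw` output, read `krbLastPwdChange` as LDAP GeneralizedTime, and report the password age. It also handles the case Rob describes, a host with `has_password: True`, `has_keytab: False` and no `krbLast*` attributes, by reporting that no timestamp is available instead of failing. The two sample outputs, the reference time, and the 7-day staleness threshold are constructed for the example.

```python
"""Report host enrollment state and one-time-password age from
`ipa host-show HOST --all --raw` output.

Added example, not code from the mailing-list thread or from FreeIPA.
The sample outputs below are constructed to mirror the attribute names
shown in the thread; the reference time is the date of Rob's message.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: an enrolled host with a keytab and recorded dates.
ENROLLED_RAW = """\
  has_password: False
  has_keytab: True
  krbLastPwdChange: 20140213123016Z
  krbLastSuccessfulAuth: 20140325073031Z
  krbPrincipalName: host/enrolled.example.test@EXAMPLE.TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal
"""

# Constructed sample: a host with only a one-time password set, as in the
# thread. No keytab yet, and no krbLast* attributes have been recorded.
OTP_ONLY_RAW = """\
  has_password: True
  has_keytab: False
  krbPrincipalName: host/test.test@TEST
  objectClass: krbprincipalaux
  objectClass: krbprincipal
"""

# Reference "now" for the age calculation (constructed; the thread's date).
REFERENCE_NOW = datetime(2014, 3, 28, 1, 28, 18, tzinfo=timezone.utc)


def parse_raw(text: str) -> Dict[str, List[str]]:
    """Parse --raw output into attribute -> list of values.

    Multi-valued attributes such as objectClass appear once per line in the
    raw output, so every attribute is kept as a list.
    """
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime like 20140213123016Z into an aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime ending in Z, got {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_age(attrs: Dict[str, List[str]], now: datetime) -> Optional[timedelta]:
    """Age of the last password change, or None when the server recorded no date."""
    values = attrs.get("krbLastPwdChange")
    if not values:
        return None
    return now - parse_generalized_time(values[0])


def classify_host(attrs: Dict[str, List[str]], now: datetime,
                  max_age: timedelta = timedelta(days=7)) -> str:
    """Classify a host record for a deployment-progress report."""
    has_keytab = attrs.get("has_keytab", ["False"])[0] == "True"
    has_password = attrs.get("has_password", ["False"])[0] == "True"
    age = password_age(attrs, now)
    if has_keytab:
        return "enrolled"
    if has_password and age is None:
        # The case from the thread: a password was set but no krbLastPwdChange
        # exists, so its age cannot be determined from LDAP.
        return "pending-no-timestamp"
    if has_password and age > max_age:
        return "pending-stale"
    if has_password:
        return "pending"
    return "unprovisioned"


def report(raw: str, now: datetime = REFERENCE_NOW) -> Tuple[str, Optional[int]]:
    """Return (state, age_in_days_or_None) for one host-show output."""
    attrs = parse_raw(raw)
    age = password_age(attrs, now)
    return classify_host(attrs, now), (age.days if age is not None else None)


if __name__ == "__main__":
    for name, raw in (("enrolled", ENROLLED_RAW), ("otp-only", OTP_ONLY_RAW)):
        state, days = report(raw)
        print(f"{name}: {state}, password age = {days} days")
```

In a real run the raw text would come from `subprocess.run(["ipa", "host-show", host, "--all", "--raw"], ...)` per host; the parsing and classification stay the same.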