On 12.3.2013 14:41, Stijn De Weirdt wrote:
> hi all,
>
> (i'm new to freeipa, so it's possible i missed some docs here and there ;)
>
> i'm looking to add hosts with some secret password to ipa, then during
> kickstart install they use this password to run ipa-client-install.

You need to add the host account beforehand:
$ ipa host-add hostname.example.com --password=secret # or --random

Computer accounts created this way do not have Kerberos attributes present in LDAP:

$ ldapsearch -Y GSSAPI -b 'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' '(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp

# hostname.example.com, computers, accounts, r.test
dn: fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130313083220Z


Kerberos attributes should be created during the host enrolment process, so you can query the krbLastPwdChange attribute:

$ ldapsearch -Y GSSAPI -b 'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' '(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp

krbLastPwdChange: 20130313084141Z
krbLastSuccessfulAuth: 20130313084143Z
modifyTimestamp: 20130313084146Z

> what i would like to do, is to check for all hosts which have a password that
> is older than a certain age. for those i will assume that something has gone
> wrong and i would like to close the installation window. (and i would do so by
> assigning another random password to that host)

I would recommend
$ ipa host-disable hostname.example.com

> i guess the timestamps are somewhere in the ldap schema, i would like to know
> where or how i can find them.
> and if possible, how to do that using the ipalib python api.
>
> btw, is it correct for me to assume that when has_keytab=True that the host
> password is useless or even better unusable with that host?

Sorry, I have to defer this question to more competent people :-)

> i'm running 3.0.0-25 on a sl6 machine.

--
Petr^2 Spacek

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
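
An added example, not part of the original message: a Python sketch that reads ldapsearch output of the kind quoted in the reply and lists hosts that were added but never enrolled (no krbLastPwdChange) and whose entry is older than a chosen window, as candidates for `ipa host-disable`. It assumes modifyTimestamp stands in for when the password was set (any later change to the entry also updates it); the host names and timestamps in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the ldapsearch output above (invented hosts).
SAMPLE_LDIF = """\
dn: fqdn=stale.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130310083220Z

dn: fqdn=fresh.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130313083220Z

dn: fqdn=enrolled.example.com,cn=computers,cn=accounts,dc=example,dc=com
krbLastPwdChange: 20130301084141Z
modifyTimestamp: 20130301084146Z
"""

def parse_entries(ldif):
    """Split LDIF text into one {attribute: value} dict per entry."""
    entries = []
    ldif = ldif.replace("\n ", "")  # undo LDIF line folding of long values
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldapsearch comments and anything unparsable
            name, value = line.split(": ", 1)
            entry[name] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def parse_ts(value):
    """Parse a GeneralizedTime value such as 20130313083220Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def stale_unenrolled(ldif, now, max_age):
    """FQDNs lacking krbLastPwdChange whose modifyTimestamp (assumed proxy) is too old."""
    stale = []
    for entry in parse_entries(ldif):
        if "krbLastPwdChange" in entry or "modifyTimestamp" not in entry:
            continue  # already enrolled, or nothing to judge the age by
        if now - parse_ts(entry["modifyTimestamp"]) > max_age:
            rdn = entry["dn"].split(",", 1)[0]  # e.g. fqdn=stale.example.com
            stale.append(rdn.split("=", 1)[1])
    return stale

if __name__ == "__main__":
    now = datetime(2013, 3, 13, 12, 0, tzinfo=timezone.utc)
    for fqdn in stale_unenrolled(SAMPLE_LDIF, now, timedelta(hours=24)):
        print("ipa host-disable", fqdn)
```
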
