On 05/12/2014 06:07 PM, James wrote:
On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
Is there any other attribute to look at?
For example the timestamp when it was last set and base the update on
that rather than on matching password values?

There are some other solutions, but they are less elegant or don't work
consistently. (E.g., bad hacks)


I would argue that comparing hashes is the worst hack ever.
Can you create a file once you set a password to indicate that the password is set?

Bottom line - I do not like the approach you are trying to implement and I do not want you to find a way to solve this problem by comparing hashes. It is not good security hygiene. I would rather suggest patches to puppet to address the issue properly than aid you on this path.

Sorry ;-)

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
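
The marker-file and timestamp idea raised in the message above, as an added example that is not part of the original thread and is not FreeIPA or Puppet code: a POSIX shell guard that runs a password setter once and records only a timestamp, so idempotency never depends on reading or comparing a hash. `set_password_once`, `MARKER_DIR` and the setter command passed in by the caller are hypothetical names.

```shell
# Added illustration. set_password_once, MARKER_DIR and the setter command
# supplied by the caller are hypothetical, not FreeIPA or Puppet interfaces.
MARKER_DIR="${MARKER_DIR:-/var/lib/pwstate}"

# usage: set_password_once <account> <setter-command> [args...]
# Runs the setter only when no marker exists for the account. The marker
# holds a UTC timestamp only, never the password or anything derived from it.
set_password_once() {
    account="$1"
    shift
    # Reject names that could escape MARKER_DIR or create hidden files.
    case "$account" in
        ""|*/*|.*) echo "invalid account name" >&2; return 2 ;;
    esac
    marker="$MARKER_DIR/$account.set"
    if [ -e "$marker" ]; then
        return 0    # password was set on an earlier run: nothing to do
    fi
    # State directory readable by the owner only.
    ( umask 077; mkdir -p "$MARKER_DIR" ) || return 1
    # Run the setter first and record success only if it succeeded,
    # so a failed run is retried on the next invocation.
    "$@" || return 1
    ( umask 077; date -u +%Y-%m-%dT%H:%M:%SZ > "$marker" ) || return 1
}
```

To force a reset later, remove the account's marker file; the next run calls the setter again.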
