----- Original Message -----
> On Mon, 2014-05-12 at 17:56 -0400, Dmitri Pal wrote:
> > Is there any other attribute to look at?
> > For example the timestamp when it was last set and base the update on
> > that rather than on matching password values?
> There are some other solutions, but they are less elegant or don't work
> consistently. (Eg: bad hacks)
Reading userPassword is a bad hack, that will stop working as soon as we decide
to change the default hash type.
Do yourself a favor, use a simple bind to check the user password.
If the bind succeeds you have the right password, and you stop.
If it fails you just override the password with whatever you have in puppet.
Simo Sorce * Red Hat, Inc. * New York
Freeipa-devel mailing list
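
Added example, not part of the original message and not FreeIPA project code: the bind-then-override check described above, with the cases a configuration-management run also has to handle (an empty password, and bind failures that are not "invalid credentials"). The function names, the `reset` callable and the sample DN are hypothetical; the real bind assumes the python-ldap package.

```python
from enum import Enum

class Action(Enum):
    KEEP = "keep"    # bind succeeded: the password already matches, stop
    RESET = "reset"  # server said invalid credentials: overwrite the password
    ERROR = "error"  # anything else: leave the password alone and report

class InvalidCredentials(Exception):
    """Raised by a bind callable when the server answers LDAP result 49."""

def ldap_simple_bind(uri, dn, password):
    """Simple bind with python-ldap (imported lazily so the logic below is testable)."""
    import ldap  # assumption: python-ldap is installed on the managing host
    conn = ldap.initialize(uri)
    try:
        conn.simple_bind_s(dn, password)
    except ldap.INVALID_CREDENTIALS as exc:
        raise InvalidCredentials(str(exc)) from exc
    finally:
        conn.unbind_s()

def decide(uri, dn, desired_password, bind=ldap_simple_bind):
    """Return what to do with the account, without ever reading userPassword."""
    if not desired_password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513); a success there proves nothing about the stored password.
        return Action.ERROR
    try:
        bind(uri, dn, desired_password)
    except InvalidCredentials:
        return Action.RESET
    except Exception:
        # Server unreachable, TLS failure, locked account, ...: resetting here
        # would rewrite passwords every time the directory is unavailable.
        return Action.ERROR
    return Action.KEEP

def ensure_password(uri, dn, desired_password, reset, bind=ldap_simple_bind):
    """Call reset(dn, password) only when the bind proves the password differs."""
    action = decide(uri, dn, desired_password, bind)
    if action is Action.RESET:
        reset(dn, desired_password)  # hypothetical: wraps the admin password change
    return action

# Constructed sample values for illustration only.
SAMPLE_URI = "ldaps://ipa.example.com"
SAMPLE_DN = "uid=jdoe,cn=users,cn=accounts,dc=example,dc=com"
```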