On 12.3.2013 14:41, Stijn De Weirdt wrote:
hi all,

(i'm new to freeipa, so it's possible i missed some docs here and there ;)

i'm looking to add hosts with some secret password to ipa, then during
kickstart install they use this password to run ipa-client-install.

You need to add host account beforehand:
$ ipa host-add hostname.example.com --password=secret # or --random

Computer accounts created this way do not have Kerberos attributes present in LDAP:

$ ldapsearch -Y GSSAPI -b 'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' '(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp

# hostname.example.com, computers, accounts, r.test
dn: fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com
modifyTimestamp: 20130313083220Z

Kerberos attributes should be created during host enrolment process, so you can query krbLastPwdChange attribute: $ ldapsearch -Y GSSAPI -b 'fqdn=hostname.example.com,cn=computers,cn=accounts,dc=example,dc=com' '(objectclass=*)' krbLastPwdChange krbLastSuccessfulAuth modifyTimestamp
krbLastPwdChange: 20130313084141Z
krbLastSuccessfulAuth: 20130313084143Z
modifyTimestamp: 20130313084146Z

what i would like to do, is to check for all hosts which have a password that
is older then a certain age. for those i will assume that something has gone
wrong and i would like to close the installation window. (and i would do so by
assigning another random password to that host)
I would recommend
$ ipa host-disable hostname.example.com

i guess the timestamps are somehwere in the ldap schema, i would like to know
where or how i can find them.
and if possible, how to do that using the ipalib python api.
btw, is it correct for me to assume that when has_keytab=True that the host
password is useless or even better unusable with that host?
Sorry, I have to defer this question to more competent people :-)

i'm running 3.0.0-25 on a sl6 machine.

Petr^2 Spacek

Freeipa-users mailing list

Reply via email to