i'll get back to the previous part later, wehn i can test it (thanks petr!)

i guess the timestamps are somehwere in the ldap schema, i would like to know
where or how i can find them.
and if possible, how to do that using the ipalib python api.

btw, is it correct for me to assume that when has_keytab=True that the host
password is useless or even better unusable with that host?
Sorry, I have to defer this question to more competent people :-)

I think you could rather check that has_password=False. This effectively means
that the principal has no userPassword attribute which could be used for

has_keytab=True means  that keys/keytab was generated, i.e. krbPrincipalKey is

the flow as i see it is the following:
a .new host, with random password : has_password=True, has_keytab=False
b after succesful ipa-client-install : has_keytab=True, has_password=?
c. no succesful ipa-client-install: has_password=True, has_keytab=False

suppose i want to check which hosts have an old password, is should just check all nodes with has_password=True and fetch the date through ldap. but if in case b the password is still set (has_password=True), how can i disable password access? or should i not worry about passwords when has_keytab=True?


Freeipa-users mailing list

Reply via email to