i'll get back to the previous part later, wehn i can test it (thanks petr!)
i guess the timestamps are somehwere in the ldap schema, i would like to know
where or how i can find them.
and if possible, how to do that using the ipalib python api.
btw, is it correct for me to assume that when has_keytab=True that the host
password is useless or even better unusable with that host?
Sorry, I have to defer this question to more competent people :-)
I think you could rather check that has_password=False. This effectively means
that the principal has no userPassword attribute which could be used for
has_keytab=True means that keys/keytab was generated, i.e. krbPrincipalKey is
the flow as i see it is the following:
a .new host, with random password : has_password=True, has_keytab=False
b after succesful ipa-client-install : has_keytab=True, has_password=?
c. no succesful ipa-client-install: has_password=True, has_keytab=False
suppose i want to check which hosts have an old password, is should just
check all nodes with has_password=True and fetch the date through ldap.
but if in case b the password is still set (has_password=True), how can
i disable password access? or should i not worry about passwords when
Freeipa-users mailing list