On 03/13/2013 05:35 AM, Stijn De Weirdt wrote:
> i'll get back to the previous part later, when i can test it (thanks
>>>> i guess the timestamps are somewhere in the ldap schema, i would
>>>> like to know
>>>> where or how i can find them.
>>>> and if possible, how to do that using the ipalib python api.
>>>> btw, is it correct for me to assume that when has_keytab=True that
>>>> the host
>>>> password is useless or even better unusable with that host?
>>> Sorry, I have to defer this question to more competent people :-)
>> I think you could rather check that has_password=False. This
>> effectively means
>> that the principal has no userPassword attribute which could be used for
>> has_keytab=True means that keys/keytab was generated, i.e.
>> krbPrincipalKey is
> the flow as i see it is the following:
> a. new host, with random password : has_password=True, has_keytab=False
> b. after successful ipa-client-install : has_keytab=True, has_password=?
> c. no successful ipa-client-install: has_password=True, has_keytab=False
> suppose i want to check which hosts have an old password, i should
> just check all nodes with has_password=True and fetch the date through
> but if in case b the password is still set (has_password=True), how
> can i disable password access? or should i not worry about passwords
> when has_keytab=True?
The password is used to enroll the host; it can't be used for anything else.
Enrolling the host means you provision a keytab for it.
AFAIU after successful ipa-client-install : has_keytab=True,
because the password is always one time password used for enrollment
Now the question what are you trying to check.
I think you want to run a query on has_password=True, has_keytab=False
and modifyTimestamp is X time units in the past
This however would not be the exact test as the timestamp can be
adjusted due to different changes and does not reflect the creation of
I also opened a ticket to help with this situation in future:
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
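The check suggested in the reply above (hosts with has_password=True and has_keytab=False whose modifyTimestamp is older than some threshold), written out as an added Python example; this is not code from the thread or from the FreeIPA project. It assumes host records in the shape returned by ipalib's host_find (the has_password/has_keytab booleans and a modifytimestamp attribute in LDAP GeneralizedTime form are assumptions), and the sample records below are constructed. The caveat from the reply is kept: modifyTimestamp moves on any change to the entry, so the result is an approximation of "stale one-time password", not the creation date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, in the shape ipalib's host_find(all=True)
# is assumed to return in result['result'] (attribute names are an assumption).
SAMPLE_HOSTS = [
    # case a/c: has a one-time password, never enrolled, last changed 1 March
    {"fqdn": ["node01.example.com"], "has_password": True, "has_keytab": False,
     "modifytimestamp": ["20130301120000Z"]},
    # case a: freshly added, not yet enrolled
    {"fqdn": ["node02.example.com"], "has_password": True, "has_keytab": False,
     "modifytimestamp": ["20130312230000Z"]},
    # case b: enrolled, keytab provisioned, password consumed
    {"fqdn": ["node03.example.com"], "has_password": False, "has_keytab": True,
     "modifytimestamp": ["20130210090000Z"]},
]


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime as 389-ds emits it (YYYYMMDDHHMMSSZ) to UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify_host(rec):
    """Map the two flags onto the states a/b/c discussed in the thread."""
    if rec.get("has_keytab"):
        return "enrolled"          # case b: keytab exists, password is spent
    if rec.get("has_password"):
        return "pending"           # case a/c: one-time password, no enrollment yet
    return "no-credentials"        # neither flag set


def find_stale(hosts, now_str, max_age_days):
    """Return FQDNs of pending hosts whose entry was last modified more than
    max_age_days before now_str (both in GeneralizedTime).

    Caveat (from the thread): modifyTimestamp is bumped by any change to the
    entry, so this approximates, rather than proves, an old enrollment password.
    """
    now = parse_generalized_time(now_str)
    max_age = timedelta(days=max_age_days)
    stale = []
    for rec in hosts:
        if classify_host(rec) != "pending":
            continue
        ts = parse_generalized_time(rec["modifytimestamp"][0])
        if now - ts > max_age:
            stale.append(rec["fqdn"][0])
    return stale


def fetch_hosts_via_ipalib():
    """Fetch live records. Assumed ipalib call sequence; requires an IPA client
    with a valid Kerberos ticket, so it is not exercised in the sample run."""
    from ipalib import api  # assumption: ipalib is installed on an enrolled client
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return api.Command.host_find(all=True)["result"]


if __name__ == "__main__":
    # Sample run against the constructed records with a 7-day threshold.
    for fqdn in find_stale(SAMPLE_HOSTS, "20130313053500Z", 7):
        print("stale enrollment password:", fqdn)
```

To run this against a real directory, replace SAMPLE_HOSTS with the output of fetch_hosts_via_ipalib(); hosts that come back as "enrolled" need no password housekeeping at all, which matches the reply's point that the password is only a one-time enrollment secret.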