I'm trying to find out which users do not have a password set yet. The "ipa user-find" command doesn't seem to allow filtering by "existence of password". Further, it doesn't show whether the password exists in output anyway. The user-show and user-add commands can show a "Password: False" output though. The web interface is also capable of indicating no password. Any ideas? Do I need to resort to LDAP "directory manager" queries? Can the "admin" user configure Permissions/Privileges to fix this? I couldn't find a "has_password" anywhere in the web console - just a userPassword field, which might work, but seems dangerous - I don't want to see the password (or hash of password) - I want to see if it exists or not, just like the GUI already reveals. Searching around, the closest discussion I found was:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Ryan Slominski via FreeIPA-users wrote:
> I'm trying to find out which users do not have a password set yet. The "ipa user-find" command doesn't seem to allow filtering by "existence of password". Further, it doesn't show whether the password exists in output anyway. The user-show and user-add commands can show a "Password: False" output though. The web interface is also capable of indicating no password. Any ideas? Do I need to resort to LDAP "directory manager" queries? Can the "admin" user configure Permissions/Privileges to fix this? I couldn't find a "has_password" anywhere in the web console - just a userPassword field, which might work, but seems dangerous - I don't want to see the password (or hash of password) - I want to see if it exists or not, just like the GUI already reveals. Searching around, the closest discussion I found was:
It is a fake attribute that IPA generates on output.
It is expensive for user-find because it adds two additional searches per-user, one for the password and one for Kerberos credentials.
This is an existence search you can do:
$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test "(!(userpassword=*))" dn
rob
Thanks Rob.
I ended up creating a script that loops over each user via "ipa user-find" and then uses "ipa user-show" to check for password existence. I'm filtering the user-find by a specific user group, but the LDAP search could probably do that too and probably is much faster.
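An added example, not from either poster, of the two approaches in this thread: the user-find/user-show loop restricted to one group, and Rob's single LDAP existence search with a memberOf filter. It assumes a valid Kerberos ticket, the "User login:" / "Password: True|False" layout of the ipa CLI output, and the example base DN dc=example,dc=test from Rob's command.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a Kerberos ticket, the ipa CLI
# output layout "  User login: NAME" and "  Password: True|False", and the
# example base DN dc=example,dc=test.

# Extract login names from `ipa user-find` output read on stdin.
logins_from_user_find() {
    awk -F': ' '/^ *User login:/ { print $2 }'
}

# Read `ipa user-show` output on stdin; print "yes" if a password is set,
# "no" if the server reports "Password: False", "unknown" if the line is absent.
password_state_from_user_show() {
    awk -F': ' '/^ *Password:/ { state = ($2 == "True") ? "yes" : "no" }
                END { print (state == "") ? "unknown" : state }'
}

# Slow path (one user-show per user): list members of GROUP with no password.
# --sizelimit=0 lifts the default search limit so large groups are not cut off.
users_without_password() {
    group=$1
    ipa user-find --in-groups="$group" --sizelimit=0 | logins_from_user_find |
    while read -r login; do
        if [ "$(ipa user-show "$login" | password_state_from_user_show)" = "no" ]; then
            echo "$login"
        fi
    done
}

# Fast path: one LDAP existence search, restricted to GROUP via the memberOf
# attribute FreeIPA maintains on user entries. Only the uid is returned, so no
# password hash is ever read. The base DN is an assumed example value.
ldap_users_without_password() {
    group=$1
    ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
        "(&(!(userPassword=*))(memberOf=cn=$group,cn=groups,cn=accounts,dc=example,dc=test))" uid
}

if [ $# -gt 0 ]; then
    users_without_password "$1"
fi
```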
freeipa-users@lists.fedorahosted.org