How to determine when host last checked in? - FreeIPA-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

How to determine when host last checked in?

Anyone using FreeIPA/IdM and...

/var/log/pki/pki-tomcat/ca/debug

Master Blaster

Tuesday, 26 November 2019 Tue, 26 Nov '19

11:37 p.m.

In large orginizations, hosts can sometimes be retired without following procedures, etc, which leaves host objects in FreeIPA for hosts that no longer exist. Is there anyway to see when a host last checked in with FreeIPA? One could then delete host objects which haven't connected in say 30/60/90 days.

Reply

Show replies by date

Master Blaster

Tuesday, 10 December Tue, 10 Dec

6:06 p.m.

Nothing? No ideas? How do large organizations with 1000s of hosts handle this?

Reply

François Cami

6:10 p.m.

There is currently no way to know, but the Disable Stale Users proposal could be extended to any principal including the host ones. https://github.com/freeipa/freeipa/blob/master/doc/designs/disable-stale-... The timestamp precision would be coarse but that would clearly match the use-case. François On Tue, Dec 10, 2019 at 12:07 PM Master Blaster via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:

Nothing? No ideas? How do large organizations with 1000s of hosts handle this? _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...

Reply

Master Blaster

6:32 p.m.

Thanks for the response, François. I'm somewhat surprised there isn't a way to determine both host and user activity already. For hosts, doesn't the Kerberos ticket have to be renewed on a regular basis? Couldn't that timestamp be used?

Reply

Alexander Bokovoy

6:46 p.m.

On ti, 10 joulu 2019, Master Blaster via FreeIPA-users wrote:

Thanks for the response, François. I'm somewhat surprised there isn't a way to determine both host and user activity already. For hosts, doesn't the Kerberos ticket have to be renewed on a regular basis? Couldn't that timestamp be used?

Yes. You still need to collect that information somehow. We do not update the time stamp right now at all by default because of a replication storm concerns. Once DSU feature is implemented, a coarse time stamp will updated for each principal. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

Reply

1597

days inactive

1611

days old

freeipa-users@lists.fedorahosted.org

Manage subscription

4 comments

3 participants

tags (0)

participants (3)

Alexander Bokovoy
François Cami
Master Blaster