Ryan Slominski via FreeIPA-users wrote:
I'm trying to find out which users do not have a password set
yet. The "ipa user-find" command doesn't seem to allow filtering by
"existence of password". Further, it doesn't show whether the password
exists in output anyways. The user-show and user-add commands can show a "Password:
False" output though. The web interface is also capable of indicating no password.
Any ideas? Do I need to resort to LDAP "directory manager" queries? Can
"admin" user configure Permissions/Privileges to fix this? I couldn't find
a "has_password" anywhere in the web console - just a userPassword field, which
might work, but seems dangerous - I don't want to see the password (or hash of
password) - I want to see if it exists or not, just like the GUI already reveals.
Searching around the closest discussion found was:
It is a fake attribute that IPA generates on output.
It is expensive for user-find because it adds two additional searches
per-user, one for the password and one for Kerberos credentials.
This is an existence search you can do:
$ ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
    "(!(userpassword=*))" dn
rob
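
Added example (not part of the original thread or of FreeIPA): a shell helper that turns the dn-only LDIF from the existence search above into a plain list of logins. The function names and the sample entries are constructed for illustration; it assumes the first RDN of a user entry is uid=<login> and that logins contain no commas.

```shell
#!/bin/sh
# LDIF folds long lines: a line starting with one space continues the
# previous one. Join those pieces back together before parsing.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (NR > 1) print buf; buf = $0 }
        END  { if (NR > 0) print buf }
    '
}

# Read dn-only LDIF on stdin and print one login per line.
uids_from_ldif() {
    ldif_unfold | while IFS= read -r line; do
        case $line in
            "dn:: "*) dn=$(printf '%s' "${line#dn:: }" | base64 -d) ;;  # base64-encoded DN
            "dn: "*)  dn=${line#dn: } ;;
            *)        continue ;;
        esac
        rdn=${dn%%,*}
        # The search base itself (cn=users,...) can also match the filter,
        # so keep only entries whose first RDN is uid=.
        case $rdn in
            uid=*) printf '%s\n' "${rdn#uid=}" ;;
        esac
    done
}

# Constructed sample output: a short DN, a folded DN, a base64 DN and the
# container entry.
sample_ldif() {
    printf 'dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\n\n'
    printf 'dn: uid=svc-backup-operator-for-the-very-long-named-department-of-rec\n'
    printf ' ords,cn=users,cn=accounts,dc=example,dc=test\n\n'
    printf 'dn:: %s\n\n' \
        "$(printf 'uid=bob,cn=users,cn=accounts,dc=example,dc=test' | base64)"
    printf 'dn: cn=users,cn=accounts,dc=example,dc=test\n'
}

# Usage with the search from the post above:
#   ldapsearch -LLL -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=test \
#       "(!(userpassword=*))" dn | uids_from_ldif
```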