A famous non-free operating system vendor provides a Local Administrator Password Solution for its flagship OS.
Here is my attempt at a GNU/Linux client for the same thing. This tool stores a unique local admin password for each host in LDAP. Some Unix environments still suffer from using the same single root password for everything. Here is the fix for that.
Please note that the domain-side configuration actions are still required. This is only the client-side utility.
laps for linux
Updated 2018-12-07: Now you can just download the rpm from my copr.
This is written in shell, and designed and tested on CentOS 7. An rpm spec is provided if you want to bundle it in that format. Contributions are welcome, of any sort.
There are two main ways to use my laps4linux.
laps is the Local Administrator Password Solution for GNU/Linux.
usage: laps.sh [-duV] [-c conffile] [-t|-a] [-f] [-r [-u ] [-h ]]
version 2018-10-22a
   -d debug      Show debugging info, including parsed variables.
   -- usage      Show this usage block.
   -V version    Show script version number.
   -c conf       Read in this config file. Default is /etc/laps/laps.conf
   -f force      Skip the time check and just update the password regardless.
      --noforce  Do not force. Overrides environment variable LAPS_FORCE.
   -t test       Dry run only. Useful with debugging on.
   -a apply      Turn off dry run. Default.
   -r read       Read password; do not set it. Can only be used by a domain admin. Can only be used with -u.
   -u user       Connect with kerberos ticket for this user. Default is "machine" to use host keytab.
   -h            Read this hostname instead of $( hostname -s )
Debug levels:
   0             Silent
   9             displays sensitive info, specifically the generated password
   10            function trace
Environment variables:
   See documentation at /usr/share/doc/laps/ for full explanation.
When implementing laps in your environment, you will want to ensure the LDAP connectivity is working. I particularly had trouble with the Kerberos auth to the domain controllers for LDAPS.
When running laps for the first time on a Linux client, use the -f flag: the expirationTime LDAP attribute is not yet set for that host, so the time comparison that decides whether to rotate the password fails with an error.
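The expiration check described above, written out as an added example in POSIX shell (this is illustrative code, not laps4linux's own). It assumes expirationTime is stored as a Windows FILETIME (100-nanosecond intervals since 1601-01-01, as the Windows LAPS schema uses) and that an empty value means the attribute is undefined, which is the first-run case that -f skips.

```shell
#!/bin/sh
# Rotation decision for a LAPS-style expirationTime attribute.
# Assumption (not from laps4linux): the attribute holds a Windows FILETIME.

# Seconds between 1601-01-01 and 1970-01-01.
FILETIME_EPOCH_OFFSET=11644473600

# filetime_to_epoch FILETIME -> prints Unix epoch seconds
filetime_to_epoch() {
    echo $(( $1 / 10000000 - FILETIME_EPOCH_OFFSET ))
}

# needs_rotation EXPIRATION NOW FORCE
#   EXPIRATION: FILETIME string fetched from LDAP, empty if undefined
#   NOW:        current Unix epoch seconds (e.g. $(date +%s))
#   FORCE:      1 to skip the time check (the -f flag), 0 otherwise
# Returns 0 = rotate now, 1 = not due yet,
#         2 = cannot compare (attribute undefined or not numeric)
needs_rotation() {
    exp="$1"; now="$2"; force="${3:-0}"
    # -f: rotate regardless of what LDAP says.
    if [ "$force" = "1" ]; then
        return 0
    fi
    case "$exp" in
        ''|*[!0-9]*)
            # First run on a host: no expirationTime to compare against.
            echo "expirationTime undefined or invalid; rerun with -f" >&2
            return 2
            ;;
    esac
    exp_epoch=$(filetime_to_epoch "$exp")
    if [ "$now" -ge "$exp_epoch" ]; then
        return 0
    fi
    return 1
}

# Constructed demo: FILETIME for 2023-11-14T22:13:20Z, checked at that instant.
if needs_rotation 133444736000000000 1700000000 0; then
    echo "password is due for rotation"
fi
```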
Maybe something like this could be implemented in FreeIPA. It’s just a simple schema extension, oh, and some ACLs. I don’t know if FreeIPA has ACLs on attributes, but it sounds like a logical thing to have.