This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker .
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1881677 - [RFE] allow enrollment to Red Hat IdM (freeIPA) with an expiration date
Summary: [RFE] allow enrollment to Red Hat IdM (freeIPA) with an expiration date
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.3
Hardware: All
OS: All
unspecified
low
Target Milestone: rc
: 8.0
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-09-22 21:01 UTC by joel
Modified: 2023-12-15 19:28 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-18 18:43:26 UTC
Type: Story
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-7827 0 None None None 2022-02-10 12:43:28 UTC
Red Hat Issue Tracker   RHEL-4861 0 None Migrated None 2023-09-18 18:40:24 UTC

Description joel 2020-09-22 21:01:19 UTC 
Description of problem:
We have a team which runs many build jobs in AWS that provision hosts, register to RedHat IdM/freeIPA, run a task, then terminate the EC2. They do their best  to always de-register hosts before terminating, but when build jobs are aborted or fail mid-run, we often end up having to manually terminate the EC2s. The same is true in rare cases when hosts become corrupted or unreachable. If there was a way that the ephemeral hosts could enroll with a way to indicate that the hosts should expire in after a set amount of time, then it would help the admins with the regular maintenance and cleanup of expired hosts.

Version-Release number of selected component (if applicable):
8.3 beta
Comment 1 Alexander Bokovoy 2020-09-23 06:37:37 UTC 
There is already krbPrincipalExpiration attribute that defines the time after which the principal is not active anymore.

It can be modified on the host entries manually, by setting time in Zulu format (YYYYMMDDHHmmZ):

ipa host-mod foo.bar.z --setattr krbprincipalexpiration=202009290000Z

this would set host/foo.bar.z principal to expire on 00:00 of 2020/09/29 in UTC timezone

Unfortunately, IPA CLI does not allow to search by the principal expiration in host-find or service-find commands.

Since this attribute is not set by default for hosts, it can be then used in cleanup scripts with LDAP searches to match hosts with explicitly set expiration.

For example, I have a host 'client.ipa.test' to which I set krbPrincipalExpiration to 00:00 of 2020/09/29 in UTC timezone:

# ipa host-mod client.ipa.test --setattr krbprincipalexpiration=202009290000Z
-------------------------------
Modified host "client.ipa.test"
-------------------------------
  Host name: client.ipa.test
  Platform: x86_64
  Operating system: 5.7.17-200.fc32.x86_64
  Principal name: host/client.ipa.test
  Principal alias: host/client.ipa.test
  SSH public key fingerprint: SHA256:MmZwEvtbk+JmTij6kU1twCTEZKGgaijyKGNZx9+CNuk root.test-c49dc8 (ssh-dss), SHA256:wHymevFCzMOM2izMawZ+U+5enECUaxjGTuw31uWfPTs root.test-c49dc8 (ssh-rsa),
                              SHA256:qAGO0Yweyh0hxlpNyO/cUYJjiVACndL3+0gZNt9xLeo root.test-c49dc8 (ecdsa-sha2-nistp256), SHA256:I1V7/xsYjxUqeupQuD6NrWoH9hLCAAFw8AqU31yPA34 root.test-c49dc8 (ssh-ed25519)
  Password: False
  Keytab: True
  Managed by: client.ipa.test

The search below would match only those hosts that have expiration time between 00:00 of 2020/09/23 and 00:00 of 2020/10/01 in UTC timezone:

# ldapsearch -Y GSSAPI -b cn=computers,cn=accounts,dc=ipa,dc=test '(&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))' fqdn
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=ipa,dc=test> with scope subtree
# filter: (&(objectclass=ipaHost)(&(krbprincipalexpiration<=202010010000Z)(krbprincipalexpiration>=202009230000Z)))
# requesting: fqdn 
#

# client.ipa.test, computers, accounts, ipa.test
dn: fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test
fqdn: client.ipa.test

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1
Comment 2 Alexander Bokovoy 2020-09-23 06:38:29 UTC 
Let me know if this helps to define a workaround time being.
Comment 5 Dmitri Pal 2020-10-05 17:25:15 UTC 
I would assume that the hosts that belong to a specific environment can be easily put into a host group.
So then we can have a script or a system role/playbook to reset all the hosts in a specific group making all of them ready for re-enrollment. But this solves the problem of re-enrollment of the same hosts. If we are talking about dead bodies that need cleanup then yes, an attribute with time stamp and some periodic cleanup should solve the problem.

This is a regular request.
Comment 7 joel 2020-11-30 16:52:50 UTC 
Thanks for the help, cu closed the case.
Comment 9 Theodoros Apazoglou 2022-02-10 12:33:13 UTC 
[synced to jira]
Comment 13 RHEL Program Management 2023-09-18 18:38:25 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 14 RHEL Program Management 2023-09-18 18:43:26 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.
Note You need to log in before you can comment on or make changes to this bug.