[Freeipa-users] Bypass pre-hashed passwords verification

Sébastien Julliot julliot at ljll.math.upmc.fr
Fri Jul 22 09:42:47 UTC 2016 

Hello everyone,

I am currently trying to deploy FreeIPA as the new idm system in my
university but came across a problem I could not solve yet. I need to
bypass the pre-hashed passwords verification, not only on the user creation.

Due to several constraints, our workflow involves periodically (once a
day, currently) receiving an ldif file containing the users up-to-date
informations, (including hashed passwords) and inserting this
informations into the idm. As our goal is to unify users passwords in
the university but do not have access to the higher-level LDAP directly,
we injected this pre-hashed passwords directly into the LDAP until today.

Yet, every attempt I made to update users passwords with pre-hashed
passwords failed for now.

First I tried this (migration mode enabled):

➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'

/*OK*/

➜  ~ kinit testuser

kinit: Generic preauthentication failure while getting initial credentials

As expected from the documentation, it does not work :p

I then thought about trying to copy the migration plug-in, and change
the way it retrieves users (from LDIF rather than from an online LDAP
server). Since this plugin is able to  But again, event binding as
Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
tested my code without the userPassword field and the users are
correctly inserted).

Here is my code :

class ldif_importer(ldif.LDIFParser):
    def __init__(self, ldap_backend):
        ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
        self.ldap = ldap_backend

    def handle(self, dn, entry):
        self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))

class my_backend(ipalib.Backend):
    '''Backend to import ldap passwords from ldif'''

    def __init__(self, api):
        ipalib.Backend.__init__(self, api)
        self.ldap = ldap2(self.api)
        self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********')

    def parse(self):
        importer = ldif_importer(self.ldap)
        importer.parse()

class my_command(ipalib.Command):
    '''Command calling my_backend to import passwords from ldif'''

    def execute(self, **options):
        '''Implemented against my_backend'''
        self.Backend.my_backend.parse()
        return {'result': 'everything OK'}


Should one of these methods have worked, and I did it incorrectly ?
Otherwise, what would be the lower-impact solution to achieve this ?
(Yes, I understand the security concerns about sending passwords hashes
on the network but this choice does not depend on me)

Many thanks in advance,
Sebastien.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160722/41babb97/attachment.sig>

More information about the Freeipa-users mailing list