<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Looks like I spoke too fast. Using ldappasswd, no problems with
LDAP queries.</p>
<p>But kinit rejects my password...<br>
</p>
<br>
<div class="moz-cite-prefix">On 25/07/2016 at 11:58, Sébastien
Julliot wrote:<br>
</div>
<blockquote
cite="mid:4f41115b-964e-0668-cbd0-9ad8746684ef@ljll.math.upmc.fr"
type="cite">
Hello Rob,<br>
<br>
The indicated method was unsuccessful, but I found another way to
do it :)<br>
<br>
Here is a summary of my unsuccessful tests :<br>
<pre>➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
---------------------
User "testuser" added
---------------------
</pre>
<br>
Now I am able to log in as <i>testuser</i>. Yet, despite having
added admin to passSyncManagersDNs on
cn=ipa_pwd_extop,cn=plugins,cn=config
<pre>➜ ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: cn=Directory Manager
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
</pre>
I still get an error when trying to set pre-hashed passwords:<br>
<pre>➜ ~ cat change_testuser_passwd.ldif
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
➜ ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
Enter LDAP Password:
modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
ldap_modify: Constraint violation (19)
        additional info: Pre-Encoded passwords are not valid
</pre>
<br>
However, I noted that using ldappasswd does the job, <i>even
without having set passSyncManagersDNs.<br>
<br>
</i>It is not as clean as if I could have used the FreeIPA API to
change passwords, but for lack of a better option, it will do the job.<br>
<br>
<div class="moz-cite-prefix">On 22/07/2016 at 20:47, Rob Crittenden
wrote:<br>
</div>
<blockquote cite="mid:57926A28.8050708@redhat.com" type="cite">Sébastien
Julliot wrote: <br>
<blockquote type="cite">Hi Petr, <br>
<br>
<br>
Thanks for the documentation. I had already followed the
steps from the <br>
NIS migration page; it works, but does not solve my problem,
which is to <br>
change *already existing users'* passwords. <br>
<br>
When trying <br>
<br>
ipa user-mod testuser --setattr
userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA==' <br>
<br>
I get "Pre-Encoded passwords are not valid" <br>
</blockquote>
<br>
Look at the first link Petr sent you. There is a password sync
manager setting that should be able to insert pre-hashed
passwords. <br>
<br>
rob <br>
<br>
<blockquote type="cite"> <br>
<br>
<br>
On 22/07/2016 at 15:08, Petr Vobornik wrote: <br>
<blockquote type="cite">On 07/22/2016 11:42 AM, Sébastien
Julliot wrote: <br>
<blockquote type="cite">Hello everyone, <br>
<br>
I am currently trying to deploy FreeIPA as the new IdM
system in my <br>
university but came across a problem I could not solve
yet. I need to <br>
bypass the pre-hashed password verification, not only on
user creation. <br>
<br>
Due to several constraints, our workflow involves
periodically (once a <br>
day, currently) receiving an LDIF file containing the
users' up-to-date <br>
information (including hashed passwords) and inserting
this <br>
information into the IdM. As our goal is to unify users'
passwords in <br>
the university but we do not have access to the higher-level
LDAP directly, <br>
we injected these pre-hashed passwords directly into the
LDAP until today. <br>
<br>
Yet, every attempt I made to update user passwords with
pre-hashed <br>
passwords has failed so far. <br>
<br>
First I tried this (migration mode enabled): <br>
<br>
➜ ~ ipa user-add testuser --first=test --last=user
--setattr userpassword='{MD5}*********************' <br>
<br>
/*OK*/ <br>
<br>
➜ ~ kinit testuser <br>
<br>
kinit: Generic preauthentication failure while getting
initial credentials <br>
<br>
As expected from the documentation, it does not work :p <br>
<br>
I then thought about trying to copy the migration plug-in,
and change <br>
the way it retrieves users (from LDIF rather than from an
online LDAP <br>
server). Since this plugin is able to But again, even
binding as <br>
Directory Manager, the ipa ldap2 backend method add_entry
refuses me (I <br>
tested my code without the userPassword field and the
users are <br>
correctly inserted). <br>
<br>
Here is my code: <br>
<pre>import ldif                                  # python-ldap's LDIF parser
import ipalib
from ipapython.dn import DN
from ipaserver.plugins.ldap2 import ldap2


class ldif_importer(ldif.LDIFParser):
    '''Feed every record of test.ldif to the ipa ldap2 backend'''

    def __init__(self, ldap_backend):
        ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
        self.ldap = ldap_backend

    def handle(self, dn, entry):
        # called by parse() once per LDIF record; entry maps attribute
        # names to lists of values
        self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))


class my_backend(ipalib.Backend):
    '''Backend to import ldap passwords from ldif'''

    def __init__(self, api):
        ipalib.Backend.__init__(self, api)
        self.ldap = ldap2(self.api)
        # bind as Directory Manager, bypassing the plugins' ACIs but,
        # as it turned out, not the pre-encoded password check
        self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
                          bind_pw='***********')

    def parse(self):
        importer = ldif_importer(self.ldap)
        importer.parse()


class my_command(ipalib.Command):
    '''Command calling my_backend to import passwords from ldif'''

    def execute(self, **options):
        '''Implemented against my_backend'''
        self.Backend.my_backend.parse()
        return {'result': 'everything OK'}
</pre>
<br>
<br>
Should one of these methods have worked, and I did it
incorrectly? <br>
Otherwise, what would be the lowest-impact solution to
achieve this? <br>
(Yes, I understand the security concerns about sending
password hashes <br>
over the network, but this choice does not depend on me) <br>
<br>
Many thanks in advance, <br>
Sebastien. <br>
<br>
</blockquote>
The issue might be that the user has his userPassword migrated
but he <br>
doesn't have a krbPrincipalKey generated. If the Kerberos key is
missing then <br>
it is automatically generated on a successful LDAP bind (that is
what the <br>
ipa/migration page does) <br>
<br>
Additional info which might interest you: <br>
* <br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync</a>
<br>
* <a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords">http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
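<p>The workflow in this thread is a daily LDIF dump of users whose userPassword values are already hashed, to be applied to accounts that already exist in FreeIPA. The example below is added here and is not code from the thread or from FreeIPA: it reads such a dump with a small RFC 2849 reader written for this example (not python-ldap's ldif module), pulls out the userPassword values, decodes the base64 (double-colon) form the same way ldapmodify does, and emits one "changetype: modify" record per user in exactly the shape of the change_testuser_passwd.ldif shown above. It also lists the users whose password arrives pre-hashed, since, as Petr's reply explains, those entries have no krbPrincipalKey until the user's first successful LDAP bind, so kinit fails for them until then. The sample LDIF is constructed for the example; the {MD5} value and the base64 string are the ones from the thread. Whether the server accepts the generated records is still decided by the ipa_pwd_extop plugin (the passSyncManagersDNs discussion above), which this script does not change.</p>

```python
"""Turn a received LDIF dump of users into a modify LDIF for existing
FreeIPA accounts, keeping the pre-hashed userPassword values as given.

Added example, not code from the thread or from FreeIPA. Standard
library only; the LDIF reader below is hand-written, not python-ldap's.
"""
import base64
import re

# Constructed sample input in the shape the thread describes: one record
# per user, userPassword already hashed by the upstream directory.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
objectClass: inetOrgPerson
uid: testuser
cn: test user
# pre-hashed value as the upstream directory stores it
userPassword: {MD5}8UBIfmQu5CpHAAniVJWPrQ==

dn: uid=other,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
objectClass: inetOrgPerson
uid: other
cn: other user
# same hash, but base64-encoded ('::'), as in change_testuser_passwd.ldif
userPassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

dn: uid=plain,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
uid: plain
userPassword: Secret123
"""

# A storage-scheme prefix such as {MD5}, {SSHA} or {CRYPT}: the marker
# 389-ds uses to tell a stored hash from a cleartext password.
_SCHEME_RE = re.compile(rb"^\{[A-Za-z0-9_-]+\}")


def parse_ldif(text):
    """Parse LDIF content records into [(dn, {attr: [bytes, ...]})].

    Handles '#' comments, folded lines (continuations start with one
    space) and base64 values ('attr:: value'). Attribute names are
    lower-cased. Change records and 'attr:< url' values are not needed
    for a plain user dump and are not handled.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical + [""]:             # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):           # 'attr:: base64'
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        name = name.lower()
        if name == "dn":
            current = (data.decode("utf-8"), {})
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(data)
    return entries


def is_pre_encoded(value):
    """True when the password is a hash the server is asked to store as-is."""
    return _SCHEME_RE.match(value) is not None


def password_changes(entries):
    """[(dn, password_bytes, pre_encoded)] for every entry carrying a
    userPassword; other attributes are deliberately left untouched."""
    return [(dn, pw, is_pre_encoded(pw))
            for dn, attrs in entries
            for pw in attrs.get("userpassword", [])]


def to_modify_ldif(changes):
    """One 'changetype: modify' record per change, replacing userPassword.
    Values are always written base64 ('::'), as the thread's LDIF does, so
    no byte of a hash can collide with LDIF syntax."""
    return "\n".join(
        "dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword:: %s\n"
        % (dn, base64.b64encode(pw).decode("ascii"))
        for dn, pw, _ in changes)


def users_without_kerberos_keys(changes):
    """DNs whose password arrives pre-hashed: no krbPrincipalKey is derived
    from the write, so kinit fails until the user's first LDAP bind."""
    return [dn for dn, _, pre in changes if pre]


if __name__ == "__main__":
    changes = password_changes(parse_ldif(SAMPLE_LDIF))
    print(to_modify_ldif(changes))
    for dn in users_without_kerberos_keys(changes):
        print("# no Kerberos key until first LDAP bind:", dn)
```

The generated output is what the thread's ldapmodify invocation consumes; the script keeps the replace-only shape so a bad dump cannot touch anything but userPassword, and it reports the pre-hashed users on every run because a Kerberos key only appears once each of them has bound to LDAP successfully.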
</body>
</html>