<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello Rob,<br>
<br>
The indicated method was unsuccessful, but I found another way to do it :)<br>
<br>
Here is a summary of my unsuccessful tests:<br>
<pre>
➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
-------------------------------
Utilisateur « testuser » ajouté
-------------------------------
</pre>
<br>
Now I am able to log in as <i>testuser</i>. Yet, despite having added admin as a passSyncManagersDNs value to cn=ipa_pwd_extop,cn=plugins,cn=config
<pre>➜ ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: cn=Directory Manager
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
</pre>
I still get an error when trying to set pre-hashed passwords:<br>
<pre>➜ ~ cat change_testuser_passwd.ldif
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
➜ ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
Enter LDAP Password:
modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
ldap_modify: Constraint violation (19)
        additional info: Pre-Encoded passwords are not valid
</pre>
<br>
However, I noted that using ldappasswd does the job, <i>even without having set passSyncManagersDNs.<br>
<br>
</i>It is not as clean as if I could have used the FreeIPA API to change passwords, but for lack of a better option, it will do the job.<br>
<br>
<div class="moz-cite-prefix">On 22/07/2016 at 20:47, Rob Crittenden wrote:<br>
</div>
<blockquote cite="mid:57926A28.8050708@redhat.com" type="cite">Sébastien Julliot wrote:
<br>
<blockquote type="cite">Hi Petr,
<br>
<br>
Thanks for the documentation. I had already followed the steps from the NIS migration page; it works, but does not solve my problem, which is to change *already existing users'* passwords.
<br>
<br>
When trying
<br>
<pre>ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='</pre>
I get "Pre-Encoded passwords are not valid"
<br>
</blockquote>
<br>
Look at the first link Petr sent you. There is a password sync manager setting that should be able to insert pre-hashed passwords.
<br>
<br>
rob
<br>
<br>
<blockquote type="cite">
<br>
<br>
<br>
On 22/07/2016 at 15:08, Petr Vobornik wrote:
<br>
<blockquote type="cite">On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
<br>
<blockquote type="cite">Hello everyone,
<br>
<br>
I am currently trying to deploy FreeIPA as the new IdM system in my university but came across a problem I could not solve yet. I need to bypass the pre-hashed password verification, not only on user creation.
<br>
<br>
Due to several constraints, our workflow involves periodically (once a day, currently) receiving an LDIF file containing the users' up-to-date information (including hashed passwords) and inserting this information into the IdM. As our goal is to unify users' passwords in the university but we do not have access to the higher-level LDAP directly, we injected these pre-hashed passwords directly into the LDAP until today.
<br>
<br>
Yet, every attempt I made to update users' passwords with pre-hashed passwords has failed so far.
<br>
<br>
First I tried this (migration mode enabled):
<br>
<pre>➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
/*OK*/
➜ ~ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials
</pre>
As expected from the documentation, it does not work :p
<br>
<br>
I then thought about trying to copy the migration plug-in, and change the way it retrieves users (from LDIF rather than from an online LDAP server). Since this plugin is able to But again, even binding as Directory Manager, the ipa ldap2 backend method add_entry refuses me (I tested my code without the userPassword field and the users are correctly inserted).
<br>
<br>
Here is my code:
<br>
<pre>import ldif                                   # LDIF parser from python-ldap
import ipalib
from ipapython.dn import DN
from ipaserver.plugins.ldap2 import ldap2     # assumed import path of the FreeIPA 4.x ldap2 backend


class ldif_importer(ldif.LDIFParser):
    '''Read entries from test.ldif and add each one through the IPA ldap2 backend'''

    def __init__(self, ldap_backend):
        ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
        self.ldap = ldap_backend

    def handle(self, dn, entry):
        # called by LDIFParser.parse() once per entry; add_entry is the call
        # that refuses entries carrying a pre-encoded userPassword
        self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))


class my_backend(ipalib.Backend):
    '''Backend to import ldap passwords from ldif'''

    def __init__(self, api):
        ipalib.Backend.__init__(self, api)
        self.ldap = ldap2(self.api)
        self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********')

    def parse(self):
        importer = ldif_importer(self.ldap)
        importer.parse()


class my_command(ipalib.Command):
    '''Command calling my_backend to import passwords from ldif'''

    def execute(self, **options):
        '''Implemented against my_backend'''
        self.Backend.my_backend.parse()
        return {'result': 'everything OK'}
</pre>
<br>
<br>
Should one of these methods have worked, and did I do it incorrectly?
<br>
Otherwise, what would be the lower-impact solution to achieve this?
<br>
(Yes, I understand the security concerns about sending password hashes on the network but this choice does not depend on me)
<br>
<br>
Many thanks in advance,
<br>
Sebastien.
<br>
<br>
</blockquote>
The issue might be that the user has his userPassword migrated but he doesn't have krbPrincipalKey generated. If the Kerberos key is missing then it is automatically generated on successful LDAP bind (it's what the ipa/migration page does)
<br>
<br>
Additional info which might interest you:
<br>
* <a class="moz-txt-link-freetext" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync</a>
<br>
* <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords">http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
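The thread turns on one detail of the LDIF being fed to ldapmodify: the <code>userpassword::</code> line is base64 on the wire, and what it decodes to is itself an RFC 2307 style pre-encoded value (<code>{MD5}</code> followed by a base64 digest), which the ipa_pwd_extop plugin refuses unless the binding DN is listed in passSyncManagersDNs. The following is an added example, not code from the thread or from FreeIPA: a small self-contained LDIF reader that unwraps the double encoding, identifies the storage scheme and digest length of each userPassword value, and reports which records will hit "Pre-Encoded passwords are not valid" so an importer can check a file before pushing it. The sample LDIF, DNs and the digest-length table are constructed for the example; the scheme regex and the weak-scheme flag are this example's own heuristics.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample LDIF: the modify record from the thread (the "::" form means the
# value is base64-encoded) plus a hypothetical record carrying a clear-text password.
# DNs are placeholders, not the site's real tree.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
-

dn: uid=otheruser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: correct horse battery staple
-
"""

# "attr: value" or "attr:: base64value" (RFC 2849); ";option" suffixes are allowed in names
LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;\-]*)(::?) ?(.*)$")
# RFC 2307 storage-scheme prefix as used by 389-ds / FreeIPA, e.g. {MD5}, {SSHA}, {PBKDF2_SHA256}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_\-]+)\}(.*)$", re.DOTALL)
# Raw digest sizes of the unsalted base64 schemes (constructed table; salted schemes such as SSHA vary)
UNSALTED_DIGEST_LEN = {"MD5": 16, "SHA": 20, "SHA256": 32, "SHA512": 64}
# Unsalted, fast hashes: flag them, they are poor protection for stored credentials
WEAK_SCHEMES = {"MD5", "SHA"}


def decode_line(line: str) -> Tuple[str, bytes]:
    """Split one LDIF attribute line into (name, raw value bytes), base64-decoding '::' values."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"malformed LDIF line: {line!r}")
    name, sep, raw = m.groups()
    value = base64.b64decode(raw, validate=True) if sep == "::" else raw.encode("utf-8")
    return name, value


def parse_ldif(text: str) -> List[Tuple[str, List[Tuple[str, bytes]]]]:
    """Minimal LDIF reader: one (dn, [(attr, value), ...]) per blank-line-separated record.
    Continuation lines (leading space) are unfolded; comments and '-' change separators are skipped."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)
        dn: Optional[str] = None
        attrs: List[Tuple[str, bytes]] = []
        for line in unfolded.splitlines():
            if not line.strip() or line.startswith("#") or line.strip() == "-":
                continue
            name, value = decode_line(line)
            if name.lower() == "dn":
                dn = value.decode("utf-8")
            else:
                attrs.append((name, value))
        if dn is None:
            raise ValueError("LDIF record without a dn line")
        records.append((dn, attrs))
    return records


def classify_password(value: bytes) -> Dict[str, object]:
    """Describe a userPassword value: pre-encoded or not, which scheme, and the decoded digest length."""
    m = SCHEME_RE.match(value.decode("utf-8", "replace"))
    if not m:
        return {"pre_encoded": False, "scheme": None, "digest_len": None, "weak": False, "well_formed": True}
    scheme, payload = m.group(1).upper(), m.group(2)
    try:
        digest_len: Optional[int] = len(base64.b64decode(payload, validate=True))
    except ValueError:          # binascii.Error is a ValueError: payload is not valid base64
        digest_len = None
    expected = UNSALTED_DIGEST_LEN.get(scheme)
    return {
        "pre_encoded": True,
        "scheme": scheme,
        "digest_len": digest_len,
        "weak": scheme in WEAK_SCHEMES,
        "well_formed": digest_len is not None and (expected is None or expected == digest_len),
    }


def lint(text: str) -> List[Dict[str, object]]:
    """One finding per userPassword value, stating how ipa_pwd_extop will treat it: pre-encoded
    values are rejected ('Pre-Encoded passwords are not valid') unless the modifying DN is in
    passSyncManagersDNs, clear-text values are hashed by the server itself."""
    findings = []
    for dn, attrs in parse_ldif(text):
        for name, value in attrs:
            if name.lower() != "userpassword":
                continue
            info = classify_password(value)
            info["dn"] = dn
            if info["pre_encoded"]:
                info["note"] = ("pre-encoded %s value: accepted only when the modifying DN is listed in "
                                "passSyncManagersDNs of cn=ipa_pwd_extop,cn=plugins,cn=config" % info["scheme"])
            else:
                info["note"] = "clear-text value: the server hashes it with its own scheme"
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_LDIF):
        flag = " WEAK (unsalted, fast hash)" if f["weak"] else ""
        print(f"{f['dn']}: scheme={f['scheme']} digest_len={f['digest_len']}{flag}\n    {f['note']}")
```

Run against the sample, the first record decodes to <code>{MD5}8UBIfmQu5CpHAAniVJWPrQ==</code> with a 16-byte digest (an unsalted MD5, which the linter flags as weak on top of being pre-encoded), the second is plain text and would go through the normal password path. A payload that is not valid base64 is reported as not well-formed rather than silently passed on to ldapmodify.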
</body>
</html>