[Freeipa-users] Invalid Credentials error on migrate-ds

Rob Crittenden rcritten at redhat.com
Mon Jan 24 21:07:40 UTC 2011


Jeff B wrote:
> The Apple Open Directory uses kerberos so they aren't readable as the
> root dn either.  The password fields all have the same token:
> KioqKioqKio=
>
> I wasn't expecting to be able to import passwords so I thought I could
> run an import as an anonymous bind.
>
>   I'll try again with a bind dn and see what happens.

Yes, any binddn should work. We intended this as a password migration 
mechanism which is why we bind as the root user by default but it can 
also just migrate your users I suppose. I briefly looked at the code and 
we aren't explicitly requiring userPassword so I'm thinking it may just 
work if you can bind.

Note that KioqKioqKio= is '********'. Someone has a sense of humor at 
Apple :-)

rob

>
>
>
> On Mon, Jan 24, 2011 at 3:22 PM, Jakub Hrozek<jhrozek at redhat.com>  wrote:
>> On 01/24/2011 08:57 PM, Jeff B wrote:
>>>
>>> I might have missed this yesterday,  is it trying to bind to the apple
>>> as Directory Manager?  I thought that was for FreeIPA but now I'm not
>>> sure.  I was intending to have it do an anonymous bind to the apple.
>>>
>>> If so I guess that would explain it.
>>>
>>
>> Yes, "cn=Directory Manager" against Apple DS. Anonymous bind wouldn't work,
>> because during migration, you need to read LDAP attributes that store user
>> passwords. Those are usually not readable anonymously.
>>
>>         Jakub
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
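A pre-migration check for the situation discussed in this thread, as an added example that is not part of the original messages or of FreeIPA's code: it scans an LDIF export and reports which entries carry a masked `userPassword` (such as `KioqKioqKio=`), a hashed one, or none. The sample LDIF, the function names and the assumption that hashed values use the common `{SCHEME}` prefix are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF export (not taken from the thread's directory);
# bob carries the masked value quoted in the thread, alice a made-up hash.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWRoYXNodmFsdWU=

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
userPassword:: KioqKioqKio=

dn: uid=carol,cn=users,dc=example,dc=com
uid: carol
"""

# Assumption: hashed values look like "{SCHEME}data", e.g. {SSHA}...
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}.+", re.S)


def classify_password(raw: bytes) -> str:
    """Return 'masked', 'hashed:<SCHEME>' or 'other' for a userPassword value."""
    if raw and set(raw) == {ord("*")}:
        return "masked"            # placeholder such as '********'
    m = SCHEME_RE.match(raw)
    if m:
        return "hashed:" + m.group(1).decode().upper()
    return "other"                 # cleartext or an unrecognised format


def audit_ldif(ldif: str) -> dict:
    """Map each entry DN to its userPassword class ('absent' if not present)."""
    report = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn, status = None, "absent"
        # Unfold LDIF continuation lines (newline followed by one space).
        for line in block.replace("\n ", "").splitlines():
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = value.strip()
            elif attr.lower() == "userpassword":
                # 'attr:: value' means the value is base64-encoded.
                raw = (base64.b64decode(value[1:].strip())
                       if value.startswith(":") else value.strip().encode())
                status = classify_password(raw)
        if dn:
            report[dn] = status
    return report
```

Entries reported as `masked` or `absent` will need a new password set after migration, since there is no usable credential to carry over.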
