[Freeipa-users] 4.0.0 password migration trouble

Martin Kosek mkosek at redhat.com
Mon Jul 21 10:46:54 UTC 2014


On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
> 
>> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
>> via ldapmodify to the 389 server using directory manager as the bind dn? I
>> just can't use the ipa command line tool/script.
> 
> The short answer is "no". Trying to add the userPassword attribute with ldapmodify binding as "cn=directory manager" fails with operation error.
> 
> Error log attached to the ticket Rob made: https://fedorahosted.org/freeipa/ticket/4450
> 
> To summarize:
> 
> No password migration via "ipa migrate-ds";
> No password migration via "ipa user-add --setattr userPassword={SHA}...";
> No password migration via 'ldapmodify -D "cn=directory manager"'.
> 
> Do you think a solution will be forthcoming, or is it a ways off? I can leave my old ldap directory up for a little while.

I did a couple of tests with a custom build of 389-ds-base and I got the migration
working after switching the new configuration option. See details and the
transcript in the ticket:

https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with the DS team to backport the switch option to Fedora 20 389-ds-base
and to release FreeIPA 4.0.1 with an appropriate patch to fix this problem ASAP,
ideally this week.

Thanks for your patience,
Martin



