[Freeipa-users] ldap modify

Atanas Bachvaroff bachvaroff at ucc.uni-sofia.bg
Mon Jul 21 11:30:24 UTC 2014


Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the
>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>> Fedora 20). I'm using the following script:
>>
>> ---- CUT ----
>> [nasko at ipa ~]$ cat change_pass.sh
>> #!/bin/sh
>>
>> # usage: change_pass.sh <dn> [password]
>> # a random 10-character password is generated when none is supplied
>> if test -z "${1}"; then
>> 	echo "no dn supplied" >&2
>> 	exit 1
>> fi
>>
>> if test -z "${2}"; then
>> 	PASS="$(pwgen 10 1)"
>> else
>> 	PASS="${2}"
>> fi
>>
>> echo "${PASS}"
>>
>> # pwdhash (389-ds) salts and hashes the cleartext in the server's default scheme;
>> # the argument must be quoted so a password containing spaces is hashed whole
>> PASS_HASH="$(pwdhash "${PASS}")"
>>
>> (
>> 	echo "dn: ${1}"
>> 	echo "changetype: modify"
>> 	echo "replace: userPassword"
>> 	echo "userPassword: ${PASS_HASH}"
>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
>> [nasko at ipa ~]$ ./change_pass.sh 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>> nohshohwoo
>> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>> ldap_modify: Operations error (1)
>>
>> [nasko at ipa ~]$
>> ---- CUT ----
>>
>> and so on and so on, ldapmodify returning the same error every time, on any
>> dn. Any suggestions?
>>
>> P.S.
>> The server is in migration mode at this time.
>>
>
> Hello Atanas,
>
> This issue is already discussed in
> https://fedorahosted.org/freeipa/ticket/4450
> and in the thread "[Freeipa-users] 4.0.0 password migration trouble"; you will
> find some information there. Ludwig, this issue is completely different from
> nsslapd-allow-hashed-passwords, correct?
>
> But anyway, changing the password via ldapmodify and supplying a pre-hashed
> password will not work well, and you will need to run through the migration
> mode even after ticket 4450 is fixed.
>
> If you have the clear text available (which I assume based on the
> "`pwdhash ${PASS}`" construct), I would rather suggest changing it via the
> ldappasswd script so that FreeIPA can also generate all the Kerberos
> attributes.
>
> HTH,
> Martin
>

Unfortunately, I don't have access to the cleartext passwords ('coz I'm
migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds
failed miserably with hashed-password constraint violations, so I cloned
the 389s etc., deleted the userPassword attributes and tried to
restore 'em with the script above, taking the PASS="${2}" branch, which
failed.

It appears that #4450 is very close to my issues.

-- 
Best regards, / Mit freundlichen Grüßen, / Met vriendelijke groeten,
Atanas Bachvaroff / Atanas Batschwaroff / Ätänas Batsjwärow
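The thread turns on what a pre-hashed userPassword value does and does not give the directory: a salted hash can be checked at bind time (which is what FreeIPA's migration mode relies on to capture the cleartext and derive Kerberos keys), but the hash by itself yields nothing Kerberos can use, which is Martin's point. The following is an added example, not code from the thread, FreeIPA or 389-ds. It reproduces the {SSHA} layout (salted SHA-1, salt appended to the digest, base64-encoded) that 389-ds pwdhash emitted by default at the time; that scheme choice, the 4-byte salt, the helper names and all DNs and passwords are assumptions constructed for the example.

```python
"""Added example, not code from the thread or from FreeIPA/389-ds.

Generates and verifies {SSHA} userPassword values and sorts a set of
imported values by whether the directory could verify them at bind time.
Assumption: the SSHA scheme (sha1(password + salt), salt appended to the
digest, base64 of the whole), with a 4-byte salt.  All DNs, passwords and
salts below are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Leading "{SCHEME}" tag of an LDAP userPassword value, e.g. "{SSHA}...".
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)

# Schemes this example knows how to verify with a cleartext in hand.
VERIFIABLE_SCHEMES = {"SSHA"}

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return "{SSHA}" + base64(sha1(password + salt) + salt).

    A fresh 4-byte random salt is drawn unless one is supplied; a fixed salt
    is only for tests, since two users with the same password must not share one.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    The salt is recovered from the tail of the decoded value, so nothing but
    the stored string is needed: this is how a directory can check a bind
    against an imported hash without ever having seen the cleartext.
    """
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() != "SSHA":
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    if len(raw) <= SHA1_LEN:  # need the digest plus at least one salt byte
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> str:
    """Return the storage-scheme tag of a userPassword value, or "CLEAR" if none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEAR"


def audit_passwords(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Group DNs by how their userPassword value could be handled in a migration.

    "verifiable": a scheme this code can check at bind time
    "cleartext":  no scheme tag, so the stored value is the password itself
    "opaque":     some other scheme; the server may still support it, but
                  nothing here can confirm that
    """
    groups: Dict[str, List[str]] = {"verifiable": [], "cleartext": [], "opaque": []}
    for dn, value in entries.items():
        scheme = password_scheme(value)
        if scheme == "CLEAR":
            groups["cleartext"].append(dn)
        elif scheme in VERIFIABLE_SCHEMES:
            groups["verifiable"].append(dn)
        else:
            groups["opaque"].append(dn)
    return groups


if __name__ == "__main__":
    # Constructed sample entries; none are real accounts or real hashes.
    sample = {
        "uid=alice,cn=users,cn=accounts,dc=example,dc=test": ssha_hash("Constructed-Pass-1"),
        "uid=bob,cn=users,cn=accounts,dc=example,dc=test": "{CRYPT}$6$saltsalt$notarealhash",
        "uid=carol,cn=users,cn=accounts,dc=example,dc=test": "stored-in-the-clear",
    }
    print(audit_passwords(sample))
    alice = sample["uid=alice,cn=users,cn=accounts,dc=example,dc=test"]
    print(ssha_verify("Constructed-Pass-1", alice), ssha_verify("wrong", alice))
```

Run against a dump of the source directory's userPassword values, audit_passwords shows which entries a bind could verify once imported; note that even for the "verifiable" group the hash alone leaves the account without Kerberos keys, which is why the cleartext still has to pass through the migration flow (or ldappasswd, when it is known).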
