[Freeipa-users] ldap modify
Martin Kosek
mkosek at redhat.com
Mon Jul 21 11:14:54 UTC 2014
On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
> Hello,
>
> I've been experiencing strange problems trying to manually modify the
> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
> Fedora 20). I'm using the following script:
>
> ---- CUT ----
> [nasko@ipa ~]$ cat change_pass.sh
> #!/bin/sh
>
> if test -z "${1}"; then
> echo "no dn supplied"
> exit 1
> fi
>
> if test -z "${2}"; then
> PASS="`pwgen 10 1`"
> else
> PASS="${2}"
> fi
>
> echo "${PASS}"
>
> PASS_HASH="`pwdhash ${PASS}`"
>
> (
> echo "dn: ${1}"
> echo "changetype: modify"
> echo "replace: userPassword"
> echo "userPassword: ${PASS_HASH}"
> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
> [nasko@ipa ~]$ ./change_pass.sh
> 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
> nohshohwoo
> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
> ldap_modify: Operations error (1)
>
> [nasko@ipa ~]$
> ---- CUT ----
>
> and so on and so on, ldapmodify returning the same error every time, on any
> dn. Any suggestions?
>
> P.S.
> The server is in migration mode at this time.
>
Hello Atanas,

This issue is already discussed in
https://fedorahosted.org/freeipa/ticket/4450
and thread "[Freeipa-users] 4.0.0 password migration trouble", you will find
some information there. Ludwig, this issue is completely different than
nsslapd-allow-hashed-passwords, correct?

But anyway, changing the password via ldapmodify and supplying a pre-hashed password
will not work well and you will need to run through the migration mode even
after ticket 4450 is fixed.

If you have the clear text available (which I assume based on the "`pwdhash ${PASS}`"
construct), I would rather suggest changing it via the ldappasswd script so that
FreeIPA can also generate all the Kerberos attributes.

HTH,
Martin
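
The ldappasswd route suggested in the reply above, as an added example that is not part of the original thread and is not FreeIPA's own code. It assumes OpenLDAP's ldappasswd, StartTLS on the directory port, and hypothetical settings LDAP_URI, BIND_DN and BIND_PW_FILE; both passwords are passed through files so they do not show up in the process list.

```shell
#!/bin/sh
# Added example: set the password from clear text with ldappasswd instead of
# writing a pre-hashed userPassword value with ldapmodify.
# Assumed settings (hypothetical names), overridable from the environment:
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=directory manager}"
BIND_PW_FILE="${BIND_PW_FILE:-$HOME/.dm_password}"  # mode 0600, no trailing newline

# Accept only a non-empty DN that looks like attr=value and cannot be
# mistaken for a command-line option.
valid_dn() {
    case "$1" in
        ''|-*) return 1 ;;
        *=*)   return 0 ;;
        *)     return 1 ;;
    esac
}

# Store the clear text in a private temp file so it never appears in the
# process list; prints the file name.
secret_file() {
    ( umask 077 && f=$(mktemp) && printf '%s' "$1" > "$f" && printf '%s\n' "$f" )
}

# change_pass DN [PASSWORD]: a password is generated with pwgen when none is given.
change_pass() {
    dn=$1 pass=${2:-}
    valid_dn "$dn" || { echo "invalid dn" >&2; return 1; }
    generated=no
    if [ -z "$pass" ]; then
        pass=$(pwgen 10 1) || return 1
        generated=yes
    fi
    pwfile=$(secret_file "$pass") || return 1
    # -ZZ: require StartTLS, -y: bind password file, -T: new password file
    rc=0
    ldappasswd -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" \
        -y "$BIND_PW_FILE" -T "$pwfile" "$dn" || rc=$?
    rm -f "$pwfile"
    if [ "$rc" -eq 0 ] && [ "$generated" = yes ]; then
        printf '%s\n' "$pass"   # show a generated password only after success
    fi
    return "$rc"
}

# Run only when called with arguments, e.g. ./change_pass.sh 'uid=...' [password]
if [ "$#" -gt 0 ]; then
    change_pass "$@"
fi
```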