[Freeipa-users] ldap modify

Ludwig Krispenz lkrispen at redhat.com
Mon Jul 21 11:29:23 UTC 2014


On 07/21/2014 01:14 PM, Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the
>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>> Fedora 20). I'm using the following script:
>>
>> ---- CUT ----
>> [nasko at ipa ~]$ cat change_pass.sh
>> #!/bin/sh
>>
>> if test -z "${1}"; then
>> 	echo "no dn supplied"
>> 	exit 1
>> fi
>>
>> if test -z "${2}"; then
>> 	PASS="`pwgen 10 1`"
>> else
>> 	PASS="${2}"
>> fi
>>
>> echo "${PASS}"
>>
>> PASS_HASH="`pwdhash ${PASS}`"
>>
>> (
>> 	echo "dn: ${1}"
>> 	echo "changetype: modify"
>> 	echo "replace: userPassword"
>> 	echo "userPassword: ${PASS_HASH}"
>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
>> [nasko at ipa ~]$ ./change_pass.sh
>> 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>> nohshohwoo
>> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>> ldap_modify: Operations error (1)
>>
>> [nasko at ipa ~]$
>> ---- CUT ----
>>
>> and so on and so on, ldapmodify returning the same error every time, on any
>> dn. Any suggestions?
>>
>> P.S.
>> The server is in migration mode at this time.
>>
> Hello Atanas,
>
> This issue is already discussed in
> https://fedorahosted.org/freeipa/ticket/4450
> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will find
> some information there. Ludwig, this issue is completely different than
> nsslapd-allow-hashed-passwords, correct?
no, don't think so. pwdhash XXX returns {SSSH}hgjhdgjah
so it matches 389 ticket 47389
>
> But anyway, changing password via ldapmodify and supplying pre-hashed password
> will not work well and you will need to run through the migration mode even
> after ticket 4450 is fixed.
>
> If you have a clear text available (which I assume based on the "`pwdhash ${PASS}`"
> construct), I would rather suggest changing it via the ldappasswd script so that
> FreeIPA can also generate all the Kerberos attributes.
>
> HTH,
> Martin
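Martin's suggestion worked through as an added example (not code from the thread): a script that sets the password with ldappasswd's Password Modify operation, so the server-side password plugin sees the clear text, instead of ldapmodify with a pre-hashed userPassword. The server URI, the Directory Manager password file path and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): set a FreeIPA user's password with
# ldappasswd (RFC 3062 Password Modify extended operation) instead of
# ldapmodify with a pre-hashed userPassword, so the server-side password
# plugin sees the clear text and can derive the Kerberos keys as well.
# Assumptions: LDAP_URI and DM_PW_FILE below are placeholders; DM_PW_FILE is
# a mode-0600 file holding the Directory Manager password (never pass it
# with -w, it would show up in the process list for every local user).

LDAP_URI="${LDAP_URI:-ldap://ipa.example.test}"       # assumed server URI
DM_PW_FILE="${DM_PW_FILE:-/root/.dm-password}"        # assumed path
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print, don't run

# Accept only user entries under cn=users,cn=accounts; a mistyped DN must not
# reset the password of some other entry while bound as Directory Manager.
check_user_dn() {
    case "$1" in
        uid=*,cn=users,cn=accounts,dc=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the command, or in dry-run mode print the argument list instead.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# set_password DN [NEWPASS]; generates a password with pwgen when none given.
set_password() {
    dn="$1"
    check_user_dn "$dn" || { echo "refusing to modify non-user DN: $dn" >&2; return 1; }
    pw_file="$(mktemp)" || return 1
    chmod 600 "$pw_file"
    # -T uses the file content verbatim, so write it without a trailing newline.
    if [ -n "${2:-}" ]; then printf '%s' "$2" > "$pw_file"
    else pwgen 14 1 | tr -d '\n' > "$pw_file"; fi
    # -ZZ: require StartTLS so the clear-text password never crosses the wire
    # unprotected; -T keeps the new password off the command line as well.
    if run ldappasswd -H "$LDAP_URI" -ZZ -D "cn=Directory Manager" \
           -y "$DM_PW_FILE" -T "$pw_file" "$dn"; then rc=0; else rc=$?; fi
    rm -f "$pw_file"
    return $rc
}

if [ $# -ge 1 ]; then
    set_password "$@"
fi
```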