[Freeipa-users] copy encrypted password into IPA?
Rob Crittenden
rcritten at redhat.com
Mon Sep 22 19:31:37 UTC 2014
Dmitri Pal wrote:
> On 09/22/2014 02:23 PM, Ron wrote:
>> We would like to add some users that are currently in the
>> password/shadow files on some servers into IPA.
>>
>> Is there any way to copy (preferably via a script) the encrypted
>> password into IPA so that we do not have to have them reset their
>> passwords?
>>
>> Our idea is to use the "IPA user-add" command to create the user then
>> insert their encrypted password into their IPA entry.
>>
>> Regards,
>> Ron
>>
>>
>
> The most probably answer is no since the hash types would not match
> between what you have in the files and what LDAP server expects.
> If you by any chance configured your files to use other hashes than
> default it might match. You can go the other way and reconfigure the
> LDAP server but AFAIR it is not recommended.
> The user-add command would not work anyways as it does not accept hash
> as an input. Or I should say it would allow you to add users without
> passwords in a script.
> You can set a random password, send it to account owner in a script and
> make account owners to change passwords (default) on the first use.
If you put IPA into migration mode then you can set a password on
user-add via --setattr userPassword=<hash> . Note that it is important
to do it in one step and not add user, then set password. You'll then
need to migrate the password to create Kerberos credentials either by
authenticating via SSSD or on the IPA web page.
The trick is having the hash in a format acceptable to 389-ds. I know it
works with crypt, you just need to prefix it with {crypt}<hash>. For
other formats, I don't know.
rob
More information about the Freeipa-users
mailing list