[Freeipa-users] Trying to migrate, can't set hashed passwords

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 9 18:45:49 UTC 2015


On Mon, 09 Mar 2015, Ben Slusky wrote:
>Greetings FreeIPA users,
>
>I'm setting up FreeIPA service in our production environment to replace
>several different authentication methods for various systems. I'm trying to
>migrate the first wave of users now. My plan was to copy their passwords
>from an old LDAP directory (one of the aforementioned several
>authentication methods) and then send them to the migration page to finish
>the job.
Even in migration mode, you can only set pre-hashed passwords when
creating the records, not when modifying them.

>
>bslusky at ipa1.aws:~$ head techteam-passwords.ldif
>dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
>changeType: modify
>replace: userPassword
>userPassword:: e1NTSE[...]
>-
>
>dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
>changeType: modify
>replace: userPassword
>userPassword:: e1NIQX[...]
>
>Unfortunately it isn't working:
>
>bslusky at ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f
>techteam-passwords.ldif
>Enter LDAP Password:
>modifying entry "uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int"
>ldap_modify: Operations error (1)
>
>I found some possible causes of this error, and fixed them:
>
>bslusky at ipa1.aws:~$ ipa config-show |grep migration
>  Enable migration mode: TRUE
>
>bslusky at ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config
>|grep allow-hashed
>Enter LDAP Password:
>nsslapd-allow-hashed-passwords: on
>
>Still no soap. Any suggestions?
Works as designed. We only allow unhashed passwords in migration mode
when an entry is added, not modified.

-- 
/ Alexander Bokovoy
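
A preflight check for the rule stated in the reply above, as an added example that is not part of the original thread: it reads an LDIF change file and flags records that would set a pre-hashed userPassword through a modify instead of an add. The function name `preflight`, the verdict strings, the abbreviated sample entries and the treatment of records without a changetype as adds are assumptions made for this illustration.

```python
import base64
import re

SCHEME = re.compile(r"^\{[A-Za-z0-9_-]+\}")  # storage-scheme prefix such as {SSHA}

# Constructed sample input, not taken from the thread; the hash is fake.
FAKE = base64.b64encode(b"{SSHA}constructed-fake-hash").decode()
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
changeType: modify
replace: userPassword
userPassword:: {FAKE}
-

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: add
userPassword:: {FAKE}

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userPassword
userPassword: constructed-cleartext
"""

def preflight(ldif):
    """Map each DN to a verdict under the rule stated in the reply above."""
    verdicts = {}
    unfolded = re.sub(r"\n ", "", ldif)  # undo LDIF line folding
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, changetype, hashed = None, "add", False  # assumption: no changetype means add
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            value = rest.strip()
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            key = name.strip().lower()  # case-insensitive; "-" lines match nothing
            if key == "dn":
                dn = value
            elif key == "changetype":
                changetype = value.lower()
            elif key == "userpassword" and SCHEME.match(value):
                hashed = True
        if not hashed:
            verdicts[dn] = "no-prehashed-password"
        elif changetype == "add":
            verdicts[dn] = "accepted-only-in-migration-mode"
        else:
            verdicts[dn] = "rejected-on-" + changetype
    return verdicts
```

Running `preflight` over a change file before loading it shows which entries have to be created with their hash rather than patched afterwards.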