[Freeipa-users] Trying to migrate, can't set hashed passwords

Ben Slusky bslusky at smartling.com
Tue Mar 10 19:25:44 UTC 2015


On Mon, Mar 9, 2015 at 2:45 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Mon, 09 Mar 2015, Ben Slusky wrote:
>
>> Greetings FreeIPA users,
>>
>> I'm setting up FreeIPA service in our production environment to replace
>> several different authentication methods for various systems. I'm trying to
>> migrate the first wave of users now. My plan was to copy their passwords
>> from an old LDAP directory (one of the aforementioned several
>> authentication methods) and then send them to the migration page to finish
>> the job.
>>
> Even in migration mode, you can only set pre-hashed passwords when
> creating the records, not when modifying them.
>
>
>> bslusky at ipa1.aws:~$ head techteam-passwords.ldif
>> dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NTSE[...]
>> -
>>
>> dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NIQX[...]
>>
>> Unfortunately it isn't working:
>>
>> bslusky at ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f techteam-passwords.ldif
>> Enter LDAP Password:
>> modifying entry "uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int"
>> ldap_modify: Operations error (1)
>>
>> I found some possible causes of this error, and fixed them:
>>
>> bslusky at ipa1.aws:~$ ipa config-show |grep migration
>>  Enable migration mode: TRUE
>>
>> bslusky at ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config |grep allow-hashed
>> Enter LDAP Password:
>> nsslapd-allow-hashed-passwords: on
>>
>> Still no soap. Any suggestions?
>>
> Works as designed. We only allow unhashed passwords in migration mode
> when entry is added, not modified.
>
> --
> / Alexander Bokovoy
>

Alexander: Thanks for clarifying that.

To anyone dealing with this or a similar problem who might find this in a
web search:
ipa user-add user0001 --first=User --last=0001 --setattr=userPassword='{SHA}...'
works like a charm (if migration mode is enabled).

-- 

*Ben Slusky* Smartling, Inc. Senior Operations Engineer
bslusky at smartling.com | smartling.com <http://www.smartling.com/>
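
Added example (not part of the original message, and not FreeIPA project code): a Python script that turns an LDIF export from the old directory into the `ipa user-add ... --setattr=userPassword=...` commands described above, unfolding wrapped lines, decoding base64 (`::`) values and skipping entries whose password is not a `{SCHEME}` hash. The sample LDIF, DNs, hash value and function names are constructed for illustration, and reading the names from `givenName`/`sn` is an assumption about the old directory's schema.

```python
import base64
import hashlib
import re
import shlex

# Constructed sample data: a fake hash and a two-entry export from the old directory.
SAMPLE_HASH = "{SHA}" + base64.b64encode(hashlib.sha1(b"example").digest()).decode()
_B64 = base64.b64encode(SAMPLE_HASH.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=user0001,ou=people,dc=example,dc=com\n"
    "uid: user0001\ngivenName: User\nsn: 0001\n"
    "userPassword:: " + _B64[:20] + "\n " + _B64[20:] + "\n"  # folded value
    "\n"
    "dn: uid=user0002,ou=people,dc=example,dc=com\n"
    "uid: user0002\ngivenName: User\nsn: 0002\n"
    "userPassword: not-a-hash\n"
)
HASH_SCHEME = re.compile(r"^\{[A-Za-z0-9_-]+\}.")  # e.g. {SHA}..., {SSHA}...

def parse_ldif(text):
    """Yield one dict per entry (last value wins for multi-valued attributes)."""
    text = text.replace("\n ", "")  # unfold continuation lines
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            entry[attr.lower()] = value.strip()
        yield entry

def user_add_commands(ldif_text):
    """Return (argv lists for `ipa user-add`, uids skipped for lacking a hash)."""
    cmds, skipped = [], []
    for e in parse_ldif(ldif_text):
        uid, pw = e.get("uid"), e.get("userpassword", "")
        if not uid:
            continue
        if not HASH_SCHEME.match(pw):
            skipped.append(uid)
            continue
        cmds.append(["ipa", "user-add", uid, "--first=" + e.get("givenname", uid),
                     "--last=" + e.get("sn", uid), "--setattr=userPassword=" + pw])
    return cmds, skipped

if __name__ == "__main__":
    commands, skipped = user_add_commands(SAMPLE_LDIF)
    for argv in commands:
        print(shlex.join(argv))  # review before running on the IPA server
    print("# skipped (no hashed password):", ", ".join(skipped))
```

Because the hash is passed as a command-line argument, it is visible in the process list and shell history on the host where the commands are run.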