[Freeipa-users] User creation with native ldap tools

Alan Evans alanwevans at gmail.com
Tue May 5 19:48:58 UTC 2015


Hello, I thought I saw something like this asked before but after searching
the archive it seems I can't find it.

I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible using native
ldap tools, ldapadd and ldappasswd in particular, for user creation and
password management?

I am trying to use an IDM to synchronize accounts from one directory to
FreeIPA.  The IDM does not have native FreeIPA support but does have LDAP
support.

I have successfully gotten some objects created but I am having problems
with their passwords.

I have tried using https://ipa/ui/migration, resetting passwords in IPA UI,
ldappasswd and the ipa-cli but when I kinit these users I get the following.


May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required


I did get a few Google hits on 'CLIENT KEY EXPIRED' but I am not sure I
understand what they're referring to and if they apply in this situation.

Thank you,
-Alan
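
Added example, not part of the original message: a small triage script for krb5kdc lines like the ones quoted above, which rejoins mail-wrapped entries and groups failures by client principal, service and status. The sample input is constructed from the format shown in the message, and the function names (unwrap, parse, summarize, expired_clients) are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format quoted in the message, hard-wrapped as mail.
SAMPLE = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/
EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/
changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/
EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} [\d:]{8}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>[\d.]+): (?P<status>[A-Z_ ]+): "          # IPv4 client assumed
    r"(?P<client>\S+) for (?P<service>[^,\s]+)(?:, (?P<msg>.*))?$")

def unwrap(text):
    """Rejoin hard-wrapped entries: a line without a syslog stamp continues
    the previous one (no space is re-added after a trailing '/')."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += ("" if entries[-1].endswith("/") else " ") + line
    return entries

def parse(text):
    """Return one dict per failed-request line; other layouts are skipped."""
    return [m.groupdict() for m in map(ENTRY.match, unwrap(text)) if m]

def summarize(text):
    """Count (service, status) pairs per client principal."""
    out = defaultdict(Counter)
    for rec in parse(text):
        out[rec["client"]][(rec["service"], rec["status"])] += 1
    return out

def expired_clients(text):
    """Principals rejected with CLIENT KEY EXPIRED (password past expiry)."""
    return sorted({r["client"] for r in parse(text)
                   if r["status"] == "CLIENT KEY EXPIRED"})
```

NEEDED_PREAUTH on its own is the normal first round of a pre-authenticated AS exchange, so expired_clients() reports only the CLIENT KEY EXPIRED rejections.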