[Freeipa-users] User creation with native ldap tools

Dmitri Pal dpal at redhat.com
Tue May 5 20:09:04 UTC 2015


On 05/05/2015 03:48 PM, Alan Evans wrote:
> Hello, I thought I saw something like this asked before but after 
> searching the archive it seems I can't find it.
>
> I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible using 
> native ldap tools, ldapadd and ldappasswd in particular, for user 
> creation and password management?
>
> I am trying to use an IDM to synchronize accounts from one directory 
> to FreeIPA.  The IDM does not have native FreeIPA support but does 
> have LDAP support.
>
> I have successfully gotten some objects created but I am having 
> problems with their passwords.
>
> I have tried using https://ipa/ui/migration, resetting passwords in 
> IPA UI, ldappasswd and the ipa-cli but when I kinit these users I get 
> the following.
>
>
> May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for
> krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16
> 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for
> kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>
>
> I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure 
> I understand what they're referring to and if they apply in this 
> situation.
>
> Thank you,
> -Alan
>
>
This might be caused by a mismatch of the LDAP password hashes.
The password hashes that you had in the other directory might not have the 
right hash types.

There is a way to change the hashing scheme in the IPA directory so that 
the hashes would become accepted, but I do not recall the setting off the top of 
my head.
In general this is not yet supported. We are working on the feature for 4.2.
http://www.freeipa.org/page/V4/User_Life-Cycle_Management

-- 
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
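As an added example, not part of the thread and not FreeIPA project code: a small Python parser for the krb5kdc AS_REQ lines Alan posted, which classifies each KDC response so the two statuses in his log are not confused. NEEDED_PREAUTH is the normal first leg of every AS exchange and is not an error; CLIENT KEY EXPIRED for the krbtgt principal, followed immediately by a request for kadmin/changepw, is kinit being refused a TGT and then attempting a password change. Besides the hash-type mismatch Dmitri describes, the attribute the KDC consults for "Password has expired" is krbPasswordExpiration on the user entry, and FreeIPA sets it to the time of an administrative password reset so that the user must change the password at first login; the last helper checks such a value. The four log lines embedded below are copied from the thread with the archive's address mangling undone, and the names of the functions are this example's own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Four krb5kdc lines copied from the thread above, with the list archive's
# address mangling ("foouser at EXAMPLE.COM <mailto:...>") undone.
KDC_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
"""

# Shape of an MIT krb5kdc AS_REQ line as it appears in the thread.
AS_REQ = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(\w+\): "
    r"AS_REQ \((?P<n_etypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_ ]+?): (?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)

# What each KDC status means for someone reading the log (this example's wording).
MEANING = {
    "NEEDED_PREAUTH": "normal first leg of an AS exchange; the client retries with pre-authentication",
    "CLIENT KEY EXPIRED": "krbPasswordExpiration is in the past; no TGT until the password is changed",
}


def parse_as_req(line):
    """Parse one AS_REQ line into a dict, or return None for anything else."""
    m = AS_REQ.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    rec["meaning"] = MEANING.get(rec["status"], "unclassified KDC status")
    return rec


def as_req_records(log_text):
    """All parseable AS_REQ records in a block of log text, in order."""
    return [r for r in (parse_as_req(l) for l in log_text.splitlines()) if r]


def status_counts(log_text):
    """Counter keyed by (client principal, KDC status)."""
    return Counter((r["client"], r["status"]) for r in as_req_records(log_text))


def expired_clients(log_text):
    """Principals the KDC refused because their password had expired."""
    return sorted({r["client"] for r in as_req_records(log_text)
                   if r["status"] == "CLIENT KEY EXPIRED"})


def generalized_time(value):
    """Parse an LDAP GeneralizedTime such as "20150504212126Z" (UTC) into a datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_expired(krb_password_expiration, now=None):
    """True if a user's krbPasswordExpiration value is at or before `now`."""
    now = now or datetime.now(timezone.utc)
    return generalized_time(krb_password_expiration) <= now


if __name__ == "__main__":
    for (client, status), n in sorted(status_counts(KDC_LOG).items()):
        print(f"{client}: {status} x{n} -> {MEANING.get(status)}")
    print("refused for expired password:", expired_clients(KDC_LOG))
```

Feed the script the relevant part of /var/log/krb5kdc.log on the IPA server and compare the principals it reports under CLIENT KEY EXPIRED with the krbPasswordExpiration value on their entries; a value at or before the time of the failed kinit confirms the KDC's verdict regardless of how the password was loaded.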
