[Freeipa-users] User creation with native ldap tools
Dmitri Pal
dpal at redhat.com
Tue May 5 20:09:04 UTC 2015
On 05/05/2015 03:48 PM, Alan Evans wrote:
> Hello, I thought I saw something like this asked before but after
> searching the archive it seems I can't find it.
>
> I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it possible using
> native ldap tools, ldapadd and ldappasswd in particular, for user
> creation and password management?
>
> I am trying to use an IDM to synchronize accounts from one directory
> to FreeIPA. The IDM does not have native FreeIPA support but does
> have LDAP support.
>
> I have successfully gotten some objects created but I am having
> problems with their passwords.
>
> I have tried using https://ipa/ui/migration, resetting passwords in
> IPA UI, ldappasswd and the ipa-cli but when I kinit these users I get
> the following.
>
>
> May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
> May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
> May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
>
>
> I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure
> I understand what they're referring to and if they apply in this
> situation.
>
> Thank you,
> -Alan
>
>
This might be caused by a mismatch of the LDAP password hashes.
The password hashes that you had in the other directory might not have the
right hash types.
There is a way to change the hashing scheme in the IPA directory so that the
hashes would become accepted, but I do not recall the setting off the top of
my head.
In general this is not yet supported. We are working on the feature for 4.2.
http://www.freeipa.org/page/V4/User_Life-Cycle_Management
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
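The KDC lines Alan quoted follow a repeating pattern: an AS_REQ for krbtgt/EXAMPLE.COM is refused with CLIENT KEY EXPIRED ("Password has expired"), and in the same second the same client sends an AS_REQ for kadmin/changepw, the password-change service. The script below is an added example and is not code from this thread or from the FreeIPA project. It parses krb5kdc AS_REQ lines in that format (the sample lines are constructed to match the quoted ones, plus a made-up second principal) and tallies, per principal, how many expired-key refusals occurred versus ordinary NEEDED_PREAUTH exchanges and how many of those went to kadmin/changepw, so that a provisioning problem affecting many synchronized accounts stands out from the normal per-user flow. All function and field names are this example's own.

```python
"""Triage krb5kdc AS_REQ log lines: separate 'Password has expired' refusals
from the ordinary NEEDED_PREAUTH round trip. Added example, not thread code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines in the same format as the krb5kdc entries quoted above.
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:40:00 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.140: NEEDED_PREAUTH: baruser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
"""

# One AS_REQ line: timestamp, host, pid, level, etype list, client IP,
# status (may contain spaces, e.g. "CLIENT KEY EXPIRED"), client and
# service principals, trailing human-readable message.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\((?P<level>\w+)\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_ ]+?): (?P<client>\S+) for (?P<service>\S+), (?P<msg>.*)$"
)


@dataclass
class AsReq:
    timestamp: str
    client_ip: str
    status: str
    client: str
    service: str
    message: str
    etypes: tuple


def parse_as_req(line):
    """Return an AsReq for an AS_REQ line, or None for anything else
    (ISSUE, TGS_REQ and other krb5kdc records are deliberately skipped)."""
    m = AS_REQ_RE.match(line.strip())
    if not m:
        return None
    return AsReq(
        timestamp=m["ts"], client_ip=m["ip"], status=m["status"],
        client=m["client"], service=m["service"], message=m["msg"],
        etypes=tuple(int(e) for e in m["etypes"].split()),
    )


@dataclass
class ClientSummary:
    expired: int = 0            # CLIENT KEY EXPIRED refusals
    needed_preauth: int = 0     # NEEDED_PREAUTH replies (normal first leg)
    changepw_requests: int = 0  # NEEDED_PREAUTH replies for kadmin/changepw
    source_ips: set = field(default_factory=set)


def summarize(lines):
    """Tally AS_REQ outcomes per client principal."""
    out = defaultdict(ClientSummary)
    for line in lines:
        req = parse_as_req(line)
        if req is None:
            continue
        s = out[req.client]
        s.source_ips.add(req.client_ip)
        if req.status == "CLIENT KEY EXPIRED":
            s.expired += 1
        elif req.status == "NEEDED_PREAUTH":
            s.needed_preauth += 1
            if req.service.startswith("kadmin/changepw@"):
                s.changepw_requests += 1
    return dict(out)


def expired_principals(lines):
    """Principals that hit at least one 'Password has expired' refusal."""
    return sorted(c for c, s in summarize(lines).items() if s.expired)


if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: expired={s.expired} preauth={s.needed_preauth} "
              f"changepw={s.changepw_requests} ips={sorted(s.source_ips)}")
```

Run it against `/var/log/krb5kdc.log` (or the journal) instead of SAMPLE_LOG to get the same tally for real traffic; a principal with expired refusals but no kadmin/changepw request is a client that never got as far as the password-change step, while many expired principals from one source address points at the synchronization host rather than at individual users.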