[Freeipa-users] question about password migration from ldap

Alexander Bokovoy abokovoy at redhat.com
Thu May 28 10:31:36 UTC 2015


On Thu, 28 May 2015, David Lin wrote:
>hum, seems like the migrated users do not have userPassword attribute.  
>Is there anyway to fix this?
Did you actually have access to the userPassword attribute in OpenLDAP
when the migrate-ds command was running? All this is described in the 'ipa
migrate-ds --help' output.

You cannot add the userPassword attribute in hashed form after the object
was created in IPA. It can only be set when a new user record is created
in the migration mode.

>
>Thanks!
>David
>
>On 05/28/2015 03:13 AM, Martin Kosek wrote:
>>On 05/28/2015 11:47 AM, David Lin wrote:
>>>Hi,
>>>I am trying to migrate from openldap to freeipa.  Everything seems to be working
>>>except the password. I understand that when migrating from openldap, the hashed
>>>form of the passwords is migrated, but a Kerberos hash is not generated until
>>>the user logs in using sssd or through the ipa/migration web ui.  However, the
>>>users are not able to log in in either form using their existing password; from
>>>the directory server log, the only weird thing I see is
>>>
>>>[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
>>>[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND
>>>dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]"
>>>method=128 version=3
>>>[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
>>>[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
>>>[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1
>>>
>>>What does err=48 mean?
>>>
>>>I do have
>>>ipa config-mod --enable-migration=TRUE
>>48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
>>http://www.zytrax.com/books/ldap/ch12/
>>
>>Do the migrated users have the userPassword attribute? You can check on the
>>user with:
>>
>># ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b
>>"uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
>># extended LDIF
>>#
>># LDAPv3
>># base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
>># filter: (objectclass=*)
>># requesting: uid userPassword
>>#
>>
>># admin, users, accounts, f21
>>dn: uid=admin,cn=users,cn=accounts,dc=f21
>>uid: admin
>>userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==
>>
>># search result
>>search: 2
>>result: 0 Success
>>
>># numResponses: 2
>># numEntries: 1
>>
>>
>>Martin
>
>

-- 
/ Alexander Bokovoy
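A pre-migration check, added here as an example and not part of the thread or of FreeIPA itself: it audits an LDIF export of the source directory (taken with the same bind DN that migrate-ds will use) and reports which users have no readable userPassword, since those are exactly the entries that end up without a password in IPA and fail simple bind with err=48. The LDIF, uids and hash values below are constructed.

```python
import base64
from typing import Dict, List

# Constructed sample export: alice and carol expose a hashed userPassword,
# bob does not (what an ACL that hides userPassword from the migration
# bind DN looks like). None of the hash values are real.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=test\n"
    "uid: alice\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}not-a-real-hash").decode() + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=test\n"
    "uid: bob\n"
    "objectClass: inetOrgPerson\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=test\n"
    "uid: carol\n"
    "userPassword: {CRYPT}$6$saltsalt$not-a-real-hash\n"
)

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader for ldapsearch -x output: folds continuation
    lines, decodes '::' base64 values, skips '#' comments. Not a full
    RFC 2849 parser (no changetype/modify records)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # sentinel flushes last entry
        if line == "":
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return entries

def password_scheme(value: str) -> str:
    """Return the {SCHEME} prefix of a hashed userPassword, or 'cleartext'."""
    return value[: value.index("}") + 1] if value.startswith("{") and "}" in value else "cleartext"

def audit(text: str) -> Dict[str, str]:
    """Map each uid to its password scheme, or 'MISSING' when the export
    carries no userPassword for that user."""
    report = {}
    for entry in parse_ldif(text):
        pw = entry.get("userPassword")
        report[entry.get("uid", ["?"])[0]] = password_scheme(pw[0]) if pw else "MISSING"
    return report

if __name__ == "__main__":
    for uid, status in audit(SAMPLE_LDIF).items():
        print(f"{uid}: {status}")
```

Run it against the real export (`ldapsearch -x -D <migration bind DN> -W -b <user base> uid userPassword`) before migrate-ds; any MISSING line means the bind DN cannot read that user's hash and the migration will silently produce a user with no password.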
