[Freeipa-users] question about password migration from ldap

David Lin linhai88 at stanford.edu
Thu May 28 10:59:00 UTC 2015


Thanks, that seemed to fix it.

David


On 05/28/2015 03:31 AM, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, David Lin wrote:
>> hum, seems like the migrated users do not have the userPassword
>> attribute.  Is there any way to fix this?
> Did you actually have access to the userPassword attribute in OpenLDAP
> when the migrate-ds command was running? All of this is described in the 'ipa
> migrate-ds --help' output.
>
> You cannot add the userPassword attribute in hashed form after the object
> was created in IPA. It can only be set when a new user record is created
> in the migration mode.
>
>>
>> Thanks!
>> David
>>
>> On 05/28/2015 03:13 AM, Martin Kosek wrote:
>>> On 05/28/2015 11:47 AM, David Lin wrote:
>>>> Hi,
>>>> I am trying to migrate from OpenLDAP to FreeIPA.  Everything seems to
>>>> be working except the password. I understand that when migrating from
>>>> OpenLDAP, the hashed form of the passwords is migrated, but a Kerberos
>>>> hash is not generated until the user logs in using SSSD or through the
>>>> ipa/migration web UI.  However, the users are not able to log in in
>>>> either form using their existing password. From the directory server
>>>> log, the only weird thing I see is
>>>>
>>>> [28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>>>> [28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
>>>> [28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]" method=128 version=3
>>>> [28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
>>>> [28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
>>>> [28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1
>>>>
>>>> What does err=48 mean?
>>>>
>>>> I do have
>>>> ipa config-mod --enable-migration=TRUE
>>> 48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
>>> http://www.zytrax.com/books/ldap/ch12/
>>>
>>> Do the migrated users have the userPassword attribute? You can check on the
>>> user with:
>>>
>>> # ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b "uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: uid userPassword
>>> #
>>>
>>> # admin, users, accounts, f21
>>> dn: uid=admin,cn=users,cn=accounts,dc=f21
>>> uid: admin
>>> userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>>
>>> Martin
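To make the diagnosis in this thread repeatable, here is an added example (not from the thread or the FreeIPA project) that walks a 389-ds access log, pairs each BIND with the RESULT line of the same conn/op, and lists DNs whose simple bind failed with err=48 (inappropriateAuthentication), the symptom of a migrated entry with no userPassword. The log lines, DNs and timestamps are constructed placeholders modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of a 389-ds access log, modelled on the lines quoted in
# the thread; DNs and timestamps are placeholders, not real data.
SAMPLE_LOG = """\
[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:05 -0700] conn=113 op=0 BIND dn="uid=bob,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[28/May/2015:02:40:05 -0700] conn=113 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[28/May/2015:02:40:06 -0700] conn=114 op=0 BIND dn="uid=alice,cn=users,cn=accounts,dc=example,dc=test" method=128 version=3
[28/May/2015:02:40:06 -0700] conn=114 op=0 RESULT err=48 tag=97 nentries=0 etime=0
"""

# Standard LDAP result codes (RFC 4511) most often seen on failed binds.
RESULT_CODES = {0: "success", 48: "inappropriateAuthentication",
                49: "invalidCredentials"}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def bind_results(log_text):
    """Pair each BIND with the RESULT of the same conn/op; returns [(dn, err), ...]."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            results.append((pending.pop((m.group(1), m.group(2))), int(m.group(3))))
    return results

def inappropriate_auth_dns(log_text):
    """Count err=48 (inappropriateAuthentication) bind results per DN."""
    # After migrate-ds, such a DN most likely has no userPassword attribute.
    counts = defaultdict(int)
    for dn, err in bind_results(log_text):
        if err == 48:
            counts[dn] += 1
    return dict(counts)

if __name__ == "__main__":
    for dn, err in bind_results(SAMPLE_LOG):
        print(f"{dn}: err={err} ({RESULT_CODES.get(err, 'unknown')})")
```

Each DN reported by inappropriate_auth_dns is a candidate for the ldapsearch check Martin shows above; since the hash cannot be added afterwards, such users need to be re-created in migration mode or have a password set.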