[Freeipa-users] User, keytab, password and ldap

bahan w bahanw042014 at gmail.com
Wed Sep 23 14:32:39 UTC 2015


Hello !

I'm using IPA 3.0.0 and I have a problem with one of the users I created:
user3.

I created this user with the command ipa user-add without specifying any
password.
Then I performed an ipa-getkeytab command with the -P option to have a
keytab and a password.

When I check the ldap server with the following command, I cannot find any
"userpassword" field for this user.
ldapsearch -v -x -D 'cn=Directory Manager' -W -h <IPASERVER> -p <PORT>

###
# user3, users, accounts, myrealm
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
displayName: user3 user3
cn: user3 user3
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
sn: user3
gecos: user3 user3
homeDirectory: /home/user3
krbPwdPolicyReference: cn=pwp_users,cn=MYREALM,cn=kerberos,dc=myrealm
krbPrincipalName: user3 at MYREALM
givenName: user3
uid: user3
initials: uu
ipaUniqueID: 5dbc0e78-5884-11e5-a8a0-00505695d2c7
uidNumber: <UIDUSER3>
gidNumber: <GIDUSER3>
memberOf: cn=defaultgroup,cn=groups,cn=accounts,dc=myrealm
memberOf: cn=pwp_users,cn=groups,cn=accounts,dc=myrealm
mepManagedEntry: cn=user3,cn=groups,cn=accounts,dc=myrealm
krbLastPwdChange: 20150923134438Z
krbPrincipalKey:: <BLABLABLA>
krbExtraData:: AALGrAJWYV9hcHBfcmpkbUBCREZJTlQxAA==
krbLastSuccessfulAuth: 20150923120752Z
krbLastFailedAuth: 20150923132257Z
krbLoginFailedCount: 1
###

Then, with an admin ticket, I performed an ipa passwd user3 and I set a
one-time password.
Then I connected with user3 and he was able to change his one-time password
to something else.
And when I retried the ldapsearch command, the field userpassword was there.
But the keytab is not working anymore.

So here is my question:
How can I generate a user with a keytab, a password and the userpassword
field in the LDAP?

The ipa-getkeytab -P option allows me to have both the keytab and the password,
but as the field userpassword is missing in the LDAP, some other tools
using LDAP backend authentication do not work for this user.

Best regards.

Bahan
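The condition described in this post (a user whose entry carries a Kerberos key but no userPassword, so keytab/kinit works while LDAP simple binds fail) can be spotted across a directory dump. The following audit helper is an added example, not code from the post or from FreeIPA; it parses ldapsearch LDIF output and classifies each user entry. The sample LDIF is constructed, with placeholder values.

```python
"""Added audit helper (not from the post): parse an ldapsearch LDIF dump and
flag IPA users that hold a krbPrincipalKey but no userPassword attribute."""
import base64

SAMPLE_LDIF = """\
# user3, users, accounts, myrealm  (constructed sample, placeholder values)
dn: uid=user3,cn=users,cn=accounts,dc=myrealm
uid: user3
krbPrincipalKey:: AAAA

dn: uid=user4,cn=users,cn=accounts,dc=myrealm
uid: user4
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: AAAA
"""

def parse_ldif(text):
    """One {attr_lowercase: [values]} dict per entry; handles '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):            # ldapsearch comment line
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64 ('attr:: ...') form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def credential_state(entry):
    """'kerberos-only' = keytab/kinit works but an LDAP simple bind cannot."""
    has_krb, has_pw = "krbprincipalkey" in entry, "userpassword" in entry
    if has_krb:
        return "both" if has_pw else "kerberos-only"
    return "password-only" if has_pw else "none"

def audit(text):
    """Map uid -> credential state for every user entry in an LDIF dump."""
    return {e["uid"][0]: credential_state(e) for e in parse_ldif(text) if "uid" in e}
```

Feed it the output of the ldapsearch command from the post (restricted to the users container) to list every account in the "kerberos-only" state.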