[Freeipa-users] Bypass pre-hashed passwords verification

Rob Crittenden rcritten at redhat.com
Fri Jul 22 18:47:04 UTC 2016


Sébastien Julliot wrote:
> Hi Petr,
>
>
> Thanks for the documentation. I had already followed the steps from the
> NIS migration page; it works, but does not solve my problem, which is to
> change *already existing users'* passwords.
>
> When trying
>
> ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>
> I get "Pre-Encoded passwords are not valid"

Look at the first link Petr sent you. There is a password sync manager 
setting that should be able to insert pre-hashed passwords.

rob

>
>
>
> Le 22/07/2016 à 15:08, Petr Vobornik a écrit :
>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>> Hello everyone,
>>>
>>> I am currently trying to deploy FreeIPA as the new idm system in my
>>> university but came across a problem I could not solve yet. I need to
>>> bypass the pre-hashed passwords verification, not only on user creation.
>>>
>>> Due to several constraints, our workflow involves periodically (once a
>>> day, currently) receiving an ldif file containing the users' up-to-date
>>> information (including hashed passwords) and inserting this
>>> information into the idm. As our goal is to unify users' passwords in
>>> the university but we do not have access to the higher-level LDAP directly,
>>> we injected these pre-hashed passwords directly into the LDAP until today.
>>>
>>> Yet, every attempt I made to update users' passwords with pre-hashed
>>> passwords has failed so far.
>>>
>>> First I tried this (migration mode enabled):
>>>
>>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>>
>>> /*OK*/
>>>
>>> ➜  ~ kinit testuser
>>>
>>> kinit: Generic preauthentication failure while getting initial credentials
>>>
>>> As expected from the documentation, it does not work :p
>>>
>>> I then thought about trying to copy the migration plug-in, and change
>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>> server). Since this plugin is able to But again, even binding as
>>> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
>>> tested my code without the userPassword field and the users are
>>> correctly inserted).
>>>
>>> Here is my code:
>>>
>>> import ldif                                  # python-ldap's LDIF parser
>>> import ipalib
>>> from ipalib import Registry
>>> from ipapython.dn import DN
>>> from ipaserver.plugins.ldap2 import ldap2
>>>
>>> register = Registry()                        # registers both plugins with the ipa framework
>>>
>>> class ldif_importer(ldif.LDIFParser):
>>>     '''Feed every entry of test.ldif to the given ldap2 backend'''
>>>
>>>     def __init__(self, ldap_backend):
>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>         self.ldap = ldap_backend
>>>
>>>     def handle(self, dn, entry):
>>>         # called once per LDIF entry; entry is {attr: [values]}
>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>
>>> @register()
>>> class my_backend(ipalib.Backend):
>>>     '''Backend to import ldap passwords from ldif'''
>>>
>>>     def __init__(self, api):
>>>         ipalib.Backend.__init__(self, api)
>>>         self.ldap = ldap2(self.api)
>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***********')
>>>
>>>     def parse(self):
>>>         importer = ldif_importer(self.ldap)
>>>         importer.parse()
>>>
>>> @register()
>>> class my_command(ipalib.Command):
>>>     '''Command calling my_backend to import passwords from ldif'''
>>>
>>>     def execute(self, **options):
>>>         '''Implemented against my_backend'''
>>>         self.Backend.my_backend.parse()
>>>         return {'result': 'everything OK'}
>>>
>>>
>>> Should one of these methods have worked, and I did it incorrectly?
>>> Otherwise, what would be the lower-impact solution to achieve this?
>>> (Yes, I understand the security concerns about sending password hashes
>>> over the network, but this choice does not depend on me)
>>>
>>> Many thanks in advance,
>>> Sebastien.
>>>
>> The issue might be that the user has his userPassword migrated but he
>> doesn't have a krbPrincipalKey generated. If the Kerberos key is missing, it
>> is automatically generated on a successful LDAP bind (that's what the
>> ipa/migration page does).
>>
>> Additional info which might interest you:
>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>
>
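As an added example (not code from the thread or from FreeIPA), the stdlib-only script below turns the daily export into LDIF `changetype: modify` records for existing users, so the password replacement can be applied with ldapmodify bound as a configured password-sync manager (Rob's pointer) instead of through `ipa user-mod`; it also refuses malformed hashes rather than replacing a working password with garbage. The sample export, its DNs and the base DN are constructed, and the target container `cn=users,cn=accounts,<basedn>` is FreeIPA's standard user container.

```python
import base64
import re
UNSALTED_DIGEST_LEN = {"MD5": 16, "SHA": 20}  # RFC 2307 unsalted schemes; salted ones append a salt
# Constructed sample of the daily export; the MD5 value is 16 zero bytes, not a real credential.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=univ,dc=example
uid: testuser
userPassword: {MD5}AAAAAAAAAAAAAAAAAAAAAA==

dn: uid=broken,ou=people,dc=univ,dc=example
uid: broken
userPassword: {MD5}not-base64!
"""

def parse_ldif(text):
    # Minimal reader: join folded lines, split records on blank lines, lower-case attribute names
    entries = []
    for record in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, _, val = line.partition(":")
            attrs.setdefault(key.lower(), []).append(val.strip())
        entries.append((attrs["dn"][0], attrs))
    return entries

def hash_is_well_formed(value):
    # "{SCHEME}base64" shape and, for unsalted MD5/SHA, the right digest size (salted schemes add a salt)
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}([A-Za-z0-9+/]+={0,2})", value)
    if not m:
        return False
    try:
        digest = base64.b64decode(m.group(2), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = UNSALTED_DIGEST_LEN.get(m.group(1).upper())
    return expected is None or len(digest) == expected

def build_modify_records(text, basedn):
    # Emit modify records retargeted at FreeIPA's user container. Applying them needs a bind as a
    # password-sync manager DN or migration mode; krbPrincipalKey still appears only at the user's next bind.
    records, skipped = [], []
    for dn, attrs in parse_ldif(text):
        pw = attrs.get("userpassword", [None])[0]  # None: nothing to sync for this user
        if pw is not None and hash_is_well_formed(pw):
            records.append("dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\n"
                           "replace: userPassword\nuserPassword: %s\n" % (attrs["uid"][0], basedn, pw))
        elif pw is not None:
            skipped.append(dn)  # malformed hash: leave the existing IPA password alone
    return "\n".join(records), skipped
```

Feed the returned records to `ldapmodify` on the IPA server; the `skipped` list is what to report back to whoever produces the export.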
