[Freeipa-users] Bypass pre-hashed passwords verification
Sébastien Julliot
julliot at ljll.math.upmc.fr
Mon Jul 25 09:58:49 UTC 2016
Hello Rob,
The indicated method was unsuccessful, but I found another way to do it :)
Here is a summary of my unsuccessful tests:
➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
-------------------------------
Utilisateur « testuser » ajouté
-------------------------------
Now I am able to log in as testuser. Yet, despite having added admin as
a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config
➜ ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: cn=Directory Manager
passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
I still get an error when trying to set pre-hashed passwords:
➜ ~ cat change_testuser_passwd.ldif
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
➜ ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
Enter LDAP Password:
modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
ldap_modify: Constraint violation (19)
additional info: Pre-Encoded passwords are not valid
However, I noted that using ldappasswd does the job, even without
having set passSyncManagerDNs.
It is not as clean as if I could have used the FreeIPA API to change
passwords, but for lack of anything better, it will do the job.
On 22/07/2016 at 20:47, Rob Crittenden wrote:
> Sébastien Julliot wrote:
>> Hi Petr,
>>
>>
>> Thanks for the documentation. I had already followed the steps from the
>> NIS migration page; it works, but does not solve my problem, which is to
>> change *already existing users'* passwords.
>>
>> When trying
>>
>> ipa user-mod testuser --setattr
>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>
>> I get "Pre-Encoded passwords are not valid"
>
> Look at the first link Petr sent you. There is a password sync manager
> setting that should be able to insert pre-hashed passwords.
>
> rob
>
>>
>>
>>
>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>> Hello everyone,
>>>>
>>>> I am currently trying to deploy FreeIPA as the new IdM system in my
>>>> university but came across a problem I could not solve yet. I need to
>>>> bypass the pre-hashed password verification, not only on user
>>>> creation.
>>>>
>>>> Due to several constraints, our workflow involves periodically (once a
>>>> day, currently) receiving an LDIF file containing the users' up-to-date
>>>> information (including hashed passwords) and inserting this
>>>> information into the IdM. As our goal is to unify users' passwords in
>>>> the university but we do not have access to the higher-level LDAP
>>>> directly, we injected these pre-hashed passwords directly into the LDAP
>>>> until today.
>>>>
>>>> Yet, every attempt I made to update users passwords with pre-hashed
>>>> passwords failed for now.
>>>>
>>>> First I tried this (migration mode enabled):
>>>>
>>>> ➜ ~ ipa user-add testuser --first=test --last=user --setattr
>>>> userpassword='{MD5}*********************'
>>>>
>>>> *OK*
>>>>
>>>> ➜ ~ kinit testuser
>>>>
>>>> kinit: Generic preauthentication failure while getting initial
>>>> credentials
>>>>
>>>> As expected from the documentation, it does not work :p
>>>>
>>>> I then thought about trying to copy the migration plug-in, and change
>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>> server). Since this plugin is able to But again, even binding as
>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>> me (I tested my code without the userPassword field and the users are
>>>> correctly inserted).
>>>>
>>>> Here is my code:
>>>>
>>>> # imports the snippet relies on (module paths as in FreeIPA 4.x and
>>>> # python-ldap; they were not part of the original message)
>>>> import ldif
>>>> import ipalib
>>>> from ipapython.dn import DN
>>>> from ipaserver.plugins.ldap2 import ldap2
>>>>
>>>> class ldif_importer(ldif.LDIFParser):
>>>>     def __init__(self, ldap_backend):
>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>         self.ldap = ldap_backend
>>>>
>>>>     def handle(self, dn, entry):
>>>>         # called once per LDIF record; insert it through the ipa backend
>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>
>>>> class my_backend(ipalib.Backend):
>>>>     '''Backend to import ldap passwords from ldif'''
>>>>
>>>>     def __init__(self, api):
>>>>         ipalib.Backend.__init__(self, api)
>>>>         self.ldap = ldap2(self.api)
>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>                           bind_pw='***********')
>>>>
>>>>     def parse(self):
>>>>         importer = ldif_importer(self.ldap)
>>>>         importer.parse()
>>>>
>>>> class my_command(ipalib.Command):
>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>
>>>>     def execute(self, **options):
>>>>         '''Implemented against my_backend'''
>>>>         self.Backend.my_backend.parse()
>>>>         return {'result': 'everything OK'}
>>>>
>>>>
>>>> Should one of these methods have worked, and I did it incorrectly?
>>>> Otherwise, what would be the lower-impact solution to achieve this?
>>>> (Yes, I understand the security concerns about sending password
>>>> hashes on the network but this choice does not depend on me)
>>>>
>>>> Many thanks in advance,
>>>> Sebastien.
>>>>
>>> The issue might be that the user has his userPassword migrated but
>>> doesn't have a krbPrincipalKey generated. If the Kerberos key is missing
>>> then it is automatically generated on a successful LDAP bind (it's what
>>> the ipa/migration page does)
>>>
>>> Additional info which might interest you:
>>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>
>>
>
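As an added example (not part of this thread or of FreeIPA), the pre-import check the daily LDIF feed described above invites: a stdlib-only Python reader that decodes `::` base64 values like the one in change_testuser_passwd.ldif and reports which records carry pre-encoded userPassword values, i.e. the ones ipa_pwd_extop answers with "Pre-Encoded passwords are not valid" and that, as Petr notes, leave the user without a Kerberos key until a successful bind with the plaintext. The sample LDIF, its DNs and the {SSHA} value are constructed.

```python
import base64

# Constructed sample: the first record reuses the base64 ('::') form from
# change_testuser_passwd.ldif above; the other two records are made up.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
userPassword: {SSHA}c29tZXNhbHRlZGhhc2g=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
userPassword: correct horse battery staple
"""

def parse_ldif(text):
    """Minimal LDIF reader (folded lines, 'attr: value', base64 'attr:: value') -> list of {attr: [values]}."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last record
        if raw.startswith(" ") and lines:       # folded continuation line
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
        elif lines:                             # blank line closes a record
            entry = {}
            for line in lines:
                name, _, value = line.partition(":")
                if value.startswith(":"):       # 'attr:: <base64>'
                    value = base64.b64decode(value[1:].strip()).decode()
                else:
                    value = value.strip()
                entry.setdefault(name.lower(), []).append(value)
            entries.append(entry)
            lines = []
    return entries

def password_scheme(value):
    """RFC 2307 scheme tag ('MD5', 'SSHA', ...) of a pre-encoded value, else None."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None

def audit_ldif(text):
    """(dn, scheme) per userPassword value. A scheme means the value is pre-encoded:
    ipa_pwd_extop rejects it ('Pre-Encoded passwords are not valid'), and a user whose
    hash does get in has no Kerberos key until they bind once with the plaintext."""
    return [(e["dn"][0], password_scheme(v))
            for e in parse_ldif(text) for v in e.get("userpassword", [])]
```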