[Freeipa-users] Bypass pre-hashed passwords verification

Sébastien Julliot julliot at ljll.math.upmc.fr
Mon Jul 25 12:00:30 UTC 2016


Looks like I spoke too fast. Using ldappasswd, no problems with ldap
queries.

But kinit rejects my password ..


On 25/07/2016 at 11:58, Sébastien Julliot wrote:
> Hello Rob,
>
> The indicated method was unsuccessful, but I found another way to do it :)
>
> Here is a summary of my unsuccessful tests:
> ➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
> -------------------------------
> Utilisateur « testuser » ajouté
> -------------------------------
>
> Now I am able to log in as testuser. Yet, despite having added admin
> as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config
> ➜  ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> passsyncmanagersdns: cn=Directory Manager
> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>
> I still get an error when trying to set pre-hashed passwords:
> ➜  ~ cat change_testuser_passwd.ldif
> dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
> changetype: modify
> replace: userpassword
> userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
> ➜  ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
> Enter LDAP Password:
> modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
> ldap_modify: Constraint violation (19)
>     additional info: Pre-Encoded passwords are not valid
>
> However, I noted that using ldappasswd does the job, even without
> having set passSyncManagerDNs.
>
> It is not as clean as if I could have used the FreeIPA API to change
> passwords, but for lack of a better option, it will do the job.
>
> On 22/07/2016 at 20:47, Rob Crittenden wrote:
>> Sébastien Julliot wrote:
>>> Hi Petr,
>>>
>>>
>>> Thanks for the documentation. I had already followed the steps from
>>> the NIS migration page; it works, but does not solve my problem, which
>>> is to change *already existing users'* passwords.
>>>
>>> When trying
>>>
>>> ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>>
>>> I get "Pre-Encoded passwords are not valid"
>>
>> Look at the first link Petr sent you. There is a password sync
>> manager setting that should be able to insert pre-hashed passwords.
>>
>> rob
>>
>>>
>>>
>>>
>>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>>> Hello everyone,
>>>>>
>>>>> I am currently trying to deploy FreeIPA as the new IdM system in my
>>>>> university but came across a problem I could not solve yet. I need to
>>>>> bypass the pre-hashed password verification, not only on user
>>>>> creation.
>>>>>
>>>>> Due to several constraints, our workflow involves periodically (once a
>>>>> day, currently) receiving an LDIF file containing the users'
>>>>> up-to-date information (including hashed passwords) and inserting this
>>>>> information into the IdM. As our goal is to unify users' passwords in
>>>>> the university but we do not have access to the higher-level LDAP
>>>>> directly, we have injected these pre-hashed passwords directly into
>>>>> the LDAP until today.
>>>>>
>>>>> Yet, every attempt I made to update users' passwords with pre-hashed
>>>>> passwords has failed so far.
>>>>>
>>>>> First I tried this (migration mode enabled):
>>>>>
>>>>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>>>>
>>>>> OK
>>>>>
>>>>> ➜  ~ kinit testuser
>>>>>
>>>>> kinit: Generic preauthentication failure while getting initial credentials
>>>>>
>>>>> As expected from the documentation, it does not work :p
>>>>>
>>>>> I then thought about trying to copy the migration plug-in, and change
>>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>>> server). Since this plugin is able to  But again, even binding as
>>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>>> me (I tested my code without the userPassword field and the users are
>>>>> correctly inserted).
>>>>>
>>>>> Here is my code:
>>>>>
>>>>> import ldif                                  # LDIF parser from python-ldap
>>>>> import ipalib
>>>>> from ipapython.dn import DN
>>>>> from ipaserver.plugins.ldap2 import ldap2
>>>>>
>>>>> class ldif_importer(ldif.LDIFParser):
>>>>>     '''Push every record of test.ldif into the directory via ldap2'''
>>>>>     def __init__(self, ldap_backend):
>>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>>         self.ldap = ldap_backend
>>>>>
>>>>>     def handle(self, dn, entry):
>>>>>         # called by parse() once per record; entry is {attr: [values]}
>>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>>
>>>>> class my_backend(ipalib.Backend):
>>>>>     '''Backend to import ldap passwords from ldif'''
>>>>>
>>>>>     def __init__(self, api):
>>>>>         ipalib.Backend.__init__(self, api)
>>>>>         self.ldap = ldap2(self.api)
>>>>>         # bind as Directory Manager (password masked here)
>>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>>                           bind_pw='***********')
>>>>>
>>>>>     def parse(self):
>>>>>         importer = ldif_importer(self.ldap)
>>>>>         importer.parse()
>>>>>
>>>>> class my_command(ipalib.Command):
>>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>>
>>>>>     def execute(self, **options):
>>>>>         '''Implemented against my_backend'''
>>>>>         self.Backend.my_backend.parse()
>>>>>         return {'result': 'everything OK'}
>>>>>
>>>>>
>>>>> Should one of these methods have worked, and did I do it incorrectly?
>>>>> Otherwise, what would be the lower-impact solution to achieve this?
>>>>> (Yes, I understand the security concerns about sending password
>>>>> hashes on the network, but this choice does not depend on me)
>>>>>
>>>>> Many thanks in advance,
>>>>> Sebastien.
>>>>>
>>>> The issue might be that the user has his userPassword migrated but he
>>>> doesn't have a krbPrincipalKey generated. If the Kerberos key is missing,
>>>> it is automatically generated on a successful LDAP bind (that is what the
>>>> ipa/migration page does).
>>>>
>>>> Additional info which might interest you:
>>>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>>
>>>>
>>>
>>
>
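An added example, not code from the thread: a small Python reader for the LDIF shape posted above that decodes the `::` base64 attribute form and flags the records whose userPassword is pre-encoded, i.e. the modifications ipa_pwd_extop rejects with "Pre-Encoded passwords are not valid" unless the bind DN is listed in passSyncManagersDNs. The first record is the thread's change_testuser_passwd.ldif; the second record and its "otheruser" DN are constructed.

```python
import base64
def parse_ldif(text):
    """Minimal RFC 2849 reader: blank lines separate records, a leading space
    continues the previous line, 'attr:: v' is base64 (as in the thread's LDIF)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current: records.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return records

def password_scheme(value):
    """RFC 2307 scheme of a pre-encoded userPassword ('MD5', 'SSHA', ...), else None."""
    return value[1:value.index("}")].upper() if value.startswith("{") and "}" in value else None

def pre_encoded_entries(text):
    """dn -> scheme for each record whose userPassword is pre-encoded, i.e. the writes
    ipa_pwd_extop rejects unless the bind DN is listed in passSyncManagersDNs."""
    flagged = {}
    for rec in parse_ldif(text):
        for pw in rec.get("userpassword", []):
            if password_scheme(pw):
                flagged[rec["dn"][0]] = password_scheme(pw)
    return flagged

# First record copied from the thread; second record is constructed (clear text).
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

dn: uid=otheruser,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userpassword
userpassword: clear-text-example
"""
```

Running `pre_encoded_entries(SAMPLE_LDIF)` before a daily import shows which entries will need the bind DN to be a password sync manager.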
