[Freeipa-users] Bypass pre-hashed passwords verification

Petr Spacek pspacek at redhat.com
Mon Jul 25 12:57:54 UTC 2016


On 25.7.2016 14:00, Sébastien Julliot wrote:
> Looks like I spoke too fast. Using ldappasswd, no problems with ldap
> queries.
> 
> But kinit rejects my password ..

AFAIK this works only for LDAP ADD operation. Rob, do you remember?

Petr^2 Spacek

> On 25/07/2016 at 11:58, Sébastien Julliot wrote:
>> Hello Rob,
>>
>> The indicated method was unsuccessful, but I found another way to do it :)
>>
>> Here is a summary of my unsuccessful tests:
>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
>> -------------------------------
>> Utilisateur « testuser » ajouté
>> -------------------------------
>>
>> Now I am able to log in as testuser. Yet, despite having added admin
>> as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config
>> ➜  ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
>> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> passsyncmanagersdns: cn=Directory Manager
>> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>>
>> I still get an error when trying to set pre-hashed passwords:
>> ➜  ~ cat change_testuser_passwd.ldif
>> dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>> changetype: modify
>> replace: userpassword
>> userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
>> ➜  ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
>> Enter LDAP Password:
>> modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
>> ldap_modify: Constraint violation (19)
>>     additional info: Pre-Encoded passwords are not valid
>>
>> However, I noted that using ldappasswd does the job, even without
>> having set passSyncManagerDNs.
>>
>> It is not as clean as if I could have used the FreeIPA API to change
>> passwords, but for lack of a better option, it will do the job.
>>
>> On 22/07/2016 at 20:47, Rob Crittenden wrote:
>>> Sébastien Julliot wrote:
>>>> Hi Petr,
>>>>
>>>>
>>>> Thanks for the documentations. I already had followed the steps from
>>>> the
>>>> NIS migration page, it works, but does not solve my problem, which
>>>> is to
>>>> change *already existing users* passwords.
>>>>
>>>> When trying
>>>>
>>>> ipa user-mod testuser --setattr
>>>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>>>
>>>> I get "Pre-Encoded passwords are not valid"
>>>
>>> Look at the first link Petr sent you. There is a password sync
>>> manager setting that should be able to insert pre-hashed passwords.
>>>
>>> rob
>>>
>>>>
>>>>
>>>>
>>>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am currently trying to deploy FreeIPA as the new idm system in my
>>>>>> university but came across a problem I could not solve yet. I need to
>>>>>> bypass the pre-hashed passwords verification, not only on the user
>>>>>> creation.
>>>>>>
>>>>>> Due to several constraints, our workflow involves periodically
>>>>>> (once a
>>>>>> day, currently) receiving an ldif file containing the users'
>>>>>> up-to-date
>>>>>> information (including hashed passwords) and inserting this
>>>>>> information into the idm. As our goal is to unify users' passwords in
>>>>>> the university but we do not have access to the higher-level LDAP
>>>>>> directly,
>>>>>> we have injected these pre-hashed passwords directly into the LDAP until
>>>>>> today.
>>>>>>
>>>>>> Yet, every attempt I made to update users passwords with pre-hashed
>>>>>> passwords failed for now.
>>>>>>
>>>>>> First I tried this (migration mode enabled):
>>>>>>
>>>>>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr
>>>>>> userpassword='{MD5}*********************'
>>>>>>
>>>>>> OK
>>>>>>
>>>>>> ➜  ~ kinit testuser
>>>>>>
>>>>>> kinit: Generic preauthentication failure while getting initial
>>>>>> credentials
>>>>>>
>>>>>> As expected from the documentation, it does not work :p
>>>>>>
>>>>>> I then thought about trying to copy the migration plug-in, and change
>>>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>>>> server). Since this plugin is able to  But again, even when binding as
>>>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>>>> me (I
>>>>>> tested my code without the userPassword field and the users are
>>>>>> correctly inserted).
>>>>>>
>>>>>> Here is my code:
>>>>>>
>>>>>> import ldif                                   # python-ldap LDIF parser
>>>>>> import ipalib
>>>>>> from ipapython.dn import DN
>>>>>> from ipaserver.plugins.ldap2 import ldap2
>>>>>>
>>>>>> class ldif_importer(ldif.LDIFParser):
>>>>>>     '''Feed every record of test.ldif to the ldap2 backend'''
>>>>>>
>>>>>>     def __init__(self, ldap_backend):
>>>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>>>         self.ldap = ldap_backend
>>>>>>
>>>>>>     def handle(self, dn, entry):
>>>>>>         # called by LDIFParser.parse() once per record
>>>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>>>
>>>>>> class my_backend(ipalib.Backend):
>>>>>>     '''Backend to import ldap passwords from ldif'''
>>>>>>
>>>>>>     def __init__(self, api):
>>>>>>         ipalib.Backend.__init__(self, api)
>>>>>>         self.ldap = ldap2(self.api)
>>>>>>         # bind as Directory Manager (the password plug-in still
>>>>>>         # rejects pre-encoded userPassword values, see above)
>>>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>>>                           bind_pw='***********')
>>>>>>
>>>>>>     def parse(self):
>>>>>>         importer = ldif_importer(self.ldap)
>>>>>>         importer.parse()
>>>>>>
>>>>>> class my_command(ipalib.Command):
>>>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>>>
>>>>>>     def execute(self, **options):
>>>>>>         '''Implemented against my_backend'''
>>>>>>         self.Backend.my_backend.parse()
>>>>>>         return {'result': 'everything OK'}
>>>>>>
>>>>>>
>>>>>> Should one of these methods have worked, and I did it incorrectly?
>>>>>> Otherwise, what would be the lower-impact solution to achieve this?
>>>>>> (Yes, I understand the security concerns about sending password
>>>>>> hashes
>>>>>> on the network but this choice does not depend on me)
>>>>>>
>>>>>> Many thanks in advance,
>>>>>> Sebastien.
>>>>>>
>>>>> The issue might be that the user has his userPassword migrated but he
>>>>> doesn't have a krbPrincipalKey generated. If the Kerberos key is missing
>>>>> then
>>>>> it is automatically generated on a successful LDAP bind (this is what the
>>>>> ipa/migration page does)
>>>>>
>>>>> Additional info which might interest you:
>>>>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>>>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords


-- 
Petr^2 Spacek
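As an added example (not from this thread, and not FreeIPA or 389-ds code): a standard-library Python script that reads userPassword values out of an LDIF feed like the one discussed above, decodes the `::` base64 form that ldapmodify was given, reports which hash scheme each account would be imported with, and can verify or generate the RFC 2307 `{MD5}`, `{SHA}` and `{SSHA}` values such a feed carries. The sample LDIF is constructed: the suffix dc=example,dc=test is a placeholder, the `{MD5}` value is the one from the thread, and the cleartext second record is made up. The point for an importer is that unsalted `{MD5}` (what the feed in the thread contains) and cleartext entries can be flagged at import time, so those accounts can be scheduled for a password change once the migration is done.

```python
"""Audit and verify RFC 2307-style userPassword values found in an LDIF feed.
Example code added to this thread; uses only the Python standard library."""
import base64
import hashlib
import hmac
import os

# Constructed sample feed: the modify LDIF from the thread (its own {MD5}
# value, base64-encoded as ldapmodify saw it) plus a made-up cleartext entry.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

dn: uid=other,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
replace: userpassword
userpassword: constructed-cleartext
"""


def parse_ldif(text):
    """Minimal LDIF reader (RFC 2849): yields (attribute name, raw bytes).
    'name:: v' is base64, 'name: v' is plain; a line starting with one
    space continues the previous line; blank and '#' lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    for line in logical:
        if not line or line.startswith('#'):
            continue
        name, sep, rest = line.partition(':')
        if not sep:
            continue
        if rest.startswith(':'):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode('utf-8')
        yield name.strip().lower(), value


def split_scheme(stored):
    """b'{SSHA}base64' -> ('SSHA', decoded digest bytes); no prefix -> (None, value)."""
    if stored.startswith(b'{') and b'}' in stored:
        scheme, _, b64 = stored[1:].partition(b'}')
        return scheme.decode('ascii').upper(), base64.b64decode(b64)
    return None, stored


_UNSALTED = {'MD5': hashlib.md5, 'SHA': hashlib.sha1}


def make_userpassword(password, scheme='SSHA', salt=None):
    """Build a userPassword value. SSHA is SHA-1(password || salt) || salt."""
    data = password.encode('utf-8')
    scheme = scheme.upper()
    if scheme == 'SSHA':
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(data + salt).digest() + salt
    elif scheme in _UNSALTED:
        digest = _UNSALTED[scheme](data).digest()
    else:
        raise ValueError('unsupported scheme: ' + scheme)
    return b'{' + scheme.encode('ascii') + b'}' + base64.b64encode(digest)


def verify_userpassword(stored, password):
    """Check a candidate password against a stored value (constant-time compare)."""
    scheme, raw = split_scheme(stored)
    data = password.encode('utf-8')
    if scheme is None:                       # cleartext userPassword
        return hmac.compare_digest(raw, data)
    if scheme == 'SSHA':                     # 20-byte SHA-1 digest, then the salt
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(data + salt).digest())
    if scheme in _UNSALTED:
        return hmac.compare_digest(raw, _UNSALTED[scheme](data).digest())
    raise ValueError('unsupported scheme: ' + scheme)


# Cleartext (None), unsalted digests and crypt(3) are the ones worth flagging.
LEGACY = {None, 'MD5', 'SHA', 'CRYPT'}


def audit_feed(text):
    """Return [(dn, scheme label, is_legacy)] for every userPassword in the feed."""
    findings, dn = [], None
    for name, value in parse_ldif(text):
        if name == 'dn':
            dn = value.decode('utf-8')
        elif name == 'userpassword':
            scheme, _ = split_scheme(value)
            findings.append((dn, scheme or 'CLEARTEXT', scheme in LEGACY))
    return findings


if __name__ == '__main__':
    for dn, scheme, legacy in audit_feed(SAMPLE_LDIF):
        print(('LEGACY ' if legacy else 'ok     ') + scheme.ljust(10) + dn)
```

Running the script prints one line per userPassword in the feed with its scheme and a LEGACY marker; `make_userpassword` and `verify_userpassword` are there so the same script can be used to check that a value from the feed really matches a known password before it is imported, or to produce an `{SSHA}` value for a test account.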



