Hello the list,

The next terrible bad thing our customer service model says we'd like to do
with FreeIPA is set user passwords from our customer management system. It's
not AD and it's not LDAP. It does have a store of salted hashed sha512
passwords.

I have set the FreeIPA directory in migration mode as per
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

We are able to add new users (with add-user) and set their password with
--setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

The previous bit is working. The next bit is not.

We have a bunch of users in the directory who were created before we enabled
this feature in user creation, and another bunch who have not yet generated
a password hash. These users have no password set in FreeIPA. Our script is
capable of figuring out if an account's hasPassword attribute is True or
False.

We'd like to set these users' passwords if they are not already set, but:

ipa user-mod username --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid

We get the same response when we kinit as admin or a user with the System:
Change User password permission.

Is there a specific configuration mode option or account attribute that
allows this to work?

Regards,

Aaron Hicks

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
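
An added example, not part of the original post or of FreeIPA: a pre-flight check for the user-creation path the post reports as working, which validates a `$6$` SHA-512 crypt string exported from another system before it is handed to `ipa user-add --setattr userpassword={crypt}...`. The function names, the sample hash and the conservative salt alphabet are assumptions made here.

```python
import re

# SHA-512 crypt layout: $6$[rounds=N$]salt$digest
# Assumption: salt limited to 1-16 chars of the crypt alphabet (conservative).
_B64 = r"[./0-9A-Za-z]"
_SHA512_CRYPT = re.compile(
    r"\$6\$(?:rounds=(?P<rounds>[1-9][0-9]{3,8})\$)?"
    r"(?P<salt>" + _B64 + r"{1,16})\$(?P<digest>" + _B64 + r"{86})"
)

# Constructed sample value, not a real password hash.
SAMPLE = "$6$constructedsalt$" + "a1B2./" * 14 + "cd"


def parse_sha512_crypt(value):
    """Return (rounds, salt, digest) or raise ValueError."""
    m = _SHA512_CRYPT.fullmatch(value)  # fullmatch rejects a trailing newline
    if m is None:
        raise ValueError("not a well-formed SHA-512 crypt string")
    rounds = int(m["rounds"]) if m["rounds"] else 5000  # crypt default rounds
    return rounds, m["salt"], m["digest"]


def user_add_argv(login, first, last, crypt_hash):
    """Build the argument list for `ipa user-add` with a pre-hashed password."""
    parse_sha512_crypt(crypt_hash)
    if not login or login.startswith("-"):
        raise ValueError("login must not be empty or look like an option")
    return [
        "ipa", "user-add", login,
        "--first=" + first, "--last=" + last,
        "--setattr", "userpassword={crypt}" + crypt_hash,
    ]


if __name__ == "__main__":
    # Pass the list to subprocess.run() without shell=True so that "$6$..."
    # is never subject to shell variable expansion.
    print(user_add_argv("jdoe", "Jane", "Doe", SAMPLE))
```

Rejecting malformed values before the call keeps truncated or whitespace-padded exports from the customer system out of the directory.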
