Hello the list,


The next terrible bad thing our customer service model says we'd like to do
with FreeIPA is set user passwords from our customer management system. It's
not AD and it's not LDAP. It does have a store of salted hashed sha512


I have set the FreeIPA directory in migration mode as per


We are able to add new users (with add-user) and set their password with
--setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong


The previous bit is working. The next bit is not.


We have a bunch of users in the directory who were created before we enabled
this feature in user creation, and another bunch who have not yet generated
a password hash. These users have no password set in FreeIPA. Our script is
capable of figuring out if an account's hasPassword attribute is True or


We'd like to set these users' passwords if they are not already set, but:


ipa user-mod username --setattr

ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid


We get the same response when we kinit as admin or a user with the System:
Change User password permission.


Is there a specific configuration mode option or account attribute that
allows this to work?




Aaron Hicks


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org