On Tue, 07 Nov 2017, Aaron Hicks via FreeIPA-users wrote:
Hello the list,

The next terrible bad thing our customer service model says we'd like to do
with FreeIPA is set user passwords from our customer management system. It's
not AD and it's not LDAP. It does have a store of salted hashed sha512
passwords.

I have set the FreeIPA directory in migration mode as per
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

We are able to add new users (with add-user) and set their password with
--setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

The previous bit is working. The next bit is not.

We have a bunch of users in the directory who were created before we enabled
this feature in user creation, and another bunch who have not yet generated
a password hash. These users have no password set in FreeIPA. Our script is
capable of figuring out if an account's hasPassword attribute is True or
False.

We'd like to set these users' passwords if they are not already set, but:

ipa user-mod username --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid

We get the same response when we kinit as admin or a user with the System:
Change User password permission.

Is there a specific configuration mode option or account attribute that
allows this to work?

No, nothing would allow you to change pre-hashed passwords through the IPA
framework.

What you could do is to set them a random non-hashed password as
administrator, and thus it would force them to change the password on next
login. That's all you could do. Of course, 'next login' can be simulated
too, but you cannot do this with a hashed password.



--
/ Alexander Bokovoy
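
A sketch of the workaround suggested in the reply above, added here as an example and not part of the original thread or of FreeIPA itself: for each account the external script reports as having no password, set a random password as administrator so that the user must change it at next login. The input format (`<uid> <True|False>` per line) and the `IPA_CMD` override used for dry runs are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# IPA_CMD is a hypothetical override so the logic can be dry-run
# (e.g. IPA_CMD=echo) on a host without a FreeIPA client.
IPA_CMD="${IPA_CMD:-ipa}"

# reset_unset_passwords: read "<uid> <True|False>" lines on stdin (assumed
# output of the site's own hasPassword check) and set a random password only
# on accounts that have none. Run after `kinit admin`.
reset_unset_passwords() {
    changed=0
    while read -r uid has_password; do
        # Ignore blank lines and comments in the input list.
        case "$uid" in
            ''|\#*) continue ;;
        esac
        # Refuse names that could be read as options or contain odd characters.
        case "$uid" in
            *[!A-Za-z0-9._-]*|-*)
                echo "skipping invalid uid: $uid" >&2
                continue ;;
        esac
        # Never overwrite a password that is already set.
        [ "$has_password" = "False" ] || continue
        # The command output includes the generated password: treat it as
        # sensitive and hand it to the user over a trusted channel.
        # stdin is redirected so the command cannot consume the account list.
        if $IPA_CMD user-mod "$uid" --random </dev/null; then
            changed=$((changed + 1))
        else
            echo "failed to reset: $uid" >&2
        fi
    done
    echo "accounts reset: $changed" >&2
}

# Usage (constructed sample input):
#   printf 'alice True\nbob False\n' | reset_unset_passwords
```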