Thanks Alexander, 

This is what the source code said to me too.

I'm going to have to fall back to directly interacting with LDAP to make
this work, or set up PWM though we'd prefer an official and supported
password manager plugin for FreeIPA.



-----Original Message-----
From: Alexander Bokovoy [] 
Sent: Tuesday, 7 November 2017 7:17 PM
To: FreeIPA users list <>
Cc: Aaron Hicks <>
Subject: Re: [Freeipa-users] Using user-mod to set a hashed password

On ti, 07 marras 2017, Aaron Hicks via FreeIPA-users wrote:
>Hello the list,
>The next terrible bad thing our customer service model says we'd like 
>to do with FreeIPA is set user passwords from our customer management 
>system. It's not AD and it's not LDAP. It does have a store of salted 
>hashed sha512 passwords.
>I have set the FreeIPA directory in migration mode as per 
>We are able to add new users (with add-user) and set their password 
>with --setattr 
>The previous bit is working. The next bit is not.
>We have a bunch of users in the directory who were created before we 
>enabled this feature in user creation, and another bunch who have not 
>yet generated a password hash. These users have no password set in 
>FreeIPA. Our script is capable of figuring out if an account 
>hasPassword attribute is True or False.
>We'd like to set these user's passwords if they are not already set, but:
>ipa user-mod username --setattr
>ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid
>We get the same response when we kinit as admin or a user with the System:
>Change User password permission.
>Is there a specific configuration mode option or account attribute that 
>allows this to work?
No, nothing would allow you to change pre-hashed passwords through IPA

What you could do is to set them a random non-hashed password as
administrator and thus it would force to change the password on next login.
That's all you could do. Of course, 'next login' can be simulated too, but
you cannot do this with a hashed password.

/ Alexander Bokovoy
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to