Per Qvindesland via FreeIPA-users wrote:
> Hi Alexander 
> 
> Here is the object we are trying to change the password with:
> dn: uid=tes...@jisc3.ac.uk,cn=users,cn=accounts,dc=jisc,dc=ac,dc=uk
> changetype: add
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: inetuser
> objectClass: posixaccount
> objectClass: krbprincipalaux
> objectClass: krbticketpolicyaux
> objectClass: krbPrincipalName
> objectClass: ipaobject
> objectClass: ipasshuser
> objectClass: ipaSshGroupOfPubKeys
> objectClass: mepOriginEntry
> objectClass: eduPerson
> uid: tes...@jisc3.ac.uk
> givenName: NULL
> sn: NULL
> cn: wnQ6gpxNEbYDP4e0xSi42QvNLR4=
> displayName: displayName not set
> ou: Local
> eduPersonAffiliation: affiliate
> mail: tes...@jisc3.ac.uk
> userPassword: e1NIQX1rYjBwdk45WkpLVGpmMHdiMGJqYm5LSk10Vnk7
> loginshell: /bin/sh
> homedirectory: /home/tes...@jisc3.ac.uk
> gidnumber: 1092000014
> uidnumber: 1092000014

You added krbPrincipalName as an objectclass. That doesn't exist and I'm
at a loss as to how you were able to add it at all.

You need to add:

krbPrincipalname: tester@REALM

and drop the bogus objectclass.

rob
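A pre-flight check for the two mistakes Rob points out (an attribute type listed as an objectClass, and no krbPrincipalName on an entry whose object classes make it a Kerberos principal), as an added example that is not code from the thread or from FreeIPA. It assumes the FreeIPA convention that a user's principal is uid@REALM; the entry it parses is a constructed, shortened copy of the one quoted above.

```python
# Added example, not FreeIPA code: validate an LDIF user entry before sending it to the server.
KRB_OBJECT_CLASSES = {"krbprincipalaux", "krbticketpolicyaux"}  # imply a Kerberos principal
NOT_OBJECT_CLASSES = {"krbprincipalname"}  # an attribute type, not an object class

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lowercased: [values]}; base64 ('::') values kept raw."""
    attrs = {}
    for line in filter(str.strip, text.splitlines()):
        name, _, value = line.partition(":")
        attrs.setdefault(name.lower(), []).append(value.lstrip(": ").strip())
    return attrs

def check_kerberos_principal(text):
    """Return the problems that make ipapwd_encrypt_encode_key reject this entry."""
    attrs = parse_ldif_entry(text)
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    problems = [f"objectClass '{c}' is an attribute type, not an object class"
                for c in sorted(classes & NOT_OBJECT_CLASSES)]
    if classes & KRB_OBJECT_CLASSES and "krbprincipalname" not in attrs:
        problems.append("Kerberos object classes present but no krbPrincipalName attribute")
    return problems

def fix_entry(text, realm):
    """Drop the bogus objectClass line and add krbPrincipalName: <uid>@REALM after uid."""
    has_principal = "krbprincipalname" in parse_ldif_entry(text)
    out = []
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.lower() == "objectclass" and value.strip().lower() in NOT_OBJECT_CLASSES:
            continue  # the line Rob says to drop
        out.append(line)
        if name.lower() == "uid" and not has_principal:
            out.append(f"krbPrincipalName: {value.strip()}@{realm}")  # uid@REALM convention
    return "\n".join(out)

# Constructed sample modelled on the entry in the thread (uid shortened, realm invented).
SAMPLE = """dn: uid=tester,cn=users,cn=accounts,dc=example,dc=test
changetype: add
objectClass: top
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbPrincipalName
uid: tester
sn: NULL
"""

if __name__ == "__main__":
    print(check_kerberos_principal(SAMPLE), fix_entry(SAMPLE, "EXAMPLE.TEST"), sep="\n")
```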
> 
> Is there anything you can suggest?
> 
> Regards
> Per
> 
>> On 11 May 2018, at 10:31, Alexander Bokovoy via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On pe, 11 touko 2018, Per Qvindesland via FreeIPA-users wrote:
>>> Hi All
>>>
>>> We’re getting the following entries in the error logs
>>>
>>> [10/May/2018:15:37:18.628665013 +0100] - ERR -
>>> ipapwd_encrypt_encode_key - [file encoding.c, line 143]: no
>>> krbPrincipalName present in this entry
>>> [10/May/2018:15:37:18.630473873 +0100] - ERR - ipapwd_gen_hashes -
>>> [file encoding.c, line 234]: key encryption/encoding failed
>>>
>>> Is this related to the failed binds? Is there any way of turning on
>>> debug logging?
>> You have or are trying to add an object in LDAP that is not a Kerberos
>> principal, yet somehow
>> object classes imply it should be a Kerberos principal.
>> You'd need to show the object or explain what are you doing.
>>
>>>
>>> The connection string is $ds = ldap_connect($hostport, $port); then
>>> we are setting some connection options: ldap_set_option($ds,
>>> LDAP_OPT_PROTOCOL_VERSION, 3);
>>> ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); Then binding using
>>> admin credential: $result = ldap_bind($ds, $rdn, $pass)
>>>
>>> We can connect to freeipa but we are suspecting that we might be
>>> using the wrong encryption {SHA} in plain text then results in err
>>> 19 which results in operations error.
>> No, this is not about connection to ldap but rather adding an LDAP
>> object or attempting to modify a password on existing object.
>>
>>
>> -- 
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org