Running FreeIPA 4.8.10-6, 5.10.10-200.fc33.x86_64

I'm using the nis-users.sh script from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating-from-nis

First, note that the part (inside 'Now create this entry') that has
--gecos='$gecos' actually inserts $gecos into the FreeIPA record. Also, a
simple fix to insert a first and last name would be:
# turn a "Last, First" gecos into "First Last", then take the first and last word
first=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')

and adding, in the "Now create this entry" section:
--first=$first --last=$last

I'm trying to migrate the passwords from NIS so that they are merged into the
/etc/passwd file (this is a test server). I followed Rob C's previous tips
from here
<https://freeipa-users.redhat.narkive.com/vTJsopZ5/problem-migrating-passwords-fro-nis-to-idm#post10>
and here
<https://www.redhat.com/archives/freeipa-users/2013-April/msg00058.html>.

Not sure it matters, but in /etc/libuser.conf, crypt_style = sha512

In the script I added:
# second colon-separated field of the NIS passwd line is the crypt(3) hash
password1=$(echo "$line" | cut -f2 -d:)
and in the "Now create this entry" section:
--setattr "userpassword='{CRYPT}$password1'"

Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365]
[remote x.x.x.x:59726] ipa: INFO:
[jsonserver_session] ad...@ourdomain.edu:
user_add/1('john', givenname='John', sn='Smith',
homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh',
uidnumber=5319, gidnumber=150,
setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",),
version='2.239'): SUCCESS

So does it appear that {CRYPT} is not being interpreted? I also added
some debug:
echo "Password hash value is $password1"

And what prints is the original hash, sans {CRYPT}.

So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT}the-actual-hash-of-the-password' testuser

Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W

# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testu...@ourdomain.edu
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testu...@ourdomain.edu
krbCanonicalName: testu...@ourdomain.edu
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z

# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc
 =edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0

# search result
search: 2
result: 0 Success

Is it still possible to do this in the current versions?

Thanks,

Rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
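The debug line in the post above logs the attribute as
setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",) and the
gecos as "'John Smith'": the single quotes written inside the double-quoted
string are ordinary characters to the shell and arrive at the server as part
of the value. The script below is an added example, not code from the post or
from the Red Hat nis-users.sh script. It builds the argument list for one
NIS passwd line with the quoting kept outside the value, and only prints the
arguments instead of calling ipa, so it runs offline. The sample passwd line
and its sha512-crypt style hash are constructed placeholders; the ipa options
used (--first, --last, --gecos, --homedir, --shell, --uid, --gidnumber,
--setattr) are the standard `ipa user-add` ones.

```bash
#!/bin/bash
# Added example (not from the original post or the Red Hat nis-users.sh).
# Turn one NIS passwd(5) line into the arguments for `ipa user-add`, keeping
# shell quoting outside the attribute value so the directory receives exactly
# "userpassword={CRYPT}<hash>". The ipa command is not executed here; the
# arguments are printed one per line for inspection.

# The two ways of spelling the --setattr value. In the first form the single
# quotes sit inside double quotes, so they are literal and become part of the
# value that is stored; the second form carries no quote characters at all.
setattr_value_with_inner_quotes() { printf '%s' "userpassword='{CRYPT}$1'"; }
setattr_value_plain()             { printf '%s' "userpassword={CRYPT}$1"; }

# 0 if the hash field is something worth importing, 1 for the usual
# "no password" / locked markers (empty, *, x, NP, leading ! or *) and for
# values containing quote characters, which would corrupt the attribute.
usable_crypt_hash() {
    case $1 in
        ''|'x'|'NP'|'!'*|'*'*) return 1 ;;
        *\'*|*\"*)             return 1 ;;
        *)                     return 0 ;;
    esac
}

# Print the `ipa user-add` arguments for one passwd line, one per line.
# Assumes the gecos field is "Last, First" or "First Last" as in the post;
# gecos layouts with office/phone subfields are not handled.
ipa_user_add_args() {
    local line="$1" name hash uid gid gecos home shell full first last
    IFS=: read -r name hash uid gid gecos home shell <<EOF
$line
EOF
    usable_crypt_hash "$hash" || return 1

    # Same sed as in the post: "Smith, John" -> "John Smith".
    full=$(printf '%s\n' "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/')
    first=$(printf '%s\n' "$full" | awk '{print $1}')
    last=$(printf '%s\n' "$full" | awk '{print $NF}')
    [ -n "$first" ] && [ -n "$last" ] || return 2   # ipa requires --first and --last

    printf '%s\n' \
        user-add "$name" \
        --first="$first" --last="$last" \
        --gecos="$full" \
        --homedir="$home" --shell="$shell" \
        --uid="$uid" --gidnumber="$gid" \
        --setattr="$(setattr_value_plain "$hash")"
}

# Constructed sample line (not real data); the hash is a placeholder laid out
# like a sha512-crypt ($6$) value, the format crypt_style = sha512 produces.
sample='john:$6$examplesalt$examplehash:5319:150:Smith, John:/home/smith:/bin/tcsh'
ipa_user_add_args "$sample"
```

To actually create the account from a line in bash, collect the printed
arguments into an array and pass them through unchanged:
`mapfile -t args < <(ipa_user_add_args "$line") && ipa "${args[@]}"`.
The array keeps "John Smith" as one argument and the `$6$...` hash verbatim,
with no second round of shell expansion.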