On 12.02.24 12:38, Christian via FreeIPA-users wrote:
> On 11/02/2024 22.40, Ronald Wimmer via FreeIPA-users wrote:
>> Remark: If I set a new password for this particular user after the
>> user has been activated, it works.
>> We are still facing this particular problem and do not have any clue
>> why the initial password set by the external system does not work. Any
>> ideas/hints here?
> Two ideas:
> Are you supplying pre-hashed passwords in the correct format? 389-DS
> expects hashed passwords in a specific format, e.g.
> "{PBKDF2-SHA512}100000$base64data" for PBKDF2 with SHA-512 and 100,000
> iterations.
> IPA cannot create Kerberos keys from a pre-hashed password. Kerberos
> does not work until the user's Kerberos key is generated from a plain
> password, e.g. with a password change at
> https://yourserver/ipa/migration/. SSSD can also detect the case and
> generate Kerberos keys.
> When you log into LDAP as "cn=Directory Manager", then you can read and
> check the "userPassword" and "krbPrincipalKey" entries.
> Christian
We are providing plaintext passwords. When the user is initially created
in the staging area the password does not seem to work. When the user is
activated and thus moved to the right place in the LDAP tree we can set
a different password that works immediately.
In both cases an LDAP browser reveals that the password gets hashed
immediately by 389DS. (PBKDF2_SHA256)
Cheers,
Ronald
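The check Christian suggests (read "userPassword" and "krbPrincipalKey" as Directory Manager and see what is actually stored) can be scripted over the attributes an LDAP search returns. The following is an added example, not code from this thread or from FreeIPA/389-DS: it classifies each userPassword value by its "{SCHEME}" prefix, parses the iteration count only for the "{PBKDF2-SHA512}iterations$base64" layout quoted above (for other schemes such as PBKDF2_SHA256 it just reports the scheme name and checks the payload is base64), and reports whether the entry has any Kerberos key at all. The entries, DNs and hash payloads are constructed sample data, and the staged/active DN layout is assumed for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional, Union

# Matches 389-DS style stored passwords: "{SCHEME}payload".
SCHEME_RE = re.compile(r"^\{(?P<scheme>[A-Za-z0-9_\-]+)\}(?P<payload>.*)$", re.S)


@dataclass
class PasswordInfo:
    scheme: Optional[str]      # None when the value carries no {SCHEME} prefix
    iterations: Optional[int]  # parsed only for the "iterations$base64" layout
    payload_ok: bool           # payload decoded as base64 (and iterations > 0)


def parse_user_password(value: Union[str, bytes]) -> PasswordInfo:
    """Classify one userPassword value without attempting to verify it."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", errors="replace")
    m = SCHEME_RE.match(value)
    if not m:
        # No scheme prefix: the server would normally have hashed it on
        # write, so a bare value usually means it was imported pre-hashed
        # in a form 389-DS does not recognise, or hashing was bypassed.
        return PasswordInfo(None, None, False)
    scheme = m.group("scheme").upper()
    payload = m.group("payload")
    if scheme.startswith("PBKDF2") and "$" in payload:
        iters, _, data = payload.partition("$")
        try:
            n = int(iters)
            base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return PasswordInfo(scheme, None, False)
        return PasswordInfo(scheme, n, n > 0 and bool(data))
    try:
        base64.b64decode(payload, validate=True)
        return PasswordInfo(scheme, None, bool(payload))
    except ValueError:
        return PasswordInfo(scheme, None, False)


def kerberos_ready(entry: dict) -> bool:
    """True when the entry has at least one krbPrincipalKey value."""
    return bool(entry.get("krbPrincipalKey"))


def diagnose(entry: dict) -> list:
    """Return human-readable findings for one user entry."""
    findings = []
    pw_values = entry.get("userPassword", [])
    if not pw_values:
        findings.append("no userPassword value at all")
    for raw in pw_values:
        info = parse_user_password(raw)
        if info.scheme is None:
            findings.append("userPassword is stored in plaintext (no {SCHEME} prefix)")
        elif not info.payload_ok:
            findings.append(f"userPassword uses {info.scheme} but the payload is malformed")
        elif info.iterations is not None:
            findings.append(f"userPassword hashed with {info.scheme}, {info.iterations} iterations")
        else:
            findings.append(f"userPassword hashed with {info.scheme}")
    if not kerberos_ready(entry):
        findings.append("krbPrincipalKey missing: Kerberos logins fail until a plain "
                        "password is set (e.g. via /ipa/migration/)")
    return findings


# Constructed sample entries (not real directory data). Hash payloads are
# shortened placeholders; the DNs follow an assumed staged/active layout.
STAGED_USER = {
    "dn": "uid=jdoe,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=test",
    "userPassword": ["{PBKDF2-SHA512}100000$c2FsdHNhbHRzYWx0aGFzaGhhc2hoYXNo"],
}
ACTIVE_USER = {
    "dn": "uid=jdoe,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword": ["{PBKDF2_SHA256}AAAnEHNhbHRzYWx0aGFzaGhhc2hoYXNo"],
    "krbPrincipalKey": [b"\x30\x0a\x04\x08constructed"],
}
PLAINTEXT_USER = {
    "dn": "uid=import,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword": ["hunter2"],
}

if __name__ == "__main__":
    for entry in (STAGED_USER, ACTIVE_USER, PLAINTEXT_USER):
        print(entry["dn"])
        for finding in diagnose(entry):
            print("  -", finding)
```

In practice the dict would be filled from an ldapsearch bound as cn=Directory Manager (the only identity that can read krbPrincipalKey); the point of the check is to separate the two failure modes in the thread, a password that was never stored as a recognised hash versus a correctly hashed password whose Kerberos key was never derived.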
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org