Steven Jones wrote:

So lets avoid the passwords....

Is there an automatic / scripted way to import the passwd file so I get the 
UID's, GID's etc into ipa?

We have generally left this as an exercise for the end-user because it isn't a technically difficult problem. It is more a policy and config problem.

Attached is a simple demonstration of doing this using IPA command-line. The tricky part is dealing with names. There is no universal way of getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YYMV.



Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
New Zealand

-----Original Message-----
From: Dmitri Pal []
Sent: Friday, 24 September 2010 11:18 p.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
Is there a method to do this?

I tried to use from the 389 project and this failed....

Giving me all # = entry not added to destination (other error)

Possibly the password criteria in freeipa is "too strong"?

How can I disable this feature?

or is there another way to import?

Migration of the passwords is a tough problem.
The issue is that the passwords in the local files are hashed using
simple hash algorithm while in IPA they are hashed to create kerberos keys.
Converting from one to another without knowing clear password is not
possible. If you already have an LDAP server with password you can take
advantage of our LDAP migration schemes but if you have local files this
will be a challenge.
For migrating from LDAP case you can load your users into the IPA and
then configure SSSD to use migration mode on the client or you can
instruct users to go to a special migration web page. In both cases you
already have the password hashed in the LDAP format in the IPA so SSSD
or Migration page will capture the cleartext password and pass it to IPA
so that it can use it to generate the Kerberos hashes.

A quick search around migrating passwords from flat files to LDAP showed
that it is in some cases possible (if the hash that is used by the flat
file is supported by the DS server, but tricky).
We do not have any aid here so it is simpler to reset the password. If
this is not an option, as far as I understand you need to create user
accounts first with some password and then overwrite the password
attribute in the LDAP with the properly decorated hash take from the
password file. And after that you still need the kerberos keys for IPA
to work so you still need to use Migration page or SSSD. It might be
less trouble just to bite the bullet and reset passwords as you migrate
to IPA.



Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
New Zealand

Freeipa-users mailing list


# Import /etc/passwd entries into IPA with a uid > 500. This preserves the
# existing uid/gid.

import pwd
from ipapython.ipautil import run

entries = pwd.getpwall()

# format is: login, password, uid, gid, gecos, homedir, shell

for e in entries:
    if e.pw_uid < 500:

    if e.pw_name == 'nfsnobody':

    if e.pw_gecos == '':
        print 'Need first and last name for user "%s". Skipped' % e.pw_name

    # Pull apart gecos and assume the first name is up to first space
    # and last name is everything else.
    name = e.pw_gecos.split(None)

    args = ['/usr/bin/ipa', 'user-add',
            '--first', name[0],
            '--last', ' '.join(name[1:]),
            '--homedir', e.pw_dir,
            '--shell', e.pw_shell,
            '--setattr', 'uidnumber=%d' % e.pw_uid,
            '--setattr', 'gidnumber=%d' % e.pw_gid,

    (stdout, stderr, rc) = run(args, raiseonerr=False)
    if rc != 0:
        print 'Adding user "%s" failed: %s' % (e.pw_name, stderr)
        print 'Successfully added "%s"' % e.pw_name
Freeipa-users mailing list

Reply via email to