Steven Jones wrote:
Ok,
So let's avoid the passwords....
Is there an automatic / scripted way to import the passwd file so I get the
UIDs, GIDs etc. into IPA?
We have generally left this as an exercise for the end-user because it
isn't a technically difficult problem. It is more a policy and config
problem.
Attached is a simple demonstration of doing this using IPA command-line.
The tricky part is dealing with names. There is no universal way of
getting it right. Entries without a gecos are skipped.
It worked fine on my system with 2 password entries. YMMV.
rob
regards
Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
-----Original Message-----
From: Dmitri Pal [mailto:d...@redhat.com]
Sent: Friday, 24 September 2010 11:18 p.m.
To: Steven Jones
Cc: freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa
Steven Jones wrote:
Is there a method to do this?
I tried to use LdapImport.pl from the 389 project and this failed....
Giving me all # = entry not added to destination (other error)
Possibly the password criteria in freeipa is "too strong"?
How can I disable this feature?
or is there another way to import?
Migration of the passwords is a tough problem.
The issue is that the passwords in the local files are hashed using a
simple hash algorithm, while in IPA they are hashed to create Kerberos keys.
Converting from one to the other without knowing the cleartext password is not
possible. If you already have an LDAP server with passwords you can take
advantage of our LDAP migration schemes, but if you have local files this
will be a challenge.
For the migrating-from-LDAP case you can load your users into IPA and
then configure SSSD to use migration mode on the client, or you can
instruct users to go to a special migration web page. In both cases you
already have the password hashed in the LDAP format in IPA, so SSSD
or the Migration page will capture the cleartext password and pass it to IPA
so that it can use it to generate the Kerberos hashes.
A quick search around migrating passwords from flat files to LDAP showed
that it is in some cases possible (if the hash that is used by the flat
file is supported by the DS server, but tricky).
We do not have any aid here, so it is simpler to reset the password. If
this is not an option, as far as I understand you need to create user
accounts first with some password and then overwrite the password
attribute in the LDAP with the properly decorated hash taken from the
password file. And after that you still need the Kerberos keys for IPA
to work, so you still need to use the Migration page or SSSD. It might be
less trouble just to bite the bullet and reset passwords as you migrate
to IPA.
Thanks
Dmitri
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
#!/usr/bin/python
# Import /etc/passwd entries into IPA with a uid > 500. This preserves the
# existing uid/gid.
import pwd
from ipapython.ipautil import run

entries = pwd.getpwall()

# format is: login, password, uid, gid, gecos, homedir, shell
for e in entries:
    # Skip system accounts (uid below 500) and the NFS anonymous user.
    if e.pw_uid < 500:
        continue
    if e.pw_name == 'nfsnobody':
        continue
    # IPA requires a first and last name; without a gecos there is nothing to use.
    if e.pw_gecos == '':
        print 'Need first and last name for user "%s". Skipped' % e.pw_name
        continue

    # Pull apart gecos and assume the first name is up to first space
    # and last name is everything else.
    name = e.pw_gecos.split(None)

    args = ['/usr/bin/ipa', 'user-add',
            '--first', name[0],
            '--last', ' '.join(name[1:]),
            '--homedir', e.pw_dir,
            '--shell', e.pw_shell,
            '--setattr', 'uidnumber=%d' % e.pw_uid,
            '--setattr', 'gidnumber=%d' % e.pw_gid,
            e.pw_name]

    # Run the IPA CLI and report the result rather than aborting on the first failure.
    (stdout, stderr, rc) = run(args, raiseonerr=False)
    if rc != 0:
        print 'Adding user "%s" failed: %s' % (e.pw_name, stderr)
    else:
        print 'Successfully added "%s"' % e.pw_name
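The attached script reads the live password database with pwd.getpwall(), so it only works on the host being migrated. Below is an added example (not Rob's script and not part of the FreeIPA project) that instead parses an /etc/passwd file copied off the old host and produces the `ipa user-add` argument lists as a dry run, handling the comma-separated GECOS convention and single-word names that the posted script leaves as an exercise. The sample passwd lines, the uid cutoff of 500 and the `nfsnobody` skip are assumptions taken from or modelled on the thread.

```python
# Added example, not the script from the original post: build the `ipa user-add`
# argument lists from a copied /etc/passwd file as a dry run, so the import can be
# reviewed before anything is created in IPA. Assumptions: the uid cutoff of 500 and
# the nfsnobody skip mirror the posted script; GECOS is read as "Full Name,room,
# phone,other", so trailing comma fields never leak into the last name. The
# password-hash field is deliberately ignored.
from typing import List, Optional, Tuple
# Constructed sample input standing in for a copied /etc/passwd.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
jdoe:x:1001:1001:John Doe,Room 12,x4455,:/home/jdoe:/bin/bash
asmith:x:1002:1002:Alice Smith:/home/asmith:/bin/zsh
svc:x:1003:1003::/home/svc:/sbin/nologin
mononym:x:1004:1004:Prince:/home/mononym:/bin/bash
"""

def split_gecos(gecos: str) -> Optional[Tuple[str, str]]:
    """First word of the GECOS full-name field is the first name, the rest the last."""
    words = gecos.split(",")[0].split()
    if len(words) < 2:  # no usable first+last name, so the caller skips the entry
        return None
    return words[0], " ".join(words[1:])

def user_add_args(line: str, min_uid: int = 500) -> Optional[List[str]]:
    """Return the ipa user-add argv for one passwd line, or None if it is skipped."""
    fields = line.split(":")
    if len(fields) != 7:
        return None
    login, _hash, uid, gid, gecos, home, shell = fields
    if int(uid) < min_uid or login == "nfsnobody":
        return None
    name = split_gecos(gecos)
    if name is None:
        return None
    return ["/usr/bin/ipa", "user-add", "--first", name[0], "--last", name[1],
            "--homedir", home, "--shell", shell, "--setattr", "uidnumber=" + uid,
            "--setattr", "gidnumber=" + gid, login]

def plan_import(passwd_text: str) -> Tuple[List[List[str]], List[str]]:
    """Split a passwd file into argv lists to run and logins that were skipped."""
    commands, skipped = [], []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        args = user_add_args(line)
        if args is None:
            skipped.append(line.split(":")[0])
        else:
            commands.append(args)
    return commands, skipped
```

Run plan_import() over the real file, review the skipped list for names that need manual fixing, and only then hand the argv lists to subprocess or the IPA API.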