> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
> via ldapmodify to the 389 server using directory manager as the bind dn? I
> just can't use the ipa command line tool/script.

The short answer is "no". Trying to add the userPassword attribute with 
ldapmodify binding as "cn=directory manager" fails with an operation error.

Error log attached to the ticket Rob made: 
https://fedorahosted.org/freeipa/ticket/4450

To summarize:

No password migration via "ipa migrate-ds"; No password migration via "ipa 
user-add --setattr userPassword={SHA}..."; No password migration via 
'ldapmodify -D "cn=directory manager"'. Do you think a solution will be 
forthcoming, or is it a ways off? I can leave my old LDAP directory up for a 
little while.

Bryce





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
