On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
>> So if I understand the 389-ds ticket correctly, I can add pre-hashed 
>> passwords
>> via ldapmodify to the 389 server using directory manager as the bind dn? I
>> just can't use the ipa command line tool/script.
> The short answer is "no". Trying to add the userPassword attribute with 
> ldapmodify binding as "cn=directory manager" fails with operation error.
> Error log attached to the ticket Rob made: 
> https://fedorahosted.org/freeipa/ticket/4450
> To summarize:
> No password migration via "ipa migrate-ds"; No password migration via "ipa 
> user-add --setattr userPassword={SHA}..."; No password migration via 
> 'ldapmodify -D "cn=directory manager"'. Do you think a solution will be 
> forthcoming, or is it a ways off? I can leave my old ldap directory up for a 
> little while.

I did couple tests with a custom build of 389-ds-base and I made the migration
working after switching the new configuration option. See details and the
transcript in the ticket:


I will work with DS team to backport the switch option to Fedora 20 389-ds-base
and to release FreeIPA 4.0.1 with appropriate patch to fix this problem ASAP,
ideally this week.

Thanks for your patience,

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to