On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
> 
>> So if I understand the 389-ds ticket correctly, I can add pre-hashed
>> passwords via ldapmodify to the 389 server using directory manager as the
>> bind dn? I just can't use the ipa command line tool/script.
> 
> The short answer is "no". Trying to add the userPassword attribute with 
> ldapmodify binding as "cn=directory manager" fails with operation error.
> 
> Error log attached to the ticket Rob made: 
> https://fedorahosted.org/freeipa/ticket/4450
> 
> To summarize:
> 
> No password migration via "ipa migrate-ds"; No password migration via "ipa 
> user-add --setattr userPassword={SHA}..."; No password migration via 
> 'ldapmodify -D "cn=directory manager"'. Do you think a solution will be 
> forthcoming, or is it a ways off? I can leave my old ldap directory up for a 
> little while.

I did a couple of tests with a custom build of 389-ds-base and I got the
migration working after switching the new configuration option. See details and
the transcript in the ticket:

https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with the DS team to backport the switch option to Fedora 20
389-ds-base and to release FreeIPA 4.0.1 with an appropriate patch to fix this
problem ASAP, ideally this week.

Thanks for your patience,
Martin
