On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
> Hello,
> 
> I've been experiencing strange problems trying to manually modify the
> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
> Fedora 20). I'm using the following script:
> 
> ---- CUT ----
> [nasko@ipa ~]$ cat change_pass.sh
> #!/bin/sh
> 
> if test -z "${1}"; then
>       echo "no dn supplied"
>       exit 1
> fi
> 
> if test -z "${2}"; then
>       PASS="`pwgen 10 1`"
> else
>       PASS="${2}"
> fi
> 
> echo "${PASS}"
> 
> PASS_HASH="`pwdhash ${PASS}`"
> 
> (
>       echo "dn: ${1}"
>       echo "changetype: modify"
>       echo "replace: userPassword"
>       echo "userPassword: ${PASS_HASH}"
> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
> [nasko@ipa ~]$ ./change_pass.sh 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
> nohshohwoo
> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
> ldap_modify: Operations error (1)
> 
> [nasko@ipa ~]$
> ---- CUT ----
> 
> and so on and so on, ldapmodify returning the same error every time, on any
> dn. Any suggestions?
> 
> P.S.
> The server is in migration mode at this time.
> 

Hello Atanas,

This issue is already discussed in
https://fedorahosted.org/freeipa/ticket/4450
and thread "[Freeipa-users] 4.0.0 password migration trouble", you will find
some information there. Ludwig, this issue is completely different than
nsslapd-allow-hashed-passwords, correct?

But anyway, changing the password via ldapmodify and supplying a pre-hashed
password will not work well and you will need to run through the migration mode
even after ticket 4450 is fixed.

If you have the clear text available (which I assume based on the
"`pwdhash ${PASS}`" construct), I would rather suggest changing it via the
ldappasswd script so that FreeIPA can also generate all the Kerberos attributes.

HTH,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
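
The ldappasswd route suggested in the reply, as an added example that is not part of the original thread or of FreeIPA's own tooling: the clear-text password is sent with the Password Modify operation instead of writing a pre-hashed userPassword value. The function name `change_pass`, the variables `LDAP_URI`, `BIND_DN` and `BIND_PW_FILE`, and the use of StartTLS (`-ZZ`, which assumes the client trusts the server certificate) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: set a password from clear text with ldappasswd so the server
# does the hashing (and, per the reply, FreeIPA can generate the Kerberos
# attributes), instead of writing a pre-hashed userPassword via ldapmodify.
# Hypothetical settings; the defaults mirror host, port and bind DN from the post.
LDAP_URI="${LDAP_URI:-ldap://localhost:389}"
BIND_DN="${BIND_DN:-cn=directory manager}"
BIND_PW_FILE="${BIND_PW_FILE:-$HOME/.dm_password}"   # bind password, no trailing newline

change_pass() {
    dn="$1"
    pass="$2"
    if [ -z "$dn" ]; then
        echo "no dn supplied" >&2
        return 1
    fi
    if [ -z "$pass" ]; then
        # Same generator as the original script.
        pass="$(pwgen 10 1)" || return 1
    fi
    # Keep both passwords off the command line (visible in the process list):
    # mktemp creates the file with mode 0600.
    pw_file="$(mktemp)" || return 1
    # printf without a newline: -y and -T use the complete file contents.
    printf '%s' "$pass" > "$pw_file"
    rc=0
    # -x simple bind, -ZZ require StartTLS because clear text crosses the wire.
    ldappasswd -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" -y "$BIND_PW_FILE" \
        -T "$pw_file" "$dn" || rc=$?
    rm -f "$pw_file"
    # Print the password only when the server accepted the change.
    [ "$rc" -eq 0 ] && echo "$pass"
    return "$rc"
}

# Run only when called with arguments: ./change_pass.sh '<dn>' [password]
if [ "$#" -gt 0 ]; then
    change_pass "$@"
fi
```
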
