On 07/21/2014 01:14 PM, Martin Kosek wrote:
On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:

I've been experiencing strange problems trying to manually modify the
userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
Fedora 20). I'm using the following script:

---- CUT ----
[nasko@ipa ~]$ cat change_pass.sh

if test -z "${1}"; then
        echo "no dn supplied"
        exit 1

if test -z "${2}"; then
        PASS="`pwgen 10 1`"

echo "${PASS}"

PASS_HASH="`pwdhash ${PASS}`"

        echo "dn: ${1}"
        echo "changetype: modify"
        echo "replace: userPassword"
        echo "userPassword: ${PASS_HASH}"
) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
[nasko@ipa ~]$ ./change_pass.sh
modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
ldap_modify: Operations error (1)

[nasko@ipa ~]$
---- CUT ----

and so on and so on, ldapmodify returing the same error every time, on any
dn. Any suggestions?

The server is in migration mode at this time.

Hello Atanas,

This issue is already discussed in
and thread "[Freeipa-users] 4.0.0 password migration trouble", you will find
some information there. Ludwig, this issue is completely different than
nsslapd-allow-hashed-passwords, correct?
no, don't think so. pwdhash XXX returns {SSSH}hgjhdgjah
so it matches 389 ticket 47389

But anyway, changing password via ldapmodify and supplying pre-hashed password
will not work well and you will need to run through the migration mode even
after ticket 4450 is fixed.

If you have a clear text available (which I assume based on "`pwdhash ${PASS}`
construct)", I would rather suggest changing it via  ldappasswd script so that
FreeIPA can also generate all the Kerberos attributes.


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to