On 07/21/2014 01:30 PM, Atanas Bachvaroff wrote:
>
> Martin Kosek wrote:
>> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>>> Hello,
>>>
>>> I've been experiencing strange problems trying to manually modify the
>>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>>> Fedora 20). I'm using the following script:
>>>
>>> ---- CUT ----
>>> [nasko@ipa ~]$ cat change_pass.sh
>>> #!/bin/sh
>>>
>>> # usage: change_pass.sh <dn> [password]; a random password is generated when none is given
>>> if test -z "${1}"; then
>>>     echo "no dn supplied"
>>>     exit 1
>>> fi
>>>
>>> if test -z "${2}"; then
>>>     PASS="$(pwgen 10 1)"
>>> else
>>>     PASS="${2}"
>>> fi
>>>
>>> echo "${PASS}"
>>>
>>> # quote the password so that spaces or shell metacharacters reach pwdhash intact
>>> PASS_HASH="$(pwdhash "${PASS}")"
>>>
>>> # build a modify LDIF on the fly and feed it to ldapmodify as Directory Manager
>>> (
>>>     echo "dn: ${1}"
>>>     echo "changetype: modify"
>>>     echo "replace: userPassword"
>>>     echo "userPassword: ${PASS_HASH}"
>>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
>>> [nasko@ipa ~]$ ./change_pass.sh 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>>> nohshohwoo
>>> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>>> ldap_modify: Operations error (1)
>>>
>>> [nasko@ipa ~]$
>>> ---- CUT ----
>>>
>>> and so on and so on, ldapmodify returning the same error every time, on
>>> any dn. Any suggestions?
>>>
>>> P.S.
>>> The server is in migration mode at this time.
>>>
>>
>> Hello Atanas,
>>
>> This issue is already discussed in
>> https://fedorahosted.org/freeipa/ticket/4450
>> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
>> find some information there. Ludwig, this issue is completely different
>> than nsslapd-allow-hashed-passwords, correct?
>>
>> But anyway, changing password via ldapmodify and supplying pre-hashed
>> password will not work well and you will need to run through the
>> migration mode even after ticket 4450 is fixed.
>>
>> If you have a clear text available (which I assume based on the
>> "`pwdhash ${PASS}`" construct), I would rather suggest changing it via
>> ldappasswd script so that FreeIPA can also generate all the Kerberos
>> attributes.
>>
>> HTH,
>> Martin
>>
>
> Unfortunately, I don't have access to the cleartext passwords ('coz I'm
> migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds
> failed miserably with hashed passwords constraint violations, so I cloned
> the 389s etc., deleted the userPassword attributes and tried to
> restore 'em with the script above, taking the PASS="${2}" branch, which
> failed.
>
> It appears that #4450 is very close to my issues.
Ok. When 4450 is fixed (I would like to get it done this week), you should be
able to just run migrate-ds and have pre-hashed user passwords stored.
Given you are running on 3.3.4 (why not the latest 3.3.5?), we should also
release a fixed FreeIPA build in Fedora 20.
Martin
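As an added example (not code from the thread or from FreeIPA), here is a reworking of the `change_pass.sh` script quoted above that emits the modify LDIF with RFC 2849-safe value encoding (base64 when a value starts with a space, `:` or `<`, ends with a space, or contains non-ASCII bytes, as a DN with an umlaut would) and reads the Directory Manager password from a file via `ldapmodify -y` instead of passing it on the command line; the `BINDPW_FILE` variable and the example DN are assumptions. It does not change what the thread says about ticket 4450: a pre-hashed `userPassword` still needs the migration-mode round trip for Kerberos keys.

```shell
#!/bin/sh
# Added example: usage  change_pass.sh <dn> <userPassword-hash>
# BINDPW_FILE (assumed name) must point at a mode-0600 file holding the bind password.

# Print one LDIF attribute line, base64-encoding ("::") values that are not
# RFC 2849 SAFE-STRINGs; plain 7-bit hashes like {SSHA}... stay readable.
ldif_line() {
    attr="$1"; val="$2"; unsafe=0
    case "$val" in
        ' '*|:*|'<'*|*' ') unsafe=1 ;;   # forbidden initial char or trailing space
    esac
    # any byte outside printable ASCII (0x20-0x7E), e.g. UTF-8 in a DN
    if [ "$unsafe" -eq 0 ] && printf '%s' "$val" | LC_ALL=C grep -q '[^ -~]'; then
        unsafe=1
    fi
    if [ "$unsafe" -eq 1 ]; then
        printf '%s:: %s\n' "$attr" "$(printf '%s' "$val" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$attr" "$val"
    fi
}

# Full change record replacing userPassword on one entry.
build_modify_ldif() {
    ldif_line dn "$1"
    printf 'changetype: modify\nreplace: userPassword\n'
    ldif_line userPassword "$2"
    printf -- '-\n'
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <dn> <userPassword-hash>" >&2; exit 1; }
    : "${BINDPW_FILE:?set BINDPW_FILE to a 0600 file holding the Directory Manager password}"
    # -y keeps the bind password out of argv and shell history (unlike -w "...")
    build_modify_ldif "$1" "$2" |
        ldapmodify -h localhost -p 389 -D "cn=directory manager" -y "$BINDPW_FILE"
}

# Only run when invoked as the script itself, so the functions can be sourced.
case "$0" in *change_pass.sh) main "$@" ;; esac
```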
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project