On 07/21/2014 01:30 PM, Atanas Bachvaroff wrote:
>
> Martin Kosek wrote:
>> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>>> Hello,
>>>
>>> I've been experiencing strange problems trying to manually modify the
>>> userPassword attributes in FreeIPA's 389 directory (FreeIPA 3.3.4 on
>>> Fedora 20). I'm using the following script:
>>>
>>> ---- CUT ----
>>> [nasko@ipa ~]$ cat change_pass.sh
>>> #!/bin/sh
>>>
>>> if test -z "${1}"; then
>>> echo "no dn supplied"
>>> exit 1
>>> fi
>>>
>>> if test -z "${2}"; then
>>> PASS="`pwgen 10 1`"
>>> else
>>> PASS="${2}"
>>> fi
>>>
>>> echo "${PASS}"
>>>
>>> PASS_HASH="`pwdhash ${PASS}`"
>>>
>>> (
>>> echo "dn: ${1}"
>>> echo "changetype: modify"
>>> echo "replace: userPassword"
>>> echo "userPassword: ${PASS_HASH}"
>>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w "yyyyyyyy"
>>> [nasko@ipa ~]$ ./change_pass.sh 'uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>>> nohshohwoo
>>> modifying entry "uid=xxxxxxxx,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>>> ldap_modify: Operations error (1)
>>>
>>> [nasko@ipa ~]$
>>> ---- CUT ----
>>>
>>> and so on and so on, ldapmodify returning the same error every time, on
>>> any dn. Any suggestions?
>>>
>>> P.S.
>>> The server is in migration mode at this time.
>>>
>>
>> Hello Atanas,
>>
>> This issue is already discussed in
>> https://fedorahosted.org/freeipa/ticket/4450
>> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
>> find some information there. Ludwig, this issue is completely different than
>> nsslapd-allow-hashed-passwords, correct?
>>
>> But anyway, changing password via ldapmodify and supplying pre-hashed
>> password will not work well and you will need to run through the migration
>> mode even after ticket 4450 is fixed.
>>
>> If you have a clear text available (which I assume based on the "`pwdhash
>> ${PASS}`" construct), I would rather suggest changing it via the ldappasswd
>> script so that FreeIPA can also generate all the Kerberos attributes.
>>
>> HTH,
>> Martin
>>
>
> Unfortunately, I don't have access to the cleartext passwords ('coz I'm
> migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds
> failed miserably with hashed passwords constraint violations, so I cloned
> the 389s etc., deleted the userPassword attributes and tried to
> restore 'em with the script above, taking the PASS="${2}" branch, which
> failed.
>
> It appears that #4450 is very close to my issues.
Ok. When 4450 is fixed (I would like to get it done this week), you should be
able to just run migrate-ds and have pre-hashed user passwords stored. Given you
are running on 3.3.4 (why not the latest 3.3.5?), we should also release a fixed
FreeIPA build in Fedora 20.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
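A hardened variant of the change_pass.sh script from the thread, added here as an example and not taken from the list or from the FreeIPA project. It emits the same "replace: userPassword" LDIF, but reads the Directory Manager password from a 0600 file via `-y` instead of passing it with `-w` on the command line (where `ps` and shell history can see it), quotes the variables, never prints the cleartext, and refuses a hash that lacks a `{SCHEME}` prefix such as the `{SSHA}` that pwdhash emits. `DM_PW_FILE` and the function names are assumptions, as is the claim that 389-ds would store a prefix-less value as cleartext; the script does nothing about the server-side Operations error tracked in ticket 4450.

```shell
#!/bin/sh
# Added example (hypothetical helper), not the script posted on the list.
set -eu

# Path of a 0600 file holding the Directory Manager password (constructed default).
DM_PW_FILE="${DM_PW_FILE:-${HOME-.}/.dm_pw}"

# build_userpassword_ldif DN HASH -> prints the modify LDIF on stdout.
# Refuses a hash without a {SCHEME} prefix: assumption that 389-ds would
# otherwise treat the value as a cleartext password and hash it itself.
build_userpassword_ldif() {
    dn="$1"; hash="$2"
    case "$hash" in
        \{*\}*) ;;    # {SSHA}..., {SSHA512}..., {CRYPT}... are accepted
        *) echo "refusing hash without a {SCHEME} prefix" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$dn" "$hash"
}

# main DN [HASH]: with no HASH, hash a freshly generated password instead.
main() {
    [ -n "${1-}" ] || { echo "usage: $0 DN [HASH]" >&2; exit 1; }
    dn="$1"
    if [ -n "${2-}" ]; then
        hash="$2"
    else
        pass="$(pwgen 10 1)"        # cleartext stays in this shell; not echoed
        hash="$(pwdhash "$pass")"   # quoted, so the value survives word splitting
    fi
    [ -r "$DM_PW_FILE" ] || { echo "no readable $DM_PW_FILE" >&2; exit 1; }
    # -y reads the bind password from a file; -w would expose it in `ps` and history
    build_userpassword_ldif "$dn" "$hash" |
        ldapmodify -h localhost -p 389 -D "cn=directory manager" -y "$DM_PW_FILE"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```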