On Mon, Mar 9, 2015 at 2:45 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Mon, 09 Mar 2015, Ben Slusky wrote:
>
>> Greetings FreeIPA users,
>>
>> I'm setting up FreeIPA service in our production environment to replace
>> several different authentication methods for various systems. I'm trying
>> to migrate the first wave of users now. My plan was to copy their passwords
>> from an old LDAP directory (one of the aforementioned several
>> authentication methods) and then send them to the migration page to finish
>> the job.
>>
> Even in migration mode, you can only set pre-hashed passwords when
> creating the records, not when modifying them.
>
>
>> bslu...@ipa1.aws:~$ head techteam-passwords.ldif
>> dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NTSE[...]
>> -
>>
>> dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NIQX[...]
>>
>> Unfortunately it isn't working:
>>
>> bslu...@ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f techteam-passwords.ldif
>> Enter LDAP Password:
>> modifying entry "uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int"
>> ldap_modify: Operations error (1)
>>
>> I found some possible causes of this error, and fixed them:
>>
>> bslu...@ipa1.aws:~$ ipa config-show |grep migration
>>  Enable migration mode: TRUE
>>
>> bslu...@ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config |grep allow-hashed
>> Enter LDAP Password:
>> nsslapd-allow-hashed-passwords: on
>>
>> Still no soap. Any suggestions?
>>
> Works as designed. We only allow unhashed passwords in migration mode
> when entry is added, not modified.
>
> --
> / Alexander Bokovoy
>

Alexander: Thanks for clarifying that.

To anyone dealing with this or a similar problem who might find this in a
web search:
ipa user-add user0001 --first=User --last=0001 --setattr=userPassword='{SHA}...'
works like a charm (if migration mode is enabled).

-- 

*Ben Slusky*
Smartling, Inc. Senior Operations Engineer
bslu...@smartling.com | smartling.com <http://www.smartling.com/>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
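
Added example (not part of the original thread, and not FreeIPA project code): a batch form of the `ipa user-add ... --setattr=userPassword=...` approach above, which reads an export from the old directory and prints one creation command per user, skipping any entry whose userPassword has no `{SCHEME}` prefix. The function names, the sample LDIF and the assumption that the old export carries uid, givenName and sn are all constructed for illustration.

```python
import base64
import re
import shlex

HASHED = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="  # constructed: SHA-1 of "password"
# Constructed export from the old directory; attribute names are assumptions.
SAMPLE_LDIF = (
    "dn: uid=user0001,ou=people,dc=example,dc=com\n"
    "uid: user0001\ngivenName: User\nsn: 0001\n"
    f"userPassword:: {base64.b64encode(HASHED.encode()).decode()}\n\n"
    "dn: uid=user0002,ou=people,dc=example,dc=com\n"
    "uid: user0002\ngivenName: User\nsn: 0002\n"
    "userPassword: not-a-hash\n"
)
SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}.+")  # e.g. {SHA}..., {SSHA}...

def parse_ldif(text):
    """Yield one dict per record; 'attr:: value' is base64-decoded."""
    text = text.replace("\n ", "")  # unfold continuation lines
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if value.startswith(":"):  # double colon marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode()
            entry[name.lower()] = value.strip()
        yield entry

def user_add_argv(entry):
    """Build the 'ipa user-add' argv that sets the hash at creation time."""
    pw = entry.get("userpassword", "")
    if not SCHEME.match(pw):
        raise ValueError(f"{entry.get('uid')}: userPassword has no {{SCHEME}} prefix")
    return ["ipa", "user-add", entry["uid"],
            f"--first={entry['givenname']}", f"--last={entry['sn']}",
            f"--setattr=userPassword={pw}"]

def plan(text):
    """Return (shell-quoted commands, skipped-entry messages)."""
    cmds, skipped = [], []
    for entry in parse_ldif(text):
        try:
            cmds.append(shlex.join(user_add_argv(entry)))
        except ValueError as err:
            skipped.append(str(err))
    return cmds, skipped

if __name__ == "__main__":
    print("\n".join(sum(plan(SAMPLE_LDIF), [])))
```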
