Hello, I thought I saw something like this asked before but after searching
the archive it seems I can't find it.

I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible to use native
LDAP tools, ldapadd and ldappasswd in particular, for user creation and
password management?

I am trying to use an IDM to synchronize accounts from one directory to
FreeIPA.  The IDM does not have native FreeIPA support but does have LDAP
support.

I have successfully gotten some objects created but I am having problems
with their passwords.

I have tried using https://ipa/ui/migration, resetting passwords in IPA UI,
ldappasswd and the ipa-cli, but when I kinit these users I get the following.


May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required


I did get a few Google hits on 'CLIENT KEY EXPIRED' but I am not sure I
understand what they're referring to and if they apply in this situation.

Thank you,
-Alan