Hello, I thought I saw something like this asked before but after searching the archive it seems I can't find it.
I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it possible to use native LDAP tools, ldapadd and ldappasswd in particular, for user creation and password management?

I am trying to use an IDM to synchronize accounts from one directory to FreeIPA. The IDM does not have native FreeIPA support but does have LDAP support. I have successfully gotten some objects created but I am having problems with their passwords. I have tried using https://ipa/ui/migration, resetting passwords in the IPA UI, ldappasswd and the ipa-cli, but when I kinit these users I get the following:

May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: [email protected] for krbtgt/ [email protected], Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for kadmin/ [email protected], Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for krbtgt/ [email protected], Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: [email protected] for krbtgt/ [email protected], Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for kadmin/ [email protected], Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for krbtgt/ [email protected], Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: [email protected] for krbtgt/ [email protected], Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for kadmin/ [email protected], Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: [email protected] for krbtgt/ [email protected], Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: [email protected] for kadmin/ [email protected], Additional pre-authentication required

I did get a few Google hits on 'CLIENT KEY EXPIRED' but I am not sure I understand what they're referring to and if they apply in this situation.

Thank you,
-Alan
