On 05/05/2015 03:48 PM, Alan Evans wrote:
Hello, I thought I saw something like this asked before but after searching the archive it seems I can't find it.


I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it possible to use native LDAP tools, ldapadd and ldappasswd in particular, for user creation and password management?

I am trying to use an IDM to synchronize accounts from one directory to FreeIPA. The IDM does not have native FreeIPA support but does have LDAP support.

I have successfully gotten some objects created but I am having problems with their passwords.

I have tried using https://ipa/ui/migration, resetting passwords in IPA UI, ldappasswd and the ipa-cli but when I kinit these users I get the following.


May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required


I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure I understand what they're referring to and if they apply in this situation.

Thank you,
-Alan


This might be caused by the mismatch of the LDAP password hashes.
The password hashes that you had in the other directory might not have the right hash types.

There is a way to change the hashing scheme in the IPA directory so that the hashes would become accepted, but I do not recall the setting off the top of my head.
In general this is not yet supported. We are working on the feature for 4.2.
http://www.freeipa.org/page/V4/User_Life-Cycle_Management

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
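The KDC output Alan quoted mixes CLIENT KEY EXPIRED rejections with NEEDED_PREAUTH entries, and the thread never separates the two. The script below is an added example, not code from the thread, from FreeIPA or from MIT Kerberos. It parses krb5kdc AS_REQ entries in the format shown above, tallies outcomes per client principal, lists the principals being rejected for an expired password (the condition Dmitri's reply is about), and records which client addresses still offer legacy encryption types. The sample log, the principals, the realm, the PIDs and the addresses are constructed placeholders; the ISSUE line is modelled on the KDC's success entry and is likewise constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input in the krb5kdc log format quoted in the thread.
# Principals, realm, PIDs, timestamps and addresses are placeholders.
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: user1@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:30:00 ipa01 krb5kdc[12957](info): AS_REQ (2 etypes {18 17}) 10.131.144.140: ISSUE: authtime 1430775000, etypes {rep=18 tkt=18 ses=18}, user2@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 04 21:30:01 ipa01 krb5kdc[12957](info): closing down fd 11
"""

# Kerberos encryption type numbers (IANA registry). 23 (RC4-HMAC) and 16 (3DES)
# are the legacy types a defender wants to know clients are still offering.
ETYPE_NAMES = {
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    25: "camellia128-cts-cmac",
    26: "camellia256-cts-cmac",
}
LEGACY_ETYPES = {16, 23}

# One AS_REQ entry: timestamp, host, pid, offered etypes, client address,
# status keyword ("ISSUE", "NEEDED_PREAUTH", "CLIENT KEY EXPIRED", ...) and the rest.
AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z][A-Z_ ]*?): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" appears in both failure and ISSUE entries.
PRINCIPALS_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


def parse_line(line):
    """Return a dict describing one AS_REQ entry, or None for any other log line."""
    m = AS_REQ_RE.match(line.rstrip("\n"))
    if not m:
        return None
    p = PRINCIPALS_RE.search(m.group("rest"))
    if not p:
        return None
    # Failure entries carry ", <reason>" after the server principal;
    # ISSUE entries end with the principals, so the reason is empty.
    message = m.group("rest")[p.end():].lstrip(", ")
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "client_ip": m.group("client_ip"),
        "etypes": [int(x) for x in m.group("etypes").split()],
        "status": m.group("status"),
        "client": p.group("client"),
        "server": p.group("server"),
        "message": message,
    }


def entries(log_text):
    """All parsable AS_REQ entries in the text, in order."""
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def summarize(log_text):
    """Count AS_REQ outcomes per client principal: {principal: {status: n}}.

    NEEDED_PREAUTH is the KDC's normal first answer when pre-authentication is
    required (the client retries with an encrypted timestamp), so it is not by
    itself a failure; CLIENT KEY EXPIRED is a rejection that kinit follows with
    an AS_REQ for kadmin/changepw to start a password change.
    """
    per_client = defaultdict(Counter)
    for e in entries(log_text):
        per_client[e["client"]][e["status"]] += 1
    return {client: dict(counts) for client, counts in per_client.items()}


def expired_principals(log_text):
    """Sorted, unique principals rejected with CLIENT KEY EXPIRED."""
    return sorted({e["client"] for e in entries(log_text) if e["status"] == "CLIENT KEY EXPIRED"})


def legacy_etype_offers(log_text):
    """Map client address -> sorted names of legacy etypes it offered in AS_REQs."""
    offers = defaultdict(set)
    for e in entries(log_text):
        for et in e["etypes"]:
            if et in LEGACY_ETYPES:
                offers[e["client_ip"]].add(ETYPE_NAMES[et])
    return {ip: sorted(names) for ip, names in offers.items()}


if __name__ == "__main__":
    for client, counts in summarize(SAMPLE_LOG).items():
        print(client, counts)
    print("expired:", expired_principals(SAMPLE_LOG))
    print("legacy etypes offered:", legacy_etype_offers(SAMPLE_LOG))
```

On a FreeIPA server the KDC normally writes to /var/log/krb5kdc.log, so `summarize(open("/var/log/krb5kdc.log").read())` gives the same per-principal breakdown for real traffic; a principal that shows only CLIENT KEY EXPIRED and kadmin/changepw NEEDED_PREAUTH entries, never an ISSUE, is in exactly the state Alan describes.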

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project