Hum, seems like the migrated users do not have the userPassword attribute. Is there any way to fix this?

Thanks!
David

On 05/28/2015 03:13 AM, Martin Kosek wrote:
On 05/28/2015 11:47 AM, David Lin wrote:
Hi,
I am trying to migrate from openldap to freeipa.  Everything seems to be working
except the password. I understand that when migrating from openldap, the hashed
forms of the passwords are migrated, but a Kerberos hash is not generated until
the user logs in using sssd or through the ipa/migration web ui.  However, the
users are not able to log in in either form using their existing password. From
the directory server log, the only weird thing I see is

[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]" method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE

48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
http://www.zytrax.com/books/ldap/ch12/

Do the migrated users have the userPassword attribute? You can check on the
user with:

# ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b "uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Martin
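
The diagnosis in this thread, as an added example that is not part of the original messages: it pairs BIND and RESULT lines from a directory server access log to find err=48 failures, then reads an ldapsearch LDIF dump to see whether those entries carry userPassword and under which scheme. The function names, DNs, log lines and the hash-less `{SSHA}` value are constructed for illustration.

```python
import base64
import re

def failed_binds(log, err="48"):
    """DNs whose BIND got RESULT err=<err>, correlated by (conn, op)."""
    binds, hits = {}, []
    for line in log.splitlines():
        bind = re.search(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"', line)
        res = re.search(r"conn=(\d+) op=(\d+) RESULT err=(\d+)", line)
        if bind:
            binds[bind.group(1, 2)] = bind.group(3)
        elif res and res.group(3) == err and res.group(1, 2) in binds:
            hits.append(binds[res.group(1, 2)])
    return hits

def password_schemes(ldif):
    """Map entry DN -> userPassword {SCHEME} prefix, or None if the attribute is absent."""
    report = {}
    unfolded = re.sub(r"\r?\n ", "", ldif)  # join LDIF continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, scheme = None, None
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if name.lower() == "dn":
                dn = value.strip()
            elif name.lower() == "userpassword":
                # "::" marks base64; decode only to read the prefix, never emit the hash
                raw = base64.b64decode(value[1:]) if value.startswith(":") else value.strip().encode()
                m = re.match(rb"\{([\w-]+)\}", raw)
                scheme = m.group(1).decode().upper() if m else "NO-SCHEME-PREFIX"
        if dn:
            report[dn] = scheme
    return report

# Constructed sample data: hypothetical users; "e1NTSEF9" is base64 for "{SSHA}" with no hash body.
BASE = "cn=users,cn=accounts,dc=example,dc=test"
SAMPLE_LOG = f'''[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=bob,{BASE}" method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:05 -0700] conn=113 op=1 BIND dn="uid=alice,{BASE}" method=128 version=3
[28/May/2015:02:40:05 -0700] conn=113 op=1 RESULT err=0 tag=97 nentries=0 etime=0'''
SAMPLE_LDIF = f'''dn: uid=alice,{BASE}
userPassword:: e1NTSEF9

dn: uid=bob,cn=users,cn=accounts,
 dc=example,dc=test'''

if __name__ == "__main__":
    print({dn: password_schemes(SAMPLE_LDIF).get(dn) for dn in failed_binds(SAMPLE_LOG)})
```

A DN that shows up in the err=48 list with scheme `None` is the case reported at the top of this message: the entry was migrated without a userPassword value.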

