Thanks, that seemed to fix it.


On 05/28/2015 03:31 AM, Alexander Bokovoy wrote:
On Thu, 28 May 2015, David Lin wrote:
hum, seems like the migrated users do not have userPassword attribute. Is there anyway to fix this?
Did you actually have access to the userPasssword attribute in OpenLDAP
when migrate-ds command was running? This all is described in the 'ipa
migrate-ds --help' output.

You cannot add userPassword attribute in hashed form after the object
was created in IPA. It can only be set when new user record is created
in the migration mode.


On 05/28/2015 03:13 AM, Martin Kosek wrote:
On 05/28/2015 11:47 AM, David Lin wrote:
I am try to migrate from openldap to freeipa. Everything seems to be working except the password. I understand that when migrating from openldap, the hashed form the the passwords are migrated, but a Kerberos hash is not generated until the user logs in using sssd or through the ipa/migration web ui. However, the users are not able to login in either form using their existing password, from
the directory server log, the only weird thing I see is

[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND
method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE
48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:

Do the migrated users have the userPassword attribute? You can check on the
user with:

# ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b
"uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
# extended LDIF
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to