Hi Petr,

Thanks for the documentation. I had already followed the steps from the
NIS migration page; it works, but does not solve my problem, which is to
change *already existing users'* passwords.

When trying

ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='

I get "Pre-Encoded passwords are not valid"
On 22/07/2016 at 15:08, Petr Vobornik wrote:
> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>> Hello everyone,
>>
>> I am currently trying to deploy FreeIPA as the new idm system in my
>> university but came across a problem I could not solve yet. I need to
>> bypass the pre-hashed password verification, not only at user creation.
>>
>> Due to several constraints, our workflow involves periodically (once a
>> day, currently) receiving an ldif file containing the users' up-to-date
>> information (including hashed passwords) and inserting this
>> information into the idm. As our goal is to unify users' passwords in
>> the university but we do not have access to the higher-level LDAP directly,
>> we injected these pre-hashed passwords directly into the LDAP until today.
>>
>> Yet, every attempt I made to update users' passwords with pre-hashed
>> passwords has failed so far.
>>
>> First I tried this (migration mode enabled):
>>
>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>
>> /*OK*/
>>
>> ➜  ~ kinit testuser
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> As expected from the documentation, it does not work :p
>>
>> I then thought about trying to copy the migration plug-in, and change
>> the way it retrieves users (from LDIF rather than from an online LDAP
>> server). Since this plugin is able to  But again, even binding as
>> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
>> tested my code without the userPassword field and the users are
>> correctly inserted).
>>
>> Here is my code:
>>
>> import ldif                                # python-ldap LDIF parser
>> import ipalib
>> from ipapython.dn import DN
>> from ipaserver.plugins.ldap2 import ldap2  # module path for FreeIPA 4.x
>>
>> class ldif_importer(ldif.LDIFParser):
>>     '''Feed every entry of test.ldif to the IPA ldap2 backend'''
>>     def __init__(self, ldap_backend):
>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>         self.ldap = ldap_backend
>>
>>     def handle(self, dn, entry):
>>         # add_entry is what rejects entries carrying a userPassword value
>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>
>> class my_backend(ipalib.Backend):
>>     '''Backend to import ldap passwords from ldif'''
>>
>>     def __init__(self, api):
>>         ipalib.Backend.__init__(self, api)
>>         self.ldap = ldap2(self.api)
>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>                           bind_pw='***********')
>>
>>     def parse(self):
>>         importer = ldif_importer(self.ldap)
>>         importer.parse()
>>
>> class my_command(ipalib.Command):
>>     '''Command calling my_backend to import passwords from ldif'''
>>
>>     def execute(self, **options):
>>         '''Implemented against my_backend'''
>>         self.Backend.my_backend.parse()
>>         return {'result': 'everything OK'}
>>
>>
>> Should one of these methods have worked, and I did it incorrectly?
>> Otherwise, what would be the lower-impact solution to achieve this?
>> (Yes, I understand the security concerns about sending password hashes
>> over the network, but this choice does not depend on me)
>>
>> Many thanks in advance,
>> Sebastien.
>>
> The issue might be that the user has his userPassword migrated but he
> doesn't have a krbPrincipalKey generated. If the Kerberos key is missing then
> it is automatically generated on successful LDAP bind (it's what the
> ipa/migration page does)
>
> Additional info which might interest you:
> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
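An added example, not code from this thread, for the state Petr describes: it parses an LDIF export with only the standard library (no python-ldap) and lists users whose entry carries a pre-encoded userPassword but no krbPrincipalKey, i.e. accounts that will keep failing kinit until a successful LDAP bind generates their Kerberos key. The attribute names are the real IPA/389-ds ones; the uids, the sample LDIF and the hash values are constructed.

```python
"""Audit an IPA user LDIF for migrated passwords that still lack a Kerberos key."""
import base64
from typing import Dict, List

# Constructed sample export: alice has a key, bob has only the LDAP hash,
# carol has no password at all. Hash values are placeholders, not real digests.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword: {MD5}AAAAAAAAAAAAAAAAAAAAAA==
krbPrincipalKey:: AAECAw==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword:: e1NTSEF9ZGVhZGJlZWY=

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""

def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Minimal LDIF reader: 'attr: value', 'attr:: base64' and folded
    continuation lines (leading space). Attribute names are lower-cased."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    entries: List[Dict[str, List[bytes]]] = []
    current: Dict[str, List[bytes]] = {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # '::' marks a base64-encoded value
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode()
        current.setdefault(name.lower(), []).append(data)
    return entries

def is_pre_encoded(password: bytes) -> bool:
    """True for RFC 2307 '{SCHEME}hash' values, the form IPA rejects with
    'Pre-Encoded passwords are not valid' outside migration mode."""
    return password.startswith(b"{") and b"}" in password

def users_missing_kerberos_key(entries: List[Dict[str, List[bytes]]]) -> List[str]:
    """uids with a pre-encoded userPassword but no krbPrincipalKey attribute."""
    flagged = []
    for entry in entries:
        hashed = any(is_pre_encoded(p) for p in entry.get("userpassword", []))
        if hashed and "krbprincipalkey" not in entry:
            flagged.append(entry["uid"][0].decode())
    return flagged
```

Run it against a real export (`ldapsearch -LLL -b cn=users,cn=accounts,... uid userPassword krbPrincipalKey` as Directory Manager) to see which migrated accounts still need a successful LDAP bind.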