Hi Petr,

Thanks for the documentations. I already had followed the steps from the
NIS migration page, it works, but does not solve my problem, which is to
change *already existing users* passwords.

When trying

ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='

I get "Pre-Encoded passwords are not valid"

Le 22/07/2016 à 15:08, Petr Vobornik a écrit :
> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>> Hello everyone,
>> I am currently trying to deploy FreeIPA as the new idm system in my
>> university but came across a problem I could not solve yet. I need to
>> bypass the pre-hashed passwords verification, not only on the user creation.
>> Due to several constraints, our workflow involves periodically (once a
>> day, currently) receiving an ldif file containing the users up-to-date
>> informations, (including hashed passwords) and inserting this
>> informations into the idm. As our goal is to unify users passwords in
>> the university but do not have access to the higher-level LDAP directly,
>> we injected this pre-hashed passwords directly into the LDAP until today.
>> Yet, every attempt I made to update users passwords with pre-hashed
>> passwords failed for now.
>> First I tried this (migration mode enabled):
>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr 
>> userpassword='{MD5}*********************'
>> /*OK*/
>> ➜  ~ kinit testuser
>> kinit: Generic preauthentication failure while getting initial credentials
>> As expected from the documentation, it does not work :p
>> I then thought about trying to copy the migration plug-in, and change
>> the way it retrieves users (from LDIF rather than from an online LDAP
>> server). Since this plugin is able to  But again, event binding as
>> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
>> tested my code without the userPassword field and the users are
>> correctly inserted).
>> Here is my code :
>> class ldif_importer(ldif.LDIFParser):
>>     def __init__(self, ldap_backend):
>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>         self.ldap = ldap_backend
>>     def handle(self, dn, entry):
>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>> class my_backend(ipalib.Backend):
>>     '''Backend to import ldap passwords from ldif'''
>>     def __init__(self, api):
>>         ipalib.Backend.__init__(self, api)
>>         self.ldap = ldap2(self.api)
>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'), 
>> bind_pw='***********')
>>     def parse(self):
>>         importer = ldif_importer(self.ldap)
>>         importer.parse()
>> class my_command(ipalib.Command):
>>     '''Command calling my_backend to import passwords from ldif'''
>>     def execute(self, **options):
>>         '''Implemented against my_backend'''
>>         self.Backend.my_backend.parse()
>>         return {'result': 'everything OK'}
>> Should one of these methods have worked, and I did it incorrectly ?
>> Otherwise, what would be the lower-impact solution to achieve this ?
>> (Yes, I understand the security concerns about sending passwords hashes
>> on the network but this choice does not depend on me)
>> Many thanks in advance,
>> Sebastien.
> I issue might be that the user has his userPassword migrated but he
> doesn't have krbPrincipalKey generated. If kerberos key is missing then
> it is automatically generated on successful LDAP bind (it's what
> ipa/migration page does)
> Additional info which might interest you:
> *
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to