Hi Petr,
Thanks for the documentation. I had already followed the steps from the NIS migration page; it works, but does not solve my problem, which is to change *already existing users'* passwords. When trying

    ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='

I get "Pre-Encoded passwords are not valid".

On 22/07/2016 15:08, Petr Vobornik wrote:
> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>> Hello everyone,
>>
>> I am currently trying to deploy FreeIPA as the new idm system in my
>> university but came across a problem I could not solve yet. I need to
>> bypass the pre-hashed password verification, not only on user creation.
>>
>> Due to several constraints, our workflow involves periodically (once a
>> day, currently) receiving an ldif file containing the users' up-to-date
>> information (including hashed passwords) and inserting this
>> information into the idm. As our goal is to unify users' passwords in
>> the university but we do not have access to the higher-level LDAP directly,
>> we injected these pre-hashed passwords directly into the LDAP until today.
>>
>> Yet, every attempt I made to update users' passwords with pre-hashed
>> passwords has failed so far.
>>
>> First I tried this (migration mode enabled):
>>
>> ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>
>> /*OK*/
>>
>> ➜ ~ kinit testuser
>>
>> kinit: Generic preauthentication failure while getting initial credentials
>>
>> As expected from the documentation, it does not work :p
>>
>> I then thought about trying to copy the migration plug-in, and change
>> the way it retrieves users (from LDIF rather than from an online LDAP
>> server). Since this plugin is able to But again, even binding as
>> Directory Manager, the ipa ldap2 backend method add_entry refuses me (I
>> tested my code without the userPassword field and the users are
>> correctly inserted).
>>
>> Here is my code:
>>
>> # imports (not in the original mail) for the names used below
>> import ldif                                   # python-ldap's LDIF parser
>> import ipalib
>> from ipapython.dn import DN
>> from ipaserver.plugins.ldap2 import ldap2
>>
>> class ldif_importer(ldif.LDIFParser):
>>     def __init__(self, ldap_backend):
>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>         self.ldap = ldap_backend
>>
>>     def handle(self, dn, entry):
>>         # called once per LDIF record; entry is {attr: [values]}
>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>
>> class my_backend(ipalib.Backend):
>>     '''Backend to import ldap passwords from ldif'''
>>
>>     def __init__(self, api):
>>         ipalib.Backend.__init__(self, api)
>>         self.ldap = ldap2(self.api)
>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>                           bind_pw='***********')
>>
>>     def parse(self):
>>         importer = ldif_importer(self.ldap)
>>         importer.parse()
>>
>> class my_command(ipalib.Command):
>>     '''Command calling my_backend to import passwords from ldif'''
>>
>>     def execute(self, **options):
>>         '''Implemented against my_backend'''
>>         self.Backend.my_backend.parse()
>>         return {'result': 'everything OK'}
>>
>> Should one of these methods have worked, and I did it incorrectly?
>> Otherwise, what would be the lower-impact solution to achieve this?
>> (Yes, I understand the security concerns about sending password hashes
>> over the network but this choice does not depend on me)
>>
>> Many thanks in advance,
>> Sebastien.
>>
> The issue might be that the user has his userPassword migrated but he
> doesn't have krbPrincipalKey generated. If the Kerberos key is missing then
> it is automatically generated on successful LDAP bind (it's what the
> ipa/migration page does)
>
> Additional info which might interest you:
> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
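As an added example (not code from the thread or from FreeIPA), here is a small dependency-free parser for the kind of daily LDIF feed Sébastien describes; it records the userPassword hash scheme of each entry and flags unsalted schemes such as {MD5}, so such values can be caught before anything is pushed into the directory. The LDIF text and the {SSHA} value are constructed, and the set of schemes treated as weak is an assumption.

```python
import base64
import re

# Constructed sample LDIF (not from the thread): a plain {MD5} value, a base64 ("::") value, a folded line.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=example,dc=com
userPassword: {MD5}G3TITOeG1vuPf/IJyhw8WA==

dn: uid=alice,ou=people,dc=example,dc=com
userPassword:: e1NTSEF9YWJj
description: a very long
  description folded onto two lines
"""

LINE_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
WEAK_SCHEMES = {"MD5", "SHA", "CLEAR"}  # unsalted digests or cleartext (assumed set)


def parse_ldif(text):
    """Minimal LDIF content parser: returns [(dn, {attr: [values]}), ...]."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        # Unfold continuation lines (newline followed by a single space).
        for line in re.sub(r"\n ", "", block).split("\n"):
            m = LINE_RE.match(line)
            if not m:
                continue  # comment lines and anything else not modelled
            name, sep, value = m.groups()
            if sep == "::":  # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def audit_passwords(text):
    """Map dn -> (scheme, is_weak); 'CLEAR' means no {SCHEME} prefix at all."""
    report = {}
    for dn, attrs in parse_ldif(text):
        for name, values in attrs.items():
            if name.lower() == "userpassword":
                m = SCHEME_RE.match(values[0])
                scheme = m.group(1).upper() if m else "CLEAR"
                report[dn] = (scheme, scheme in WEAK_SCHEMES)
    return report
```

Running audit_passwords over the feed before the import step gives a per-entry verdict, so a weak or cleartext value can be rejected instead of silently stored.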