Hello Rob,

The indicated method was unsuccessful, but I found another way to do it :)

Here is a summary of my unsuccessful tests :

➜  ~ ipa user-add testuser --first=test --last=user --setattr 
userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
-------------------------------
Utilisateur « testuser » ajouté
-------------------------------


Now I am able to log as /testuser /. Yet, despite having added admin as
a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config

➜  ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b 
cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passsyncmanagersdns: cn=Directory Manager
passsyncmanagersdns: 
uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr

 I still get an error when trying to set pre-hashed passwords :

➜  ~ cat change_testuser_passwd.ldif

dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr

changetype: modify

replace: userpassword

userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

➜  ~ ldapmodify -D 
"uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < 
change_testuser_passwd.ldif

Enter LDAP Password:

modifying entry 
"uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"

ldap_modify: Constraint violation (19)

    additional info: Pre-Encoded passwords are not valid


However, I noted that using ldappasswd does the job, /even without
having set passSyncManagerDNs.

/It is not as clean as if I could have use freeipa API to change
passwords, but for lack of better, it will do the job.

Le 22/07/2016 à 20:47, Rob Crittenden a écrit :
> Sébastien Julliot wrote:
>> Hi Petr,
>>
>>
>> Thanks for the documentations. I already had followed the steps from the
>> NIS migration page, it works, but does not solve my problem, which is to
>> change *already existing users* passwords.
>>
>> When trying
>>
>> ipa user-mod testuser --setattr
>> userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>
>> I get "Pre-Encoded passwords are not valid"
>
> Look at the first link Petr sent you. There is a password sync manager
> setting that should be able to insert pre-hashed passwords.
>
> rob
>
>>
>>
>>
>> Le 22/07/2016 à 15:08, Petr Vobornik a écrit :
>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>> Hello everyone,
>>>>
>>>> I am currently trying to deploy FreeIPA as the new idm system in my
>>>> university but came across a problem I could not solve yet. I need to
>>>> bypass the pre-hashed passwords verification, not only on the user
>>>> creation.
>>>>
>>>> Due to several constraints, our workflow involves periodically (once a
>>>> day, currently) receiving an ldif file containing the users up-to-date
>>>> informations, (including hashed passwords) and inserting this
>>>> informations into the idm. As our goal is to unify users passwords in
>>>> the university but do not have access to the higher-level LDAP
>>>> directly,
>>>> we injected this pre-hashed passwords directly into the LDAP until
>>>> today.
>>>>
>>>> Yet, every attempt I made to update users passwords with pre-hashed
>>>> passwords failed for now.
>>>>
>>>> First I tried this (migration mode enabled):
>>>>
>>>> ➜  ~ ipa user-add testuser --first=test --last=user --setattr
>>>> userpassword='{MD5}*********************'
>>>>
>>>> /*OK*/
>>>>
>>>> ➜  ~ kinit testuser
>>>>
>>>> kinit: Generic preauthentication failure while getting initial
>>>> credentials
>>>>
>>>> As expected from the documentation, it does not work :p
>>>>
>>>> I then thought about trying to copy the migration plug-in, and change
>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>> server). Since this plugin is able to  But again, event binding as
>>>> Directory Manager, the ipa ldap2 backend method add_entry refuses
>>>> me (I
>>>> tested my code without the userPassword field and the users are
>>>> correctly inserted).
>>>>
>>>> Here is my code :
>>>>
>>>> class ldif_importer(ldif.LDIFParser):
>>>>      def __init__(self, ldap_backend):
>>>>          ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>          self.ldap = ldap_backend
>>>>
>>>>      def handle(self, dn, entry):
>>>>          self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>
>>>> class my_backend(ipalib.Backend):
>>>>      '''Backend to import ldap passwords from ldif'''
>>>>
>>>>      def __init__(self, api):
>>>>          ipalib.Backend.__init__(self, api)
>>>>          self.ldap = ldap2(self.api)
>>>>          self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>> bind_pw='***********')
>>>>
>>>>      def parse(self):
>>>>          importer = ldif_importer(self.ldap)
>>>>          importer.parse()
>>>>
>>>> class my_command(ipalib.Command):
>>>>      '''Command calling my_backend to import passwords from ldif'''
>>>>
>>>>      def execute(self, **options):
>>>>          '''Implemented against my_backend'''
>>>>          self.Backend.my_backend.parse()
>>>>          return {'result': 'everything OK'}
>>>>
>>>>
>>>> Should one of these methods have worked, and I did it incorrectly ?
>>>> Otherwise, what would be the lower-impact solution to achieve this ?
>>>> (Yes, I understand the security concerns about sending passwords
>>>> hashes
>>>> on the network but this choice does not depend on me)
>>>>
>>>> Many thanks in advance,
>>>> Sebastien.
>>>>
>>> I issue might be that the user has his userPassword migrated but he
>>> doesn't have krbPrincipalKey generated. If kerberos key is missing then
>>> it is automatically generated on successful LDAP bind (it's what
>>> ipa/migration page does)
>>>
>>> Additional info which might interest you:
>>> *
>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>>
>>> *
>>> http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>
>>
>

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to