On 25.7.2016 14:00, Sébastien Julliot wrote:
> Looks like I spoke too fast. Using ldappasswd, no problems with ldap
> queries.
>
> But kinit rejects my password ..

AFAIK this works only for LDAP ADD operation. Rob, do you remember?

Petr^2 Spacek

> On 25/07/2016 at 11:58, Sébastien Julliot wrote:
>> Hello Rob,
>>
>> The indicated method was unsuccessful, but I found another way to do it :)
>>
>> Here is a summary of my unsuccessful tests:
>> ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
>> -------------------------------
>> User "testuser" added
>> -------------------------------
>>
>> Now I am able to log in as testuser. Yet, despite having added admin
>> as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config
>> ➜ ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
>> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> passsyncmanagersdns: cn=Directory Manager
>> passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>>
>> I still get an error when trying to set pre-hashed passwords:
>> ➜ ~ cat change_testuser_passwd.ldif
>> dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
>> changetype: modify
>> replace: userpassword
>> userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
>> ➜ ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
>> Enter LDAP Password:
>> modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
>> ldap_modify: Constraint violation (19)
>> additional info: Pre-Encoded passwords are not valid
>>
>> However, I noted that using ldappasswd does the job, even without
>> having set passSyncManagerDNs.
>>
>> It is not as clean as if I could have used the FreeIPA API to change
>> passwords, but for lack of better, it will do the job.
>>
>> On 22/07/2016 at 20:47, Rob Crittenden wrote:
>>> Sébastien Julliot wrote:
>>>> Hi Petr,
>>>>
>>>> Thanks for the documentation. I had already followed the steps from the
>>>> NIS migration page; it works, but does not solve my problem, which is to
>>>> change *already existing users'* passwords.
>>>>
>>>> When trying
>>>>
>>>> ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>>>>
>>>> I get "Pre-Encoded passwords are not valid"
>>>
>>> Look at the first link Petr sent you. There is a password sync
>>> manager setting that should be able to insert pre-hashed passwords.
>>>
>>> rob
>>>
>>>> On 22/07/2016 at 15:08, Petr Vobornik wrote:
>>>>> On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
>>>>>> Hello everyone,
>>>>>>
>>>>>> I am currently trying to deploy FreeIPA as the new IdM system in my
>>>>>> university but came across a problem I could not solve yet. I need to
>>>>>> bypass the pre-hashed password verification, not only on user
>>>>>> creation.
>>>>>>
>>>>>> Due to several constraints, our workflow involves periodically (once a
>>>>>> day, currently) receiving an LDIF file containing the users' up-to-date
>>>>>> information (including hashed passwords) and inserting this
>>>>>> information into the IdM. As our goal is to unify users' passwords in
>>>>>> the university but we do not have access to the higher-level LDAP
>>>>>> directly, we injected these pre-hashed passwords directly into the LDAP
>>>>>> until today.
>>>>>>
>>>>>> Yet, every attempt I made to update user passwords with pre-hashed
>>>>>> passwords has failed so far.
>>>>>>
>>>>>> First I tried this (migration mode enabled):
>>>>>>
>>>>>> ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*********************'
>>>>>>
>>>>>> OK
>>>>>>
>>>>>> ➜ ~ kinit testuser
>>>>>>
>>>>>> kinit: Generic preauthentication failure while getting initial credentials
>>>>>>
>>>>>> As expected from the documentation, it does not work :p
>>>>>>
>>>>>> I then thought about trying to copy the migration plug-in, and change
>>>>>> the way it retrieves users (from LDIF rather than from an online LDAP
>>>>>> server). Since this plugin is able to
>>>>>> But again, even binding as Directory Manager, the ipa ldap2 backend
>>>>>> method add_entry refuses me (I tested my code without the userPassword
>>>>>> field and the users are correctly inserted).
>>>>>>
>>>>>> Here is my code:
>>>>>>
>>>>>> import ldif                                   # python-ldap's LDIF parser
>>>>>> import ipalib
>>>>>> from ipapython.dn import DN
>>>>>> from ipaserver.plugins.ldap2 import ldap2
>>>>>>
>>>>>>
>>>>>> class ldif_importer(ldif.LDIFParser):
>>>>>>     '''Feed every record of test.ldif straight into the ldap2 backend'''
>>>>>>
>>>>>>     def __init__(self, ldap_backend):
>>>>>>         ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
>>>>>>         self.ldap = ldap_backend
>>>>>>
>>>>>>     def handle(self, dn, entry):
>>>>>>         # entry is {attribute: [values]}; add_entry is the call that
>>>>>>         # rejects records carrying a userPassword value
>>>>>>         self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))
>>>>>>
>>>>>>
>>>>>> class my_backend(ipalib.Backend):
>>>>>>     '''Backend to import ldap passwords from ldif'''
>>>>>>
>>>>>>     def __init__(self, api):
>>>>>>         ipalib.Backend.__init__(self, api)
>>>>>>         self.ldap = ldap2(self.api)
>>>>>>         self.ldap.connect(bind_dn=DN('cn=Directory Manager'),
>>>>>>                           bind_pw='***********')
>>>>>>
>>>>>>     def parse(self):
>>>>>>         importer = ldif_importer(self.ldap)
>>>>>>         importer.parse()
>>>>>>
>>>>>>
>>>>>> class my_command(ipalib.Command):
>>>>>>     '''Command calling my_backend to import passwords from ldif'''
>>>>>>
>>>>>>     def execute(self, **options):
>>>>>>         '''Implemented against my_backend'''
>>>>>>         self.Backend.my_backend.parse()
>>>>>>         return {'result': 'everything OK'}
>>>>>>
>>>>>>
>>>>>> Should one of these methods have worked, and I did it incorrectly?
>>>>>> Otherwise, what would be the lower-impact solution to achieve this?
>>>>>> (Yes, I understand the security concerns about sending password
>>>>>> hashes on the network but this choice does not depend on me)
>>>>>>
>>>>>> Many thanks in advance,
>>>>>> Sebastien.
>>>>>>
>>>>> The issue might be that the user has his userPassword migrated but he
>>>>> doesn't have krbPrincipalKey generated. If the Kerberos key is missing
>>>>> then it is automatically generated on successful LDAP bind (it's what
>>>>> the ipa/migration page does)
>>>>>
>>>>> Additional info which might interest you:
>>>>> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
>>>>> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
>>>>>
>>>>
>>>
>>
>

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
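Added example, following the whole thread; it is not code from the thread and not FreeIPA's own code. It covers the data handling the thread does by hand: reading a daily LDIF feed of the kind Sébastien describes (including the "::" base64 form his change_testuser_passwd.ldif uses), checking offline that an RFC 2307 {MD5}/{SHA}/{SSHA} userPassword value actually matches a cleartext password, and emitting the "changetype: modify" record that he feeds to ldapmodify. The sample feed, the alice entry and the s3cret/saltsalt values are constructed; the testuser DN and hash are the ones from the thread. Nothing here talks to a directory, and whether the server accepts the result is exactly the thread's question: ipa_pwd_extop answers "Pre-Encoded passwords are not valid" (constraint violation 19) on a modify even from a passSyncManagersDNs bind, and an entry whose hash does get stored still has no krbPrincipalKey until a successful LDAP bind generates one, so kinit fails until then.

```python
"""Added example, not from the freeipa-users thread or from FreeIPA.

Reads an LDIF feed carrying pre-hashed userPassword values, verifies
RFC 2307 {MD5}/{SHA}/{SSHA} hashes offline, and writes the per-user
'replace: userpassword' LDIF that ldapmodify would consume.
"""
import base64
import hashlib
import hmac
import os
import re

# Constructed sample feed in the shape the thread describes. The testuser
# value is the thread's own hash (base64-wrapped, as in its LDIF); alice's
# {MD5} value is md5("password") and is made up for this example.
SAMPLE_FEED = """\
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
objectClass: inetOrgPerson
uid: testuser
userPassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

dn: uid=alice,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
objectClass: inetOrgPerson
uid: alice
userPassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
"""


def parse_ldif(text):
    """Minimal RFC 2849 reader: returns [(dn, {attr_lower: [values]})].

    Handles folded lines (leading space) and '::' base64 values; URL
    values ('<') are refused rather than fetched.
    """
    records = []
    unfolded = re.sub(r"\r?\n ", "", text)          # join continuation lines
    for block in re.split(r"\r?\n\s*\r?\n", unfolded):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            elif rest.startswith("<"):
                raise ValueError("URL-valued attribute not supported: " + name)
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            records.append((dn, attrs))
    return records


def verify_rfc2307(password, stored):
    """Constant-time check of a cleartext password against {MD5}/{SHA}/{SSHA}."""
    m = re.fullmatch(r"\{([A-Za-z0-9]+)\}(\S+)", stored)
    if not m:
        raise ValueError("not a scheme-prefixed RFC 2307 value")
    scheme, raw = m.group(1).upper(), base64.b64decode(m.group(2))
    pw = password.encode("utf-8")
    if scheme == "MD5":
        expected = hashlib.md5(pw).digest()
    elif scheme == "SHA":
        expected = hashlib.sha1(pw).digest()
    elif scheme == "SSHA":
        salt = raw[20:]                      # SHA-1 digest, then the salt
        expected = hashlib.sha1(pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme " + scheme)
    return hmac.compare_digest(raw, expected)


def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd does (digest || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ldif_line(attr, value, force_b64=False):
    """Emit 'attr: value', or 'attr:: base64' when RFC 2849 requires it."""
    unsafe = (not value or value[0] in " :<" or not value.isascii()
              or any(c in value for c in "\r\n\0"))
    if force_b64 or unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def build_modify_ldif(dn, hashed):
    """The 'replace: userpassword' record the thread feeds to ldapmodify.

    The hash is always base64-wrapped, as in the thread's file, so that
    '{', '=' and '/' inside it can never be misread by a tool or a human.
    """
    return "\n".join([ldif_line("dn", dn), "changetype: modify",
                      "replace: userpassword",
                      ldif_line("userpassword", hashed, force_b64=True)]) + "\n"


def modify_ldif_from_feed(feed):
    """One modify record per hashed userPassword found in the feed."""
    changes = []
    for dn, attrs in parse_ldif(feed):
        for value in attrs.get("userpassword", []):
            if not re.match(r"\{[A-Za-z0-9]+\}", value):
                raise ValueError("%s: userPassword is not pre-hashed" % dn)
            changes.append(build_modify_ldif(dn, value))
    return "\n".join(changes)


if __name__ == "__main__":
    print(modify_ldif_from_feed(SAMPLE_FEED), end="")
```

Running it prints the two modify records; the first one is byte-for-byte the change_testuser_passwd.ldif from the thread. verify_rfc2307 is the check worth running over a feed before importing it: a value that fails against a known test password means the feed's hashing scheme is not what the directory will assume, and no amount of passSyncManagersDNs configuration will make such a hash usable.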