Re: [Freeipa-users] 4.0.0 password migration trouble
> Note that fixed 389-ds-base is now available in Fedora 20 updates-testing
> repo:
>
> https://admin.fedoraproject.org/updates/FEDORA-2014-8709/389-ds-base-1.3.2.20-1.fc20
>
> If you install that + switch cn=config's nsslapd-allow-hashed-passwords
> attribute to "on", you will be able to finish the migration. FreeIPA patch to
> enable that permanently was submitted.

Worked like a charm! Thanks a million! Updated ticket with same. :)

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] 4.0.0 password migration trouble
On 07/21/2014 07:28 PM, Nordgren, Bryce L -FS wrote:
>
>> I will work with DS team to backport the switch option to Fedora 20
>> 389-ds-base and to release FreeIPA 4.0.1 with appropriate patch to fix
>> this problem ASAP, ideally this week.
>
> Thanks much, Martin!

Note that fixed 389-ds-base is now available in Fedora 20 updates-testing repo:

https://admin.fedoraproject.org/updates/FEDORA-2014-8709/389-ds-base-1.3.2.20-1.fc20

If you install that + switch cn=config's nsslapd-allow-hashed-passwords attribute to "on", you will be able to finish the migration. FreeIPA patch to enable that permanently was submitted.

HTH,
Martin
Re: [Freeipa-users] 4.0.0 password migration trouble
> I will work with DS team to backport the switch option to Fedora 20
> 389-ds-base and to release FreeIPA 4.0.1 with appropriate patch to fix
> this problem ASAP, ideally this week.

Thanks much, Martin!
Re: [Freeipa-users] 4.0.0 password migration trouble
On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
>
>> So if I understand the 389-ds ticket correctly, I can add pre-hashed
>> passwords via ldapmodify to the 389 server using directory manager as the
>> bind dn? I just can't use the ipa command line tool/script.
>
> The short answer is "no". Trying to add the userPassword attribute with
> ldapmodify binding as "cn=directory manager" fails with operation error.
>
> Error log attached to the ticket Rob made:
> https://fedorahosted.org/freeipa/ticket/4450
>
> To summarize:
>
> No password migration via "ipa migrate-ds";
> No password migration via "ipa user-add --setattr userPassword={SHA}...";
> No password migration via 'ldapmodify -D "cn=directory manager"'.
>
> Do you think a solution will be forthcoming, or is it a ways off? I can
> leave my old ldap directory up for a little while.

I did a couple of tests with a custom build of 389-ds-base and I got the migration working after switching the new configuration option. See details and the transcript in the ticket:

https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with DS team to backport the switch option to Fedora 20 389-ds-base and to release FreeIPA 4.0.1 with appropriate patch to fix this problem ASAP, ideally this week.

Thanks for your patience,
Martin
Re: [Freeipa-users] 4.0.0 password migration trouble
> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
> via ldapmodify to the 389 server using directory manager as the bind dn? I
> just can't use the ipa command line tool/script.

The short answer is "no". Trying to add the userPassword attribute with ldapmodify binding as "cn=directory manager" fails with operation error.

Error log attached to the ticket Rob made:
https://fedorahosted.org/freeipa/ticket/4450

To summarize:

No password migration via "ipa migrate-ds";
No password migration via "ipa user-add --setattr userPassword={SHA}...";
No password migration via 'ldapmodify -D "cn=directory manager"'.

Do you think a solution will be forthcoming, or is it a ways off? I can leave my old ldap directory up for a little while.

Bryce
Re: [Freeipa-users] 4.0.0 password migration trouble
>> It didn't. My message to the list was the initial "is this a bug or am I
>> being dumb?" question. Until now, there was no response.
>
> There were two responses, from Petr and myself in the thread titled
> "Migrating from a hybrid web/posix LDAP"

My bad. I missed them somehow. The centos list was spewing venom last weekend and I did a lot of bulk deleting. Apparently not very carefully.

So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords via ldapmodify to the 389 server using directory manager as the bind dn? I just can't use the ipa command line tool/script.

Excellent.

Bryce

PS: The one host I enrolled in my new ipa realm is running centos 7. Worked great.
Re: [Freeipa-users] 4.0.0 password migration trouble
Nordgren, Bryce L -FS wrote:
>
>>> That was me, but the context was 'ipa user-add' with a password hash
>>> rather than migrate-ds. Although it makes sense that 389 ds would act the
>>> same regardless of how I attempt to store the password. How can I check to
>>> see whether the passwords made it to freeipa? The migrate-ds script didn't
>>> complain, but I don't know where to look for logfiles.
>>
>> I don't think a bug ever got logged for that, at least I can't find one.
>> Can you confirm? If not I'll get one logged.
>
> It didn't. My message to the list was the initial "is this a bug or am I
> being dumb?" question. Until now, there was no response.

There were two responses, from Petr and myself in the thread titled "Migrating from a hybrid web/posix LDAP".

I opened ticket https://fedorahosted.org/freeipa/ticket/4450. I think this is a 389-ds bug so we may need to wait until their next release, but in any case we should have caught this before pushing out IPA 4.0 IMHO.

> No reported errors during migration, but a bunch of warnings:
>
> [Thu Jul 17 11:21:37.703752 2014] [:error] [pid 4534] ipa: WARNING: GID
> number 65534 of migrated user SOMEUSER does not point to a known group.

Ok, that is unrelated. It just means that for some users their GID value pointed to a non-existent group.

> Turns out admin and test.user have userPassword and nobody else does. So:
> only accounts which were created by the server install or for which I
> manually reset the password.

Ok, that explains the error 48 then.

rob
Re: [Freeipa-users] 4.0.0 password migration trouble
>> That was me, but the context was 'ipa user-add' with a password hash
>> rather than migrate-ds. Although it makes sense that 389 ds would act the
>> same regardless of how I attempt to store the password. How can I check to
>> see whether the passwords made it to freeipa? The migrate-ds script didn't
>> complain, but I don't know where to look for logfiles.
>
> I don't think a bug ever got logged for that, at least I can't find one.
> Can you confirm? If not I'll get one logged.

It didn't. My message to the list was the initial "is this a bug or am I being dumb?" question. Until now, there was no response.

No reported errors during migration, but a bunch of warnings:

[Thu Jul 17 11:21:37.703752 2014] [:error] [pid 4534] ipa: WARNING: GID number 65534 of migrated user SOMEUSER does not point to a known group.

Turns out admin and test.user have userPassword and nobody else does. So: only accounts which were created by the server install or for which I manually reset the password.

Bryce
Re: [Freeipa-users] 4.0.0 password migration trouble
Nordgren, Bryce L -FS wrote:
>
>> Someone has reported an issue with password migration where 389-ds is
>> rejecting the passwords with: passwords with storage scheme are not
>> allowed. That may be part of the problem.
>
> That was me, but the context was 'ipa user-add' with a password hash rather
> than migrate-ds. Although it makes sense that 389 ds would act the same
> regardless of how I attempt to store the password. How can I check to see
> whether the passwords made it to freeipa? The migrate-ds script didn't
> complain, but I don't know where to look for logfiles.

I don't think a bug ever got logged for that, at least I can't find one. Can you confirm? If not I'll get one logged.

The log file for the migration is in /var/log/httpd/error_log.

To see if passwords migrated, pick a migrated user and do a search as Directory Manager for the userPassword attribute:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b uid=someuser,cn=users,cn=accounts,dc=example,dc=com userPassword

rob
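Rob's ldapsearch tells you, one user at a time, whether an entry carries a userPassword. The script below is an added example, not code from FreeIPA, 389-ds or anyone in this thread. It parses the LDIF that such a search prints over a whole container (handling folded continuation lines and the base64 "attr::" form ldapsearch uses for userPassword), reports for every entry whether it has a password and which storage scheme it uses, lists the users that will hit "Inappropriate authentication (48)" on a simple bind, and verifies a {SHA} or {SSHA} value against a known password offline so you can confirm a migrated hash is intact. All DNs, the dc=example,dc=com suffix and every password value are constructed for the example; the {SHA} value is SHA-1 of the string "test".

```python
"""Audit userPassword values in an LDIF dump before or after ipa migrate-ds.

Added example, not FreeIPA or 389-ds code. All data below is constructed.
"""
import base64
import hashlib
import re

# {SCHEME}payload, the prefix form 389-ds and OpenLDAP use for hashed values
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) parsed from LDIF.

    Handles folded lines (a continuation line starts with one space),
    base64 values ("attr:: ...", which is how ldapsearch prints userPassword)
    and multi-valued attributes.
    """
    unfolded = re.sub(r"\n ", "", text)          # join continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def audit_passwords(entries):
    """Map each DN to "SSHA"/"SHA"/"CRYPT"/..., "CLEARTEXT", or None.

    None means no userPassword at all: that entry fails a simple bind with
    error 48. A {SCHEME} prefix is what 389-ds refuses to store as
    "passwords with storage scheme are not allowed" until
    nsslapd-allow-hashed-passwords is on.
    """
    report = {}
    for dn, attrs in entries:
        values = attrs.get("userpassword", [])
        if not values:
            report[dn] = None
            continue
        m = SCHEME_RE.match(values[0])
        report[dn] = m.group(1).upper() if m else "CLEARTEXT"
    return report


def missing_passwords(report):
    """DNs without a userPassword; these need a reset or a re-migration."""
    return sorted(dn for dn, scheme in report.items() if scheme is None)


def verify_sha_family(stored, candidate):
    """Check a {SHA} or {SSHA} value against a candidate password, offline.

    {SHA}  = base64(sha1(pw)); {SSHA} = base64(sha1(pw + salt) + salt), the
    salt being whatever follows the 20-byte digest. Other schemes -> None.
    """
    m = SCHEME_RE.match(stored)
    if not m or m.group(1).upper() not in ("SHA", "SSHA"):
        return None
    payload, pw = base64.b64decode(m.group(2)), candidate.encode()
    if m.group(1).upper() == "SHA":
        return hashlib.sha1(pw).digest() == payload
    digest, salt = payload[:20], payload[20:]
    return hashlib.sha1(pw + salt).digest() == digest


# Constructed sample of what "ldapsearch -x -D 'cn=Directory Manager' -W
# -b cn=users,cn=accounts,dc=example,dc=com userPassword" could print.
# The {SSHA} value is built from the password "test" and a fixed salt so the
# verifier has something real to check; the {SHA} value is sha1("test").
_SALT = b"\x01\x02\x03\x04"
_SSHA_TEST = "{SSHA}" + base64.b64encode(
    hashlib.sha1(b"test" + _SALT).digest() + _SALT).decode()
SAMPLE_LDIF = f"""\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
userPassword:: {base64.b64encode(_SSHA_TEST.encode()).decode()}

dn: uid=test.user,cn=users,cn=accounts,dc=example,dc=com
userPassword: {{SHA}}qUqP5cyxm6YcTAhz05Hph5g
 vu9M=

dn: uid=migrated1,cn=users,cn=accounts,dc=example,dc=com

dn: uid=migrated2,cn=users,cn=accounts,dc=example,dc=com
userPassword: {{CRYPT}}$6$constructedsalt$notarealhash

dn: uid=migrated3,cn=users,cn=accounts,dc=example,dc=com
userPassword: hunter2
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    report = audit_passwords(entries)
    for dn, scheme in report.items():
        print(f"{scheme or 'NO userPassword':<15} {dn}")
    print("users that cannot bind:", missing_passwords(report))
    stored = dict(entries)["uid=test.user,cn=users,cn=accounts,dc=example,dc=com"]["userpassword"][0]
    print("test.user hash matches 'test':", verify_sha_family(stored, "test"))
```

Against a real server, redirect the same ldapsearch (run against the whole cn=users container rather than one uid) to a file and pass its contents to parse_ldif. Run it on the old directory's export before migrating as well: that tells you up front which accounts have no password to migrate and which schemes the target has to accept. {SHA} and other unsalted or cleartext values are weak; the audit output is also the list of users to push toward a password change once migration works.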
Re: [Freeipa-users] 4.0.0 password migration trouble
> Someone has reported an issue with password migration where 389-ds is
> rejecting the passwords with: passwords with storage scheme are not
> allowed. That may be part of the problem.

That was me, but the context was 'ipa user-add' with a password hash rather than migrate-ds. Although it makes sense that 389 ds would act the same regardless of how I attempt to store the password. How can I check to see whether the passwords made it to freeipa? The migrate-ds script didn't complain, but I don't know where to look for logfiles.

Thanks,
Bryce
Re: [Freeipa-users] 4.0.0 password migration trouble
Nordgren, Bryce L -FS wrote:
> DNS is fixed, 4.0.0 is installed, and my external users have been
> migrated from an LDAP store via the migrate-ds script.
>
> The password migration page keeps telling me that the password or
> username I entered is incorrect. (username: test.user, password: test) I
> did not mistype this. I did set the minimum password length to 0, but
> not until after migrating my users.
>
> IPA forced me to reset the password for test.user, then kinit
> (attempting to login via sssd failed), then change the password before
> sssd logins and ldap binds started working. This is not an appropriate
> migration path for those users who primarily interact with web apps, so
> I need that migration page to work.
>
> The LDAP interface is also important to me, as I want to use this for
> web app authentication. As is, my migrated accounts are doing this:
>
> [root@fislstore ~]# ldapsearch -h ipa.usfs-i2.umt.edu -x -D
> 'uid=my_peeps,cn=users,cn=accounts,dc=usfs-i2,dc=umt,dc=edu' -W
> '(objectClass=posixAccount)' dn
> Enter LDAP Password:
> ldap_bind: Inappropriate authentication (48)

Are you sure the entry has a password set?

Someone has reported an issue with password migration where 389-ds is rejecting the passwords with: passwords with storage scheme are not allowed. That may be part of the problem.

rob
[Freeipa-users] 4.0.0 password migration trouble
DNS is fixed, 4.0.0 is installed, and my external users have been migrated from an LDAP store via the migrate-ds script.

The password migration page keeps telling me that the password or username I entered is incorrect. (username: test.user, password: test) I did not mistype this. I did set the minimum password length to 0, but not until after migrating my users.

IPA forced me to reset the password for test.user, then kinit (attempting to login via sssd failed), then change the password before sssd logins and ldap binds started working. This is not an appropriate migration path for those users who primarily interact with web apps, so I need that migration page to work.

The LDAP interface is also important to me, as I want to use this for web app authentication. As is, my migrated accounts are doing this:

[root@fislstore ~]# ldapsearch -h ipa.usfs-i2.umt.edu -x -D 'uid=my_peeps,cn=users,cn=accounts,dc=usfs-i2,dc=umt,dc=edu' -W '(objectClass=posixAccount)' dn
Enter LDAP Password:
ldap_bind: Inappropriate authentication (48)