Re: [Freeipa-users] Bypass pre-hashed passwords verification
Sébastien Julliot wrote:
> Looks like I spoke too fast. Using ldappasswd, no problems with ldap
> queries.
>
> But kinit rejects my password ..

That is expected. You changed to a pre-hashed password (potentially) so how can IPA generate Kerberos credentials?

I think ldappasswd working is a bug. IPA is designed to be the central identity source, so it needs to own passwords. You can import using an LDAP add pre-hashed passwords that can be migrated. You can't do an LDAP mod to set a pre-hashed password, even as a passsync mgr.

rob
Re: [Freeipa-users] Bypass pre-hashed passwords verification
On 25.7.2016 14:00, Sébastien Julliot wrote:
> Looks like I spoke too fast. Using ldappasswd, no problems with ldap
> queries.
>
> But kinit rejects my password ..

AFAIK this works only for LDAP ADD operation. Rob, do you remember?

Petr^2 Spacek
Re: [Freeipa-users] Bypass pre-hashed passwords verification
Looks like I spoke too fast. Using ldappasswd, no problems with ldap queries.

But kinit rejects my password ..

On 25/07/2016 at 11:58, Sébastien Julliot wrote:
> However, I noted that using ldappasswd does the job, even without
> having set passSyncManagerDNs.
>
> It is not as clean as if I could have used the freeipa API to change
> passwords, but for lack of better, it will do the job.
Re: [Freeipa-users] Bypass pre-hashed passwords verification
Hello Rob,

The indicated method was unsuccessful, but I found another way to do it :)

Here is a summary of my unsuccessful tests:

    ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}8UBIfmQu5CpHAAniVJWPrQ=='
    ---
    Utilisateur « testuser » ajouté
    ---

Now I am able to log in as testuser. Yet, despite having added admin as a passSyncManagersDns to cn=ipa_pwd_extop,cn=plugins,cn=config

    ➜ ~ ldapsearch -LLL -D "cn=Directory Manager" -W -b cn=ipa_pwd_extop,cn=plugins,cn=config -s base passsyncmanagersdns
    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
    passsyncmanagersdns: cn=Directory Manager
    passsyncmanagersdns: uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr

I still get an error when trying to set pre-hashed passwords:

    ➜ ~ cat change_testuser_passwd.ldif
    dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
    changetype: modify
    replace: userpassword
    userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=

    ➜ ~ ldapmodify -D "uid=admin,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr" -W < change_testuser_passwd.ldif
    Enter LDAP Password:
    modifying entry "uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"
    ldap_modify: Constraint violation (19)
            additional info: Pre-Encoded passwords are not valid

However, I noted that using ldappasswd does the job, even without having set passSyncManagerDNs.

It is not as clean as if I could have used the freeipa API to change passwords, but for lack of better, it will do the job.

On 22/07/2016 at 20:47, Rob Crittenden wrote:
> Look at the first link Petr sent you. There is a password sync
> manager setting that should be able to insert pre-hashed passwords.
>
> rob
Re: [Freeipa-users] Bypass pre-hashed passwords verification
Sébastien Julliot wrote:
> Hi Petr,
>
> Thanks for the documentation. I already had followed the steps from the
> NIS migration page, it works, but does not solve my problem, which is to
> change *already existing users* passwords.
>
> When trying
>
> ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='
>
> I get "Pre-Encoded passwords are not valid"

Look at the first link Petr sent you. There is a password sync manager setting that should be able to insert pre-hashed passwords.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Bypass pre-hashed passwords verification
Hi Petr,

Thanks for the documentation. I already had followed the steps from the NIS migration page, it works, but does not solve my problem, which is to change *already existing users* passwords.

When trying

    ipa user-mod testuser --setattr userpassword='{MD5}G3TITOeG1vuPf/IJyhw8WA=='

I get "Pre-Encoded passwords are not valid"

On 22/07/2016 at 15:08, Petr Vobornik wrote:
> The issue might be that the user has his userPassword migrated but he
> doesn't have krbPrincipalKey generated. If kerberos key is missing then
> it is automatically generated on successful LDAP bind (it's what
> ipa/migration page does)
>
> Additional info which might interest you:
> * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
> * http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
Re: [Freeipa-users] Bypass pre-hashed passwords verification
On 07/22/2016 11:42 AM, Sébastien Julliot wrote:
> First I tried this (migration mode enabled):
>
> ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*'
>
> OK
>
> ➜ ~ kinit testuser
>
> kinit: Generic preauthentication failure while getting initial credentials
>
> As expected from the documentation, it does not work :p

The issue might be that the user has his userPassword migrated but he doesn't have krbPrincipalKey generated. If kerberos key is missing then it is automatically generated on successful LDAP bind (it's what ipa/migration page does)

Additional info which might interest you:
* https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/pass-sync.html#password-sync
* http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

--
Petr Vobornik
[Freeipa-users] Bypass pre-hashed passwords verification
Hello everyone,

I am currently trying to deploy FreeIPA as the new idm system in my university but came across a problem I could not solve yet. I need to bypass the pre-hashed passwords verification, not only on the user creation.

Due to several constraints, our workflow involves periodically (once a day, currently) receiving an ldif file containing the users' up-to-date information (including hashed passwords) and inserting this information into the idm. As our goal is to unify users' passwords in the university but we do not have access to the higher-level LDAP directly, we injected these pre-hashed passwords directly into the LDAP until today.

Yet, every attempt I made to update users' passwords with pre-hashed passwords has failed for now.

First I tried this (migration mode enabled):

    ➜ ~ ipa user-add testuser --first=test --last=user --setattr userpassword='{MD5}*'

OK

    ➜ ~ kinit testuser
    kinit: Generic preauthentication failure while getting initial credentials

As expected from the documentation, it does not work :p

I then thought about trying to copy the migration plug-in, and change the way it retrieves users (from LDIF rather than from an online LDAP server). Since this plugin is able to But again, even binding as Directory Manager, the ipa ldap2 backend method add_entry refuses me (I tested my code without the userPassword field and the users are correctly inserted).

Here is my code:

    # imports needed by the classes below
    import ldif
    import ipalib
    from ipapython.dn import DN
    from ipaserver.plugins.ldap2 import ldap2

    class ldif_importer(ldif.LDIFParser):
        def __init__(self, ldap_backend):
            ldif.LDIFParser.__init__(self, open('test.ldif', 'rb'))
            self.ldap = ldap_backend

        def handle(self, dn, entry):
            # called by LDIFParser.parse() once per LDIF record
            self.ldap.add_entry(self.ldap.make_entry(DN(dn), entry))

    class my_backend(ipalib.Backend):
        '''Backend to import ldap passwords from ldif'''

        def __init__(self, api):
            ipalib.Backend.__init__(self, api)
            self.ldap = ldap2(self.api)
            self.ldap.connect(bind_dn=DN('cn=Directory Manager'), bind_pw='***')

        def parse(self):
            importer = ldif_importer(self.ldap)
            importer.parse()

    class my_command(ipalib.Command):
        '''Command calling my_backend to import passwords from ldif'''

        def execute(self, **options):
            '''Implemented against my_backend'''
            self.Backend.my_backend.parse()
            return {'result': 'everything OK'}

Should one of these methods have worked, and I did it incorrectly? Otherwise, what would be the lower-impact solution to achieve this? (Yes, I understand the security concerns about sending password hashes on the network but this choice does not depend on me)

Many thanks in advance,
Sebastien.
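As an added example (not code from the thread or from FreeIPA itself): a self-contained Python script that parses an LDIF file like the ones above with a minimal parser (not python-ldap's `ldif` module), including the `userpassword::` base64 form, detects scheme-tagged (pre-hashed) values such as `{MD5}...`, and sorts each record into what the thread reports IPA accepts: an LDAP add of a new entry in migration mode (with the Kerberos key generated at the first successful LDAP bind), or an up-front rejection for an existing entry, where an LDAP modify fails with "Pre-Encoded passwords are not valid". The `EXISTING` DN set and the `newuser` record are constructed; the modify record is the one quoted in the thread.

```python
import base64
import re

# RFC 2307 scheme tag at the start of a userPassword value, e.g. "{MD5}..."
# or "{SSHA}...". These are the values the ipa_pwd_extop plugin refuses on an
# LDAP modify ("Pre-Encoded passwords are not valid", constraint violation 19).
SCHEME_RE = re.compile(r"^\{[A-Za-z0-9_-]+\}")


def parse_ldif(text):
    """Minimal LDIF parser returning a list of (dn, {attr: [values]}).
    Handles 'attr: value', 'attr:: base64', folded continuation lines,
    '#' comments and the '-' separators of changetype: modify records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    records, dn, attrs = [], None, {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.startswith("#") or line == "-":
            continue
        if line.strip() == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()       # attribute names are case-insensitive
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def is_prehashed(value):
    """True for scheme-tagged values such as '{MD5}8UBIfmQu5CpHAAniVJWPrQ=='."""
    return bool(SCHEME_RE.match(value))


def plan_import(records, existing_dns):
    """Classify each record by what the thread says IPA will accept.
    New entry + pre-hashed password  -> LDAP add (migration mode); the
                                        Kerberos key appears at first bind.
    Existing entry or changetype: modify + pre-hashed password -> reject,
                                        an LDAP modify would be refused.
    Returns a list of (action, dn, note) tuples."""
    plan = []
    for dn, attrs in records:
        prehashed = any(is_prehashed(v) for v in attrs.get("userpassword", []))
        is_modify = (attrs.get("changetype", ["add"])[0].lower() == "modify"
                     or dn in existing_dns)
        if is_modify and prehashed:
            plan.append(("reject", dn,
                         "pre-hashed password cannot be set via LDAP modify"))
        elif is_modify:
            plan.append(("modify", dn, ""))
        elif prehashed:
            plan.append(("add", dn,
                         "kerberos key generated at first successful LDAP bind"))
        else:
            plan.append(("add", dn, ""))
    return plan


# Sample input: the modify record quoted in the thread plus one constructed
# add record for a user that does not exist yet.
SAMPLE_LDIF = """\
dn: uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
changetype: modify
replace: userpassword
userpassword:: e01ENX04VUJJZm1RdTVDcEhBQW5pVkpXUHJRPT0=
-

dn: uid=newuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr
objectClass: inetOrgPerson
uid: newuser
userPassword: {MD5}8UBIfmQu5CpHAAniVJWPrQ==
"""

# Constructed: DNs already present in the directory.
EXISTING = {"uid=testuser,cn=users,cn=accounts,dc=ljll,dc=math,dc=upmc,dc=fr"}


def demo():
    """Parse the sample LDIF and return the import plan."""
    return plan_import(parse_ldif(SAMPLE_LDIF), EXISTING)
```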