Re: [Freeipa-users] Trying to migrate, can't set hashed passwords

2015-03-10 Thread Ben Slusky
On Mon, Mar 9, 2015 at 2:45 PM, Alexander Bokovoy aboko...@redhat.com
wrote:

 On Mon, 09 Mar 2015, Ben Slusky wrote:

 Greetings FreeIPA users,

 I'm setting up FreeIPA service in our production environment to replace
 several different authentication methods for various systems. I'm trying to
 migrate the first wave of users now. My plan was to copy their passwords
 from an old LDAP directory (one of the aforementioned several
 authentication methods) and then send them to the migration page to finish
 the job.

 Even in migration mode, you can only set pre-hashed passwords when
 creating the records, not when modifying them.


 bslu...@ipa1.aws:~$ head techteam-passwords.ldif
 dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
 changeType: modify
 replace: userPassword
 userPassword:: e1NTSE[...]
 -

 dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
 changeType: modify
 replace: userPassword
 userPassword:: e1NIQX[...]

 Unfortunately it isn't working:

 bslu...@ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f techteam-passwords.ldif
 Enter LDAP Password:
 modifying entry uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
 ldap_modify: Operations error (1)

 I found some possible causes of this error, and fixed them:

 bslu...@ipa1.aws:~$ ipa config-show |grep migration
  Enable migration mode: TRUE

 bslu...@ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config |grep allow-hashed
 Enter LDAP Password:
 nsslapd-allow-hashed-passwords: on

 Still no soap. Any suggestions?

 Works as designed. We only allow unhashed passwords in migration mode
 when entry is added, not modified.

 --
 / Alexander Bokovoy


Alexander: Thanks for clarifying that.

To anyone dealing with this or a similar problem who might find this in a
web search:
ipa user-add user0001 --first=User --last=0001 --setattr=userPassword='{SHA}...'
works like a charm (if migration mode is enabled).

-- 

Ben Slusky
Smartling, Inc. Senior Operations Engineer
bslu...@smartling.com | http://www.smartling.com/
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
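
An added example, not part of the thread and not FreeIPA's own tooling: it turns an LDIF export from the old directory into the `ipa user-add ... --setattr=userPassword=...` invocations described in the message above, decoding base64 (`userPassword::`) values and unfolding wrapped lines. It assumes the export carries `uid`, `givenName` and `sn`; the sample data, the placeholder hash and the function names `parse_ldif` and `plan` are constructed for illustration.

```python
import base64
import re
import shlex

# Constructed sample export from the old directory (not data from the thread).
# The hash is a placeholder; the first userPassword is base64 and folded.
_B64 = base64.b64encode(b"{SSHA}constructed-placeholder-hash").decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=user0001,ou=people,dc=example,dc=com",
    "uid: user0001", "givenName: User", "sn: 0001",
    "userPassword:: " + _B64[:16], " " + _B64[16:],
    "",
    "dn: uid=user0002,ou=people,dc=example,dc=com",
    "uid: user0002", "givenName: User", "sn: 0002",
    "userPassword: cleartext-not-a-hash", ""])

SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}.")  # e.g. {SHA}..., {SSHA}...

def parse_ldif(text):
    """Yield one dict per entry: unfold continuation lines, decode 'attr::'."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), value.strip())
        if entry:
            yield entry

def plan(text):
    """Return (argv lists for 'ipa user-add', DNs skipped for manual handling)."""
    ready, skipped = [], []
    for e in parse_ldif(text):
        pw = e.get("userpassword", "")
        if SCHEME.match(pw) and all(e.get(k) for k in ("uid", "givenname", "sn")):
            ready.append(["ipa", "user-add", e["uid"],
                          "--first=" + e["givenname"], "--last=" + e["sn"],
                          "--setattr=userPassword=" + pw])
        else:  # no {SCHEME} prefix (cleartext?) or missing name attributes
            skipped.append(e.get("dn", "?"))
    return ready, skipped

if __name__ == "__main__":
    ready, skipped = plan(SAMPLE_LDIF)
    for argv in ready:
        print(shlex.join(argv))  # review, then run on the IPA server
    print("skipped:", skipped)
```

Passing each argv list to `subprocess.run` avoids shell quoting problems with characters in the hash; the hash is still visible in the process argument list while the command runs.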

Re: [Freeipa-users] Trying to migrate, can't set hashed passwords

2015-03-09 Thread Alexander Bokovoy

On Mon, 09 Mar 2015, Ben Slusky wrote:

Greetings FreeIPA users,

I'm setting up FreeIPA service in our production environment to replace
several different authentication methods for various systems. I'm trying to
migrate the first wave of users now. My plan was to copy their passwords
from an old LDAP directory (one of the aforementioned several
authentication methods) and then send them to the migration page to finish
the job.

Even in migration mode, you can only set pre-hashed passwords when
creating the records, not when modifying them.



bslu...@ipa1.aws:~$ head techteam-passwords.ldif
dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
changeType: modify
replace: userPassword
userPassword:: e1NTSE[...]
-

dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
changeType: modify
replace: userPassword
userPassword:: e1NIQX[...]

Unfortunately it isn't working:

bslu...@ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f techteam-passwords.ldif
Enter LDAP Password:
modifying entry uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
ldap_modify: Operations error (1)

I found some possible causes of this error, and fixed them:

bslu...@ipa1.aws:~$ ipa config-show |grep migration
 Enable migration mode: TRUE

bslu...@ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config |grep allow-hashed
Enter LDAP Password:
nsslapd-allow-hashed-passwords: on

Still no soap. Any suggestions?

Works as designed. We only allow unhashed passwords in migration mode
when entry is added, not modified.

--
/ Alexander Bokovoy
