On Mon, Mar 9, 2015 at 2:45 PM, Alexander Bokovoy aboko...@redhat.com
wrote:
On Mon, 09 Mar 2015, Ben Slusky wrote:
Greetings FreeIPA users,
I'm setting up FreeIPA service in our production environment to replace
several different authentication methods for various systems. I'm trying
to
migrate the first wave of users now My plan was to copy their passwords
from an old LDAP directory (one of the aforementioned several
authentication methods) and then send them to the migration page to finish
the job.
Even in migration mode, you can only set pre-hashed passwords when
creating the records, not when modifying them.
bslu...@ipa1.aws:~$ head techteam-passwords.ldif
dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
changeType: modify
replace: userPassword
userPassword:: e1NTSE[...]
-
dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
changeType: modify
replace: userPassword
userPassword:: e1NIQX[...]
Unfortunately it isn't working:
bslu...@ipa1.aws:~$ ldapmodify -x -D cn=directory\ manager -W -f
techteam-passwords.ldif
Enter LDAP Password:
modifying entry uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
ldap_modify: Operations error (1)
I found some possible causes of this error, and fixed them:
bslu...@ipa1.aws:~$ ipa config-show |grep migration
Enable migration mode: TRUE
bslu...@ipa1.aws:~$ ldapsearch -x -D cn=directory\ manager -W -b
cn=config
|grep allow-hashed
Enter LDAP Password:
nsslapd-allow-hashed-passwords: on
Still no soap. Any suggestions?
Works as designed. We only allow unhashed passwords in migration mode
when entry is added, not modified.
--
/ Alexander Bokovoy
Alexander: Thanks for clarifying that.
To anyone dealing with this or a similar problem who might find this in a
web search:
ipa user-add user0001 --first=User --last=0001
--setattr=userPassword='{SHA}...'
works like a charm (if migration mode is enabled).
--
*Ben Slusky*Smartling, Inc. Senior Operations Engineer
bslu...@smartling.com | smartling.com http://www.smartling.com/
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project