[Freeipa-users] User creation with native ldap tools

2015-05-05 Thread Alan Evans
Hello, I thought I saw something like this asked before but after searching
the archive it seems I can't find it.

I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible using native
ldap tools, ldapadd and ldappasswd in particular, for user creation and
password management?

I am trying to use an IDM to synchronize accounts from one directory to
FreeIPA.  The IDM does not have native FreeIPA support but does have LDAP
support.

I have successfully gotten some objects created but I am having problems
with their passwords.

I have tried using https://ipa/ui/migration, resetting passwords in IPA UI,
ldappasswd and the ipa-cli but when I kinit these users I get the following.


May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required


I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure I
understand what they're referring to and if they apply in this situation.

Thank you,
-Alan
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
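The krb5kdc lines quoted above can be read mechanically. The following is an added example, not code from this thread or from FreeIPA: a small parser that pulls the status, client principal and requested service out of each AS_REQ line and then pairs a CLIENT KEY EXPIRED for krbtgt/ with the kadmin/changepw request that kinit sends in the same second when it prompts for a new password. The sample lines are constructed in the shape of the quoted log; because the list archive truncated the principal names ("foou...", "chang..."), the names foouser and kadmin/changepw and the realm EXAMPLE.COM are assumed placeholders.

```python
"""Parse krb5kdc AS_REQ log lines and pair expired-password errors with the
follow-up kadmin/changepw request that kinit issues (added example, not
code from the thread or from FreeIPA)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the krb5kdc lines quoted in the post.
# The archive truncated the principal names, so foouser, kadmin/changepw and
# the realm EXAMPLE.COM are assumed placeholders, not the poster's real data.
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foouser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foouser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
"""

# Layout of the error/preauth form of an AS_REQ line:
#   <timestamp> <host> krb5kdc[<pid>](<level>): AS_REQ (<n> etypes {<list>}) <ip>: <STATUS>: <client> for <server>, <message>
AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): AS_REQ "
    r"\((?P<n_etypes>\d+) etypes \{(?P<etypes>[\d ]*)\}\) (?P<client_ip>\S+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+) for (?P<server>\S+), (?P<message>.*)$"
)


def parse_as_req(line):
    """Return a dict of fields for one AS_REQ error/preauth line, or None when
    the line does not match (ISSUE lines have a different layout and are skipped)."""
    m = AS_REQ_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec


def summarize(log_text):
    """Count statuses and find (client, ip, second) groups in which a
    CLIENT KEY EXPIRED for krbtgt/ is accompanied by an AS_REQ for
    kadmin/changepw, i.e. kinit was sent on to the password-change service."""
    records = [r for r in map(parse_as_req, log_text.splitlines()) if r]
    status_counts = Counter(r["status"] for r in records)
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["client_ip"], r["ts"])].append(r)
    change_prompts = []
    for key, group in groups.items():
        expired = any(r["status"] == "CLIENT KEY EXPIRED"
                      and r["server"].startswith("krbtgt/") for r in group)
        changepw = any(r["server"].startswith("kadmin/changepw@") for r in group)
        if expired and changepw:
            change_prompts.append(key)
    return {
        "total": len(records),
        "status_counts": dict(status_counts),
        "expired_principals": sorted({r["client"] for r in records
                                      if r["status"] == "CLIENT KEY EXPIRED"}),
        "change_prompts": sorted(change_prompts),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} AS_REQ lines, statuses: {s['status_counts']}")
    for client, ip, ts in s["change_prompts"]:
        print(f"{ts}: {client} from {ip} hit an expired password and was sent to kadmin/changepw")
```

On the sample, summarize reports four such pairs for a single principal: each kinit attempt fails with an expired password and is immediately redirected to kadmin/changepw, which is the signature of a password that has been marked expired rather than of a key the KDC cannot use.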

Re: [Freeipa-users] User creation with native ldap tools

2015-05-05 Thread Rob Crittenden
Alan Evans wrote:
 Hello, I thought I saw something like this asked before but after
 searching the archive it seems I can't find it.
 
 I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible using
 native ldap tools, ldapadd and ldappasswd in particular, for user
 creation and password management?

For adding users, not yet; see https://fedorahosted.org/freeipa/ticket/3813

 I am trying to use an IDM to synchronize accounts from one directory to
 FreeIPA.  The IDM does not have native FreeIPA support but does have
 LDAP support.
 
 I have successfully gotten some objects created but I am having problems
 with their passwords.
 
 I have tried using https://ipa/ui/migration, resetting passwords in IPA
 UI, ldappasswd and the ipa-cli but when I kinit these users I get the
 following.

See http://www.freeipa.org/page/New_Passwords_Expired

When someone other than the user sets the password, it is marked as
expired so that only the user knows it.

rob

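To confirm on a given account what Rob describes, the user entry's krbPasswordExpiration can be read with ldapsearch and compared with the current time. The following is an added example, not FreeIPA code: it parses a minimal ldapsearch-style LDIF entry and classifies the password state. The entry, its DN, uid and timestamps are constructed placeholders, and the rule that an administrative reset leaves krbPasswordExpiration equal to krbLastPwdChange is an assumption of this example, labelled as such in the code.

```python
"""Classify a FreeIPA user's Kerberos password state from an LDAP entry
(added example, not FreeIPA code)."""
from datetime import datetime, timezone

# Constructed LDIF in the shape of `ldapsearch -LLL` output for a user entry;
# the DN, uid and timestamps are placeholders, not values from the thread.
SAMPLE_LDIF = """\
dn: uid=foouser,cn=users,cn=accounts,dc=example,dc=com
uid: foouser
krbPrincipalName: foouser@EXAMPLE.COM
krbLastPwdChange: 20150505194500Z
krbPasswordExpiration: 20150505194500Z
"""


def parse_ldif_entry(text):
    """Minimal parser for a single LDIF entry: 'attr: value' lines, with
    repeated attributes accumulating into a list. Base64 values ('::') and
    continuation lines are not needed for these attributes and are not handled."""
    entry = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        attr, sep, value = raw.partition(": ")
        if not sep:
            continue  # not an 'attr: value' line
        entry.setdefault(attr, []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """LDAP GeneralizedTime as FreeIPA stores it for krb* attributes: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, now):
    """Return one of 'no-expiration-set', 'valid', 'expired', 'expired-by-reset'.
    The last state is an assumption of this example: when someone other than
    the user sets the password, FreeIPA marks it expired immediately, which
    leaves krbPasswordExpiration equal to krbLastPwdChange."""
    expirations = entry.get("krbPasswordExpiration")
    if not expirations:
        return "no-expiration-set"
    expiration = parse_generalized_time(expirations[0])
    if expiration > now:
        return "valid"
    last_change = entry.get("krbLastPwdChange")
    if last_change and parse_generalized_time(last_change[0]) == expiration:
        return "expired-by-reset"
    return "expired"


def check_ldif(text, now_str=None):
    """Classify an LDIF entry at `now_str` (GeneralizedTime), or at the
    current UTC time when no reference time is given."""
    now = parse_generalized_time(now_str) if now_str else datetime.now(timezone.utc)
    return password_state(parse_ldif_entry(text), now)


if __name__ == "__main__":
    print(check_ldif(SAMPLE_LDIF))
```

The KDC's CLIENT KEY EXPIRED corresponds to the two expired branches here; an account in the expired-by-reset state is not broken, it is waiting for the user to set a password that only they know.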


Re: [Freeipa-users] User creation with native ldap tools

2015-05-05 Thread Dmitri Pal

On 05/05/2015 03:48 PM, Alan Evans wrote:
Hello, I thought I saw something like this asked before but after 
searching the archive it seems I can't find it.


I am using FreeIPA 3.3.3 on Cent 7 from EPEL.  Is it possible using 
native ldap tools, ldapadd and ldappasswd in particular, for user 
creation and password management?


I am trying to use an IDM to synchronize accounts from one directory 
to FreeIPA.  The IDM does not have native FreeIPA support but does 
have LDAP support.


I have successfully gotten some objects created but I am having 
problems with their passwords.


I have tried using https://ipa/ui/migration, resetting passwords in 
IPA UI, ldappasswd and the ipa-cli but when I kinit these users I get 
the following.



May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/
example@example.com, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/
example@example.com, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23
25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/
chang...@example.com, Additional pre-authentication required



I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure 
I understand what they're referring to and if they apply in this 
situation.


Thank you,
-Alan



This might be caused by a mismatch of the LDAP password hashes.
The password hashes that you had in the other directory might not have the
right hash types.


There is a way to change the hashing scheme in the IPA directory so that
the hashes would become accepted, but I do not recall the setting off the
top of my head.

In general this is not yet supported. We are working on the feature for 4.2.
http://www.freeipa.org/page/V4/User_Life-Cycle_Management

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.
