Re: [Freeipa-users] ldap modify
On 07/21/2014 01:30 PM, Atanas Bachvaroff wrote:
>
> Martin Kosek wrote:
>> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>>> Hello,
>>>
>>> I've been experiencing strange problems trying to manually modify the
>>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>>> Fedora 20). I'm using the following script:
>>>
>>> CUT
>>> [nasko@ipa ~]$ cat change_pass.sh
>>> #!/bin/sh
>>>
>>> if test -z "${1}"; then
>>>   echo "no dn supplied"
>>>   exit 1
>>> fi
>>>
>>> if test -z "${2}"; then
>>>   PASS="`pwgen 10 1`"
>>> else
>>>   PASS="${2}"
>>> fi
>>>
>>> echo "${PASS}"
>>>
>>> PASS_HASH="`pwdhash ${PASS}`"
>>>
>>> (
>>>   echo "dn: ${1}"
>>>   echo "changetype: modify"
>>>   echo "replace: userPassword"
>>>   echo "userPassword: ${PASS_HASH}"
>>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w ""
>>> [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>>> nohshohwoo
>>> modifying entry "uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>>> ldap_modify: Operations error (1)
>>>
>>> [nasko@ipa ~]$
>>> CUT
>>>
>>> and so on and so on, ldapmodify returning the same error every time, on any
>>> dn. Any suggestions?
>>>
>>> P.S.
>>> The server is in migration mode at this time.
>>>
>>
>> Hello Atanas,
>>
>> This issue is already discussed in
>> https://fedorahosted.org/freeipa/ticket/4450
>> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
>> find some information there. Ludwig, this issue is completely different than
>> nsslapd-allow-hashed-passwords, correct?
>>
>> But anyway, changing a password via ldapmodify and supplying a pre-hashed
>> password will not work well and you will need to run through the migration
>> mode even after ticket 4450 is fixed.
>>
>> If you have the clear text available (which I assume based on the
>> `pwdhash ${PASS}` construct), I would rather suggest changing it via the
>> ldappasswd script so that FreeIPA can also generate all the Kerberos
>> attributes.
>>
>> HTH,
>> Martin
>>
>
> Unfortunately, I don't have access to the cleartext passwords ('coz I'm
> migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds
> failed miserably with hashed passwords constraint violations, so I cloned
> the 389s etc., deleted the userPassword attributes and tried to
> restore 'em with the script above, taking the PASS="${2}" branch, which
> failed.
>
> It appears that #4450 is very close to my issues.

Ok. When 4450 is fixed (I would like to get it done this week), you should be
able to just run migrate-ds and have pre-hashed user passwords stored. Given
you are running on 3.3.4 (why not the latest 3.3.5?), we should also release
a fixed FreeIPA build in Fedora 20.

Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] ldap modify
Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the
>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>> Fedora 20). I'm using the following script:
>>
>> CUT
>> [nasko@ipa ~]$ cat change_pass.sh
>> #!/bin/sh
>>
>> if test -z "${1}"; then
>>   echo "no dn supplied"
>>   exit 1
>> fi
>>
>> if test -z "${2}"; then
>>   PASS="`pwgen 10 1`"
>> else
>>   PASS="${2}"
>> fi
>>
>> echo "${PASS}"
>>
>> PASS_HASH="`pwdhash ${PASS}`"
>>
>> (
>>   echo "dn: ${1}"
>>   echo "changetype: modify"
>>   echo "replace: userPassword"
>>   echo "userPassword: ${PASS_HASH}"
>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w ""
>> [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>> nohshohwoo
>> modifying entry "uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>> ldap_modify: Operations error (1)
>>
>> [nasko@ipa ~]$
>> CUT
>>
>> and so on and so on, ldapmodify returning the same error every time, on any
>> dn. Any suggestions?
>>
>> P.S.
>> The server is in migration mode at this time.
>>
>
> Hello Atanas,
>
> This issue is already discussed in
> https://fedorahosted.org/freeipa/ticket/4450
> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
> find some information there. Ludwig, this issue is completely different than
> nsslapd-allow-hashed-passwords, correct?
>
> But anyway, changing a password via ldapmodify and supplying a pre-hashed
> password will not work well and you will need to run through the migration
> mode even after ticket 4450 is fixed.
>
> If you have the clear text available (which I assume based on the
> `pwdhash ${PASS}` construct), I would rather suggest changing it via the
> ldappasswd script so that FreeIPA can also generate all the Kerberos
> attributes.
>
> HTH,
> Martin
>

Unfortunately, I don't have access to the cleartext passwords ('coz I'm
migrating from existing 389 / OpenLDAP directories) and ipa migrate-ds
failed miserably with hashed passwords constraint violations, so I cloned
the 389s etc., deleted the userPassword attributes and tried to
restore 'em with the script above, taking the PASS="${2}" branch, which
failed.

It appears that #4450 is very close to my issues.

-- 
Best regards, / Mit freundlichen Grüßen, / Met vriendelijke groeten,
Atanas Bachvaroff / Atanas Batschwaroff / Ätänas Batsjwärow
Re: [Freeipa-users] ldap modify
On 07/21/2014 01:14 PM, Martin Kosek wrote:
> On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
>> Hello,
>>
>> I've been experiencing strange problems trying to manually modify the
>> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
>> Fedora 20). I'm using the following script:
>>
>> CUT
>> [nasko@ipa ~]$ cat change_pass.sh
>> #!/bin/sh
>>
>> if test -z "${1}"; then
>>   echo "no dn supplied"
>>   exit 1
>> fi
>>
>> if test -z "${2}"; then
>>   PASS="`pwgen 10 1`"
>> else
>>   PASS="${2}"
>> fi
>>
>> echo "${PASS}"
>>
>> PASS_HASH="`pwdhash ${PASS}`"
>>
>> (
>>   echo "dn: ${1}"
>>   echo "changetype: modify"
>>   echo "replace: userPassword"
>>   echo "userPassword: ${PASS_HASH}"
>> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w ""
>> [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
>> nohshohwoo
>> modifying entry "uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
>> ldap_modify: Operations error (1)
>>
>> [nasko@ipa ~]$
>> CUT
>>
>> and so on and so on, ldapmodify returning the same error every time, on any
>> dn. Any suggestions?
>>
>> P.S.
>> The server is in migration mode at this time.
>>
>
> Hello Atanas,
>
> This issue is already discussed in
> https://fedorahosted.org/freeipa/ticket/4450
> and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
> find some information there. Ludwig, this issue is completely different than
> nsslapd-allow-hashed-passwords, correct?

No, I don't think so. pwdhash XXX returns {SSHA}hgjhdgjah, so it matches 389
ticket 47389.

> But anyway, changing a password via ldapmodify and supplying a pre-hashed
> password will not work well and you will need to run through the migration
> mode even after ticket 4450 is fixed.
>
> If you have the clear text available (which I assume based on the
> `pwdhash ${PASS}` construct), I would rather suggest changing it via the
> ldappasswd script so that FreeIPA can also generate all the Kerberos
> attributes.
>
> HTH,
> Martin
Re: [Freeipa-users] ldap modify
On 07/21/2014 01:04 PM, Atanas Bachvaroff wrote:
> Hello,
>
> I've been experiencing strange problems trying to manually modify the
> userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
> Fedora 20). I'm using the following script:
>
> CUT
> [nasko@ipa ~]$ cat change_pass.sh
> #!/bin/sh
>
> if test -z "${1}"; then
>   echo "no dn supplied"
>   exit 1
> fi
>
> if test -z "${2}"; then
>   PASS="`pwgen 10 1`"
> else
>   PASS="${2}"
> fi
>
> echo "${PASS}"
>
> PASS_HASH="`pwdhash ${PASS}`"
>
> (
>   echo "dn: ${1}"
>   echo "changetype: modify"
>   echo "replace: userPassword"
>   echo "userPassword: ${PASS_HASH}"
> ) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w ""
> [nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
> nohshohwoo
> modifying entry "uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
> ldap_modify: Operations error (1)
>
> [nasko@ipa ~]$
> CUT
>
> and so on and so on, ldapmodify returning the same error every time, on any
> dn. Any suggestions?
>
> P.S.
> The server is in migration mode at this time.
>

Hello Atanas,

This issue is already discussed in
https://fedorahosted.org/freeipa/ticket/4450
and thread "[Freeipa-users] 4.0.0 password migration trouble", you will
find some information there. Ludwig, this issue is completely different than
nsslapd-allow-hashed-passwords, correct?

But anyway, changing a password via ldapmodify and supplying a pre-hashed
password will not work well and you will need to run through the migration
mode even after ticket 4450 is fixed.

If you have the clear text available (which I assume based on the
`pwdhash ${PASS}` construct), I would rather suggest changing it via the
ldappasswd script so that FreeIPA can also generate all the Kerberos
attributes.

HTH,
Martin
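Two points made in the thread can be shown concretely: Ludwig's remark that pwdhash emits a {SSHA} value, and Martin's that a pre-hashed userPassword leaves FreeIPA with nothing from which to generate the Kerberos attributes, so the entry still has to pass through migration mode (a successful cleartext bind). The block below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389-ds. It builds and verifies an {SSHA} value in the layout 389-ds stores, base64(SHA-1(password || salt) || salt), then runs the PBKDF2 stage of the RFC 3962 AES string-to-key function to show that key generation consumes the cleartext, which only a bind can supply once the stored value is a hash. Assumptions: the 8-byte salt length (verification reads the salt from the stored value, so 4-byte salts as written by OpenLDAP's slappasswd verify as well), the partial list of 389-ds hash scheme names, and the realm UNI-SOFIA.BG and principal nasko, which are constructed from the DN and prompt in the thread and do not appear on the page. The DK step that follows PBKDF2 in RFC 3962 is deliberately omitted.

```python
"""Added example (not from the thread, FreeIPA or 389-ds): {SSHA} storage
scheme as written by pwdhash, bind-time verification, and why a hash alone
cannot yield Kerberos keys."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20
DEFAULT_SALT_LEN = 8        # assumption: salt size 389-ds uses for SSHA
# Assumption: partial list of 389-ds hashed storage schemes; {CLEAR} is
# intentionally absent because it is not a hash.
HASH_SCHEMES = ("SSHA", "SSHA256", "SSHA512", "SHA", "SHA256", "SHA512",
                "SMD5", "MD5", "CRYPT", "PBKDF2_SHA256")
# Constructed sample identity derived from dc=uni-sofia,dc=bg / nasko@ipa.
REALM = "UNI-SOFIA.BG"
PRINCIPAL = "nasko"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce what `pwdhash <password>` would print on a 389-ds host:
    {SSHA} followed by base64(SHA-1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt). The salt is whatever
    follows the 20-byte SHA-1 digest, so 4- and 8-byte salts both work."""
    scheme, sep, payload = stored.partition("}")
    if not sep or scheme.upper() != "{SSHA":
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(payload)
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(stored: str, candidate: str) -> bool:
    """What the directory does on a simple bind: rehash the candidate with
    the stored salt and compare in constant time. Returns False for values
    that are not {SSHA} rather than raising."""
    try:
        digest, salt = ssha_split(stored)
    except ValueError:
        return False
    calc = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, calc)


def is_prehashed(value: str) -> bool:
    """True when a userPassword value carries a known hash scheme prefix,
    i.e. the kind of value migrate-ds has to store verbatim."""
    if not value.startswith("{"):
        return False
    scheme, sep, _ = value[1:].partition("}")
    return bool(sep) and scheme.upper() in HASH_SCHEMES


def kerberos_pbkdf2_stage(password: str, realm: str, principal: str,
                          iterations: int = 4096, key_len: int = 16) -> bytes:
    """First stage of RFC 3962 string-to-key for aes128-cts: PBKDF2-HMAC-SHA1
    over the *cleartext* with salt = realm || principal and the default
    4096 iterations. The DK(tkey, "kerberos") step is omitted here."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, key_len)


def migration_bind(stored: str, candidate: str, realm: str,
                   principal: str) -> Optional[bytes]:
    """Model of FreeIPA migration mode: a bind that verifies against the
    stored hash hands the server the cleartext, and only then can it run
    string-to-key. Returns the derived material, or None on a failed bind."""
    if not ssha_verify(stored, candidate):
        return None
    return kerberos_pbkdf2_stage(candidate, realm, principal)


if __name__ == "__main__":
    stored = ssha_hash("nohshohwoo")   # the value the thread's script writes
    print(stored, is_prehashed(stored))
    print("failed bind ->", migration_bind(stored, "wrong", REALM, PRINCIPAL))
    print("good bind   ->", migration_bind(stored, "nohshohwoo", REALM, PRINCIPAL).hex())
```

Run as-is it prints a fresh {SSHA} value, then None for a wrong bind and 16 bytes of PBKDF2 output for the right one. The contrast is the point Martin makes above: ldapmodify with a pre-hashed value gives the server only `stored`, which `ssha_verify` can check but nothing can invert, while ldappasswd (or a bind in migration mode) gives it `candidate`, the input `kerberos_pbkdf2_stage` actually needs.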
[Freeipa-users] ldap modify
Hello,

I've been experiencing strange problems trying to manually modify the
userPassword attributes in the FreeIPA's 389 directory (FreeIPA 3.3.4 on
Fedora 20). I'm using the following script:

CUT
[nasko@ipa ~]$ cat change_pass.sh
#!/bin/sh
# usage: change_pass.sh <dn> [password]
# Without a password argument, one is generated with pwgen.

if test -z "${1}"; then
  echo "no dn supplied"
  exit 1
fi

if test -z "${2}"; then
  PASS="$(pwgen 10 1)"
else
  PASS="${2}"
fi

echo "${PASS}"

# pwdhash (389-ds) prints the password in the server's storage scheme;
# quote it so spaces or shell metacharacters survive.
PASS_HASH="$(pwdhash "${PASS}")"

(
  echo "dn: ${1}"
  echo "changetype: modify"
  echo "replace: userPassword"
  echo "userPassword: ${PASS_HASH}"
) | ldapmodify -h localhost -p 389 -D "cn=directory manager" -w ""
[nasko@ipa ~]$ ./change_pass.sh 'uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg'
nohshohwoo
modifying entry "uid=,cn=users,cn=accounts,dc=uni-sofia,dc=bg"
ldap_modify: Operations error (1)

[nasko@ipa ~]$
CUT

and so on and so on, ldapmodify returning the same error every time, on any
dn. Any suggestions?

P.S.
The server is in migration mode at this time.

-- 
Best regards, / Mit freundlichen Grüßen, / Met vriendelijke groeten,
Atanas Bachvaroff / Atanas Batschwaroff / Ätänas Batsjwärow