Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-21 Thread Martin Kosek
On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
 
 So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
 via ldapmodify to the 389 server using directory manager as the bind dn? I
 just can't use the ipa command line tool/script.
 
 The short answer is no. Trying to add the userPassword attribute with 
 ldapmodify binding as cn=directory manager fails with operation error.
 
 Error log attached to the ticket Rob made: 
 https://fedorahosted.org/freeipa/ticket/4450
 
 To summarize:
 
 No password migration via ipa migrate-ds; No password migration via ipa 
 user-add --setattr userPassword={SHA}...; No password migration via 
 'ldapmodify -D cn=directory manager'. Do you think a solution will be 
 forthcoming, or is it a ways off? I can leave my old ldap directory up for a 
 little while.

I did a couple of tests with a custom build of 389-ds-base and got the migration
working after switching the new configuration option. See details and the
transcript in the ticket:

https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with the DS team to backport the switch option to Fedora 20 389-ds-base
and to release FreeIPA 4.0.1 with an appropriate patch to fix this problem ASAP,
ideally this week.

Thanks for your patience,
Martin

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-21 Thread Nordgren, Bryce L -FS


 I will work with the DS team to backport the switch option to Fedora 20
 389-ds-base and to release FreeIPA 4.0.1 with an appropriate patch to fix this
 problem ASAP, ideally this week.


Thanks much, Martin!







Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-18 Thread Rob Crittenden
Nordgren, Bryce L -FS wrote:
 
 Someone has reported an issue with password migration where 389-ds is
 rejecting the passwords with "passwords with storage scheme are not
 allowed". That may be part of the problem.
 
 That was me, but the context was 'ipa user-add' with a password hash rather 
 than migrate-ds. Although it makes sense that 389 ds would act the same 
 regardless of how I attempt to store the password. How can I check to see 
 whether the passwords made it to freeipa? The migrate-ds script didn't 
 complain, but I don't know where to look for logfiles.

I don't think a bug ever got logged for that, at least I can't find one.
Can you confirm? If not I'll get one logged.

The log file for the migration is in /var/log/httpd/error_log.

To see if passwords migrated, pick a migrated user and do a search as
Directory Manager for the userPassword attribute:

$ ldapsearch -x -D 'cn=Directory Manager' -W -b
uid=someuser,cn=users,cn=accounts,dc=example,dc=com userPassword

rob

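Rob's check above is a one-user ldapsearch for userPassword; the following is an added example (not from the thread or the FreeIPA project) that takes saved ldapsearch LDIF output for the whole users container and reports, per uid, whether a userPassword value is present at all and which storage scheme prefix it carries, which is exactly what a failed hash migration leaves behind. The LDIF embedded below is constructed sample data, and the capture command in the usage note is an assumption about how you would produce the real input.

```python
import base64
import re

# Constructed sample in the shape ldapsearch prints (userPassword comes back
# base64-encoded with the "::" form); not real server output.
_HASH = base64.b64encode(b"{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=").decode()
SAMPLE_LDIF = f"""\
# extended LDIF
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword:: {_HASH}

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
userPassword: cleartext-by-mistake
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")   # "{SHA}", "{SSHA}", "{PBKDF2_SHA256}" ...

def parse_ldif(text):
    """ldapsearch LDIF output -> list of {attr: [values]} dicts (attrs lower-cased)."""
    entries, current = [], {}
    # A newline followed by one space is LDIF line folding: join those first.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):          # skip ldapsearch's comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            current.setdefault(attr.lower(), []).append(value)
    return entries

def scheme_of(value):
    """Storage scheme named in the {SCHEME} prefix of one userPassword value, else 'CLEARTEXT'."""
    match = SCHEME_RE.match(value)
    return match.group(1).upper() if match else "CLEARTEXT"

def password_status(entries):
    """uid -> scheme string, or None when the entry carries no userPassword at all."""
    return {e["uid"][0]: (scheme_of(e["userpassword"][0]) if e.get("userpassword") else None)
            for e in entries if "uid" in e}
```

To feed it real data, save the output of `ldapsearch -x -D 'cn=Directory Manager' -W -b cn=users,cn=accounts,dc=example,dc=com '(objectClass=posixAccount)' uid userPassword` to a file and pass its contents to parse_ldif; any uid mapped to None never received a hash, and any CLEARTEXT entry deserves a closer look.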


Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-17 Thread Rob Crittenden
Nordgren, Bryce L -FS wrote:
 DNS is fixed, 4.0.0 is installed, and my external users have been
 migrated from an LDAP store via the migrate-ds script.
 
 The password migration page keeps telling me that the password or
 username I entered is incorrect. (username: test.user, password: test) I
 did not mistype this. I did set the minimum password length to 0, but
 not until after migrating my users.
 
 IPA forced me to reset the password for test.user, then kinit
 (attempting to login via sssd failed), then change the password before
 sssd logins and ldap binds started working. This is not an appropriate
 migration path for those users who primarily interact with web apps, so
 I need that migration page to work.
 
 The LDAP interface is also important to me, as I want to use this for
 web app authentication. As is, my migrated accounts are doing this:
 
 [root@fislstore ~]#  ldapsearch -h ipa.usfs-i2.umt.edu -x -D
 'uid=my_peeps,cn=users,cn=accounts,dc=usfs-i2,dc=umt,dc=edu' -W
 '(objectClass=posixAccount)' dn
 
 Enter LDAP Password:
 
 ldap_bind: Inappropriate authentication (48)

Are you sure the entry has a password set?

Someone has reported an issue with password migration where 389-ds is
rejecting the passwords with "passwords with storage scheme are not
allowed". That may be part of the problem.

rob



Re: [Freeipa-users] 4.0.0 password migration trouble

2014-07-17 Thread Nordgren, Bryce L -FS

 Someone has reported an issue with password migration where 389-ds is
 rejecting the passwords with "passwords with storage scheme are not
 allowed". That may be part of the problem.

That was me, but the context was 'ipa user-add' with a password hash rather 
than migrate-ds. Although it makes sense that 389 ds would act the same 
regardless of how I attempt to store the password. How can I check to see 
whether the passwords made it to freeipa? The migrate-ds script didn't 
complain, but I don't know where to look for logfiles.

Thanks,
Bryce




