On 08/01/2014 08:23 AM, barry...@gmail.com wrote:
> Hi :
>
> Is it possible for an admin to read the clear-text passwords of IPA users?
No. Admin can't even read the hash:

# ldapsearch -Y GSSAPI -b uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com uid userPassword
SASL/GSSAPI authentication started
SASL username: ad...@idm.lab.bos.redhat.com
SASL SSF: 56
SASL data security layer installed.
...
# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
...

Directory Manager can read the user password hash:

# ldapsearch -D "cn=Directory Manager" -x -W -b uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com uid userPassword
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# fbar, users, accounts, idm.lab.bos.redhat.com
dn: uid=fbar,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
uid: fbar
userPassword:: e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5oRnRxT2J2L3dtNUE9PQ=
 =

# echo e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5oRnRxT2J2L3dtNUE9PQ== | base64 --decode
{SSHA}VzzT7Al9PQS+PrS+Sl6se7ZMaNhFtqObv/wm5A==

That's all, no clear passwords - by design.

> I'm facing the issue of a half rollout, as half of the users changed their
> password already.
>
> And if I deploy and reset all passwords then it may make an issue for this half,
>
> and we don't have records of which user passwords were sent.

I am not sure if I understand the question, but if your users have problems with their passwords, you can administratively reset them and send the new ones to them (they will then be forced to set their own: http://www.freeipa.org/page/New_Passwords_Expired).

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
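An added example, not part of the thread or of FreeIPA's own code, showing why the stored value above gives nobody the clear text: it decodes the LDIF `userPassword::` line from the Directory Manager search into the `{SSHA}` value, splits that into the SHA-1 digest and the salt, and verifies a constructed password against a hash built the same way. It assumes the standard 389-ds/OpenLDAP SSHA layout, base64 of a 20-byte SHA-1 digest followed by the salt; the password `Secret123` is constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The userPassword line from the Directory Manager ldapsearch above,
# with the LDIF fold joined (value copied from the thread, not constructed).
PAGE_LDIF_LINE = ("userPassword:: e1NTSEF9Vnp6VDdBbDlQUVMrUHJTK1NsNnNlN1pNYU5o"
                  "RnRxT2J2L3dtNUE9PQ==")

DIGEST_LEN = 20  # SHA-1 digest size; everything after it is the salt


def ldif_value(line: str) -> str:
    """Return the decoded value of an LDIF 'attr:: base64' or 'attr: text' line."""
    _, _, rest = line.partition(":")
    if rest.startswith(":"):           # '::' marks a base64-encoded value
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_ssha(value: str) -> Tuple[bytes, bytes]:
    """Split '{SSHA}base64(digest || salt)' into (digest, salt)."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= DIGEST_LEN:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value the same way, so the verifier can be tested offline."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, value: str) -> bool:
    """True if password reproduces the digest; this check is all the server can do."""
    digest, salt = parse_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = ldif_value(PAGE_LDIF_LINE)
    digest, salt = parse_ssha(stored)
    print(stored, "->", len(digest), "byte digest,", len(salt), "byte salt")
    demo = make_ssha("Secret123")   # constructed password, not from the thread
    print(verify_ssha("Secret123", demo), verify_ssha("Secret124", demo))
```

The thread's value decodes to 28 bytes, i.e. a 20-byte digest plus an 8-byte salt, which is the default 389-ds SSHA salt size.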