Re: [Freeipa-users] copy encrypted password into IPA?
2014-09-22 21:31 GMT+02:00 Rob Crittenden :
> The trick is having the hash in a format acceptable to 389-ds. I know it
> works with crypt, you just need to prefix it with {crypt}. For
> other formats, I don't know.

{SHA} works as well

- Jitse

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] copy encrypted password into IPA?
Dmitri Pal wrote:
> On 09/22/2014 02:23 PM, Ron wrote:
>> We would like to add some users that are currently in the
>> password/shadow files on some servers into IPA.
>>
>> Is there any way to copy (preferably via a script) the encrypted
>> password into IPA so that we do not have to have them reset their
>> passwords?
>>
>> Our idea is to use the "IPA user-add" command to create the user then
>> insert their encrypted password into their IPA entry.
>>
>> Regards,
>> Ron
>>
>>
>
> The most probable answer is no since the hash types would not match
> between what you have in the files and what LDAP server expects.
> If you by any chance configured your files to use other hashes than
> default it might match. You can go the other way and reconfigure the
> LDAP server but AFAIR it is not recommended.
> The user-add command would not work anyways as it does not accept hash
> as an input. Or I should say it would allow you to add users without
> passwords in a script.
> You can set a random password, send it to account owner in a script and
> make account owners to change passwords (default) on the first use.

If you put IPA into migration mode then you can set a password on
user-add via --setattr userPassword= . Note that it is important to do it
in one step and not add user, then set password.

You'll then need to migrate the password to create Kerberos credentials
either by authenticating via SSSD or on the IPA web page.

The trick is having the hash in a format acceptable to 389-ds. I know it
works with crypt, you just need to prefix it with {crypt}. For
other formats, I don't know.

rob
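The one-step approach described in the message above, as an added example that is not part of the original thread or of FreeIPA: a Python sketch that pairs passwd and shadow entries and builds one `ipa user-add` call per account with the `{crypt}` prefix. The sample entries are constructed, deriving first/last names from the GECOS field is an assumption, and migration mode is assumed to be enabled already.

```python
import shlex

# Constructed sample data, not from any real system.
PASSWD = """\
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Builder:/home/bob:/bin/bash
svc:x:1003:1003::/var/lib/svc:/sbin/nologin
"""
SHADOW = """\
alice:$6$CONSTRUCTEDSALT$ConstructedHashValueA:16335:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$ConstructedHashValueB:16335:0:99999:7:::
svc:*:16335:0:99999:7:::
"""

def parse_colon_file(text):
    """Map login -> list of fields for passwd/shadow style text."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

def build_commands(passwd_text, shadow_text):
    """Return (commands, skipped): one `ipa user-add` argv per usable hash."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    commands, skipped = [], []
    for login, fields in shadow.items():
        pw_hash = fields[1] if len(fields) > 1 else ""
        # Empty, "*" and "!"-prefixed fields mean no password or a locked account.
        if login not in passwd or not pw_hash or pw_hash[0] in "!*":
            skipped.append(login)
            continue
        entry = passwd[login]
        gecos = entry[4].split(",")[0].split() if len(entry) > 4 else []
        first = gecos[0] if gecos else login          # assumption: GECOS holds the name
        last = " ".join(gecos[1:]) or login
        # User and hash are added together, in a single user-add call.
        commands.append(["ipa", "user-add", login, "--first", first, "--last", last,
                         "--setattr", "userPassword={crypt}" + pw_hash])
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = build_commands(PASSWD, SHADOW)
    for argv in cmds:
        # shlex.quote keeps the "$" characters in the hash away from the shell.
        print(" ".join(shlex.quote(a) for a in argv))
    print("# skipped (locked or no usable hash):", ", ".join(skipped))
```

The printed commands are for review before running them on an enrolled host; the Kerberos keys are still created only when each user first authenticates via SSSD or the IPA web page, as the message says.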
Re: [Freeipa-users] copy encrypted password into IPA?
On 09/22/2014 02:23 PM, Ron wrote:
> We would like to add some users that are currently in the
> password/shadow files on some servers into IPA.
>
> Is there any way to copy (preferably via a script) the encrypted
> password into IPA so that we do not have to have them reset their
> passwords?
>
> Our idea is to use the "IPA user-add" command to create the user then
> insert their encrypted password into their IPA entry.
>
> Regards,
> Ron

The most probable answer is no since the hash types would not match
between what you have in the files and what LDAP server expects.
If you by any chance configured your files to use other hashes than
default it might match. You can go the other way and reconfigure the
LDAP server but AFAIR it is not recommended.
The user-add command would not work anyways as it does not accept hash
as an input. Or I should say it would allow you to add users without
passwords in a script.
You can set a random password, send it to account owner in a script and
make account owners to change passwords (default) on the first use.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.