I have the system set to use CRYPT-SHA512 as the password storage method. For
antiquated reasons I need to generate a shadow file from data stored in FreeIPA.
I would greatly prefer not to have to use cn=Directory Manager and to use a
different binddn instead. But it seems only the DM has the ability to actually
retrieve userPassword.
The pain point is the password entry. -y file doesn't work: ldap_bind: Invalid
credentials (49). The stored password is correct and perms are 0600 and in
/root. The DM is not in the Kerberos database so I can't use a keytab and
-Y GSSAPI. The only method that works is the password entered on the CLI.
Ugh. That is unpleasant.
This needs to run on a systemd timer to autogenerate the shadow file (and
passwd and group files, but those are easy) for a few thousand nodes that can't
fail due to a network outage with FreeIPA (IdM actually). This is to handle
user password changes and group membership changes in an HPC environment. I can
feed in the password with expect. Just wondering if there's a way to set up a
special password-hash-reading account with a keytab and not use the Directory
Manager and its password.
--
Computers amplify human error
Super computers are really cool
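Added example, not from this thread: a Python sketch of the LDIF-to-shadow step the post describes, assuming the entries come from `ldapsearch -LLL` against the FreeIPA users container and carry `userPassword` with a `{CRYPT}` prefix plus `krbLastPwdChange` (the sample LDIF below is constructed). Entries whose stored hash is not crypt-format are written as locked (`!`) so a non-shadow hash never lands in the file.

```python
import base64
from datetime import datetime, timezone

# Constructed sample of `ldapsearch -LLL` output for two users (not real data):
# alice has a CRYPT-SHA512 hash; bob's hash is base64-encoded and not crypt-format.
SAMPLE_LDIF = (
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test\n"
    "uid: alice\n"
    "userPassword: {CRYPT}$6$saltsalt$examplehashexamplehashexamplehash\n"
    "krbLastPwdChange: 20240115083000Z\n"
    "\n"
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test\n"
    "uid: bob\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}notacrypthash").decode() + "\n"
    "krbLastPwdChange: 20240301000000Z\n"
)

def parse_ldif(text):
    """Return one dict per entry; handles folded lines and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if entry:
                entries.append(entry)
                entry = {}
            continue
        key, _, val = line.partition(":")
        if val.startswith(":"):           # "attr:: <base64>"
            val = base64.b64decode(val[1:].strip()).decode()
        entry.setdefault(key, []).append(val.strip())
    return entries

def days_since_epoch(gentime):
    """krbLastPwdChange is GeneralizedTime; shadow's lastchg field is days since 1970-01-01."""
    dt = datetime.strptime(gentime, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() // 86400)

def ldif_to_shadow(text):
    """Emit shadow(5) lines; a non-{CRYPT} hash becomes a locked entry ('!')."""
    out = []
    for e in parse_ldif(text):
        pw = e.get("userPassword", [""])[0]
        hash_field = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else "!"
        lastchg = days_since_epoch(e["krbLastPwdChange"][0]) if "krbLastPwdChange" in e else ""
        out.append(f"{e['uid'][0]}:{hash_field}:{lastchg}:0:99999:7:::")
    return out
```

One check worth making on the `-y` failure: ldapsearch uses the complete contents of the password file as the password, so a trailing newline left by an editor produces exactly the Invalid credentials (49) error described.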
_______________________________________________
FreeIPA-users mailing list -- [email protected]