I don't think we created this ourselves, but it isn't too difficult to create if needed - we use this to expose the password hashes to radius. Create or look for a "Read User Password" Permission in RBAC in the web interface or command line. Create a role with that permission for your service account and assign that role to your service user.
- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Mar 22, 2022, 7:17 PM Jim Kinney via FreeIPA-users <[email protected]> wrote:

> I have the system set to use CRYPT-SHA512 as password store method. For antiquated reasons I need to generate a shadow file from data stored in freeipa.
> I would greatly prefer to not have to use the cn=Directory Manager and use a different binddn. But it seems only the DM has the ability to actually retrieve userpasswd.
>
> The pain point is the password entry. -y file doesn't work - ldap-bind: Invalid credentials (49). The stored password is correct and perms are 0600 and in /root. The DM is not in the kerberos database so I can't use a keytab and -YGSSAPI. The only method that works is the password entered on the cli.
> Ugh. That is unpleasant.
>
> This needs to run on a systemd timer to autogenerate the shadow file (and passwd and group files but those are easy) for a few thousand nodes that can't fail due to a network outage with freeipa (IdM actually). This is to handle user password changes and group membership changes in an HPC environment. I can dump in the passwd with expect. Just wondering if there's a way to setup a special password hash reading account with a keytab and not use the Directory Manager and password.
> --
> Computers amplify human error
> Super computers are really cool
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
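Getting the read permission sorted out is only half of the job: the LDIF that ldapsearch returns still has to be turned into shadow(5) lines. The script below is an added example, not from either poster, that does that conversion on a constructed LDIF sample; it assumes the CRYPT-SHA512 storage scheme from the question (values carry a `{CRYPT}` prefix) and takes the last-change field from `krbLastPwdChange`. Anything that is not a crypt(3) hash is written as a locked (`!`) entry rather than dropped or left passwordless.

```python
import base64
from datetime import datetime, timezone
# Constructed sample shaped like `ldapsearch -LLL ... uid userPassword krbLastPwdChange`
# output; ldapsearch base64-encodes userPassword (the `::` form). The hashes are fake.
_FAKE = "{CRYPT}$6$testsalt$fakehash"
SAMPLE_LDIF = f"""\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: {base64.b64encode(_FAKE.encode()).decode()}
krbLastPwdChange: 20220322191700Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword: {{SSHA}}notACryptHashSoItCannotGoIntoShadow
krbLastPwdChange: 20220101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry, lines = {}, []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        for line in lines:
            attr, _, value = line.partition(":")
            # "attr:: xxx" is a base64-encoded value; "attr: xxx" is plain text
            value = base64.b64decode(value[1:].strip()).decode() if value.startswith(":") else value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def days_since_epoch(generalized_time):
    """LDAP GeneralizedTime (20220322191700Z) -> shadow(5) 'last change' day count."""
    when = datetime.strptime(generalized_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(when.timestamp() // 86400)

def shadow_line(entry):
    # Only crypt(3) hashes belong in shadow; a non-CRYPT scheme or missing hash becomes "!" (locked)
    crypt = [h[len("{CRYPT}"):] for h in entry.get("userpassword", []) if h.startswith("{CRYPT}")]
    changed = entry.get("krblastpwdchange")
    lastchg = str(days_since_epoch(changed[0])) if changed else ""
    return f"{entry['uid'][0]}:{crypt[0] if crypt else '!'}:{lastchg}:0:99999:7:::"

def generate_shadow(ldif_text):
    return [shadow_line(e) for e in parse_ldif(ldif_text) if "uid" in e]
```

Feed it the output of the ldapsearch the service account runs (`uid`, `userPassword` and `krbLastPwdChange` are the only attributes it needs) and write the result to the shadow file with mode 0000 or 0600, as on any host.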
