On 07/19/2014 01:08 AM, Nordgren, Bryce L -FS wrote:
>
>> So if I understand the 389-ds ticket correctly, I can add pre-hashed passwords
>> via ldapmodify to the 389 server using directory manager as the bind dn? I
>> just can't use the ipa command line tool/script.
>
> The short answer is "no". Trying to add the userPassword attribute with
> ldapmodify binding as "cn=directory manager" fails with operation error.
>
> Error log attached to the ticket Rob made:
> https://fedorahosted.org/freeipa/ticket/4450
>
> To summarize:
>
> No password migration via "ipa migrate-ds"; No password migration via "ipa
> user-add --setattr userPassword={SHA}..."; No password migration via
> 'ldapmodify -D "cn=directory manager"'. Do you think a solution will be
> forthcoming, or is it a ways off? I can leave my old ldap directory up for a
> little while.

I did a couple of tests with a custom build of 389-ds-base and I got the migration working after switching the new configuration option. See details and the transcript in the ticket:
https://fedorahosted.org/freeipa/ticket/4450#comment:5

I will work with the DS team to backport the switch option to Fedora 20 389-ds-base and to release FreeIPA 4.0.1 with an appropriate patch to fix this problem ASAP, ideally this week.

Thanks for your patience,
Martin
