On Mon, Mar 9, 2015 at 2:45 PM, Alexander Bokovoy <[email protected]> wrote:
> On Mon, 09 Mar 2015, Ben Slusky wrote:
>
>> Greetings FreeIPA users,
>>
>> I'm setting up FreeIPA service in our production environment to replace
>> several different authentication methods for various systems. I'm trying to
>> migrate the first wave of users now. My plan was to copy their passwords
>> from an old LDAP directory (one of the aforementioned several
>> authentication methods) and then send them to the migration page to finish
>> the job.
>
> Even in migration mode, you can only set pre-hashed passwords when
> creating the records, not when modifying them.
>
>> [email protected]:~$ head techteam-passwords.ldif
>> dn: uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NTSE[...]
>> -
>>
>> dn: uid=user1002,cn=users,cn=accounts,dc=smartling,dc=int
>> changeType: modify
>> replace: userPassword
>> userPassword:: e1NIQX[...]
>>
>> Unfortunately it isn't working:
>>
>> [email protected]:~$ ldapmodify -x -D cn=directory\ manager -W -f techteam-passwords.ldif
>> Enter LDAP Password:
>> modifying entry "uid=user1001,cn=users,cn=accounts,dc=smartling,dc=int"
>> ldap_modify: Operations error (1)
>>
>> I found some possible causes of this error, and fixed them:
>>
>> [email protected]:~$ ipa config-show |grep migration
>> Enable migration mode: TRUE
>>
>> [email protected]:~$ ldapsearch -x -D cn=directory\ manager -W -b cn=config |grep allow-hashed
>> Enter LDAP Password:
>> nsslapd-allow-hashed-passwords: on
>>
>> Still no soap. Any suggestions?
>
> Works as designed. We only allow unhashed passwords in migration mode
> when entry is added, not modified.
>
> --
> / Alexander Bokovoy

Alexander: Thanks for clarifying that.

To anyone dealing with this or a similar problem who might find this in a web search:

ipa user-add user0001 --first=User --last=0001 --setattr=userPassword='{SHA}...'

works like a charm (if migration mode is enabled).

--
*Ben Slusky*
Smartling, Inc.
Senior Operations Engineer
[email protected] | smartling.com <http://www.smartling.com/>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
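
Added example, not part of the original thread: a Python sketch that turns an LDIF of "replace: userPassword" records like the one shown above into the "ipa user-add ... --setattr=userPassword=..." calls that the thread reports as working in migration mode. The function names parse_password_ldif and user_add_argv, the dc=example,dc=test suffix, the placeholder first/last names and the dummy hash strings are assumptions made for illustration.

```python
import base64
import re
import shlex

HASHED = re.compile(r"^\{[A-Za-z0-9_-]+\}.+")  # {SSHA}..., {SHA}..., etc.

def parse_password_ldif(text):
    """Return {uid: hashed userPassword} from LDIF modify records."""
    text = re.sub(r"\r?\n ", "", text)  # unfold LDIF continuation lines
    result = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        uid = value = None
        for line in record.splitlines():
            low = line.lower()
            if low.startswith("dn:"):
                m = re.match(r"uid=([^,]+),", line[3:].strip(), re.I)
                uid = m.group(1) if m else None
            elif low.startswith("userpassword::"):  # base64-encoded value
                value = base64.b64decode(line.split("::", 1)[1]).decode()
            elif low.startswith("userpassword:"):
                value = line.split(":", 1)[1].strip()
        if uid is None or value is None:
            raise ValueError("record lacks uid or userPassword")
        if not HASHED.match(value):  # refuse cleartext or garbage
            raise ValueError("userPassword for %s is not a {SCHEME} hash" % uid)
        result[uid] = value
    return result

def user_add_argv(uid, first, last, hashed):
    """argv for subprocess.run(): no shell, so the hash needs no quoting."""
    return ["ipa", "user-add", uid, "--first=" + first, "--last=" + last,
            "--setattr=userPassword=" + hashed]

def _record(uid, hashed, fold=False):
    """Build one constructed sample record in the layout shown in the thread."""
    b64 = base64.b64encode(hashed.encode()).decode()
    if fold:
        b64 = b64[:10] + "\n " + b64[10:]
    return ("dn: uid=%s,cn=users,cn=accounts,dc=example,dc=test\n"
            "changeType: modify\nreplace: userPassword\n"
            "userPassword:: %s\n-\n" % (uid, b64))

# Constructed sample input; the hash strings are dummies, not real digests.
SAMPLE_LDIF = (_record("user1001", "{SSHA}constructed-sample-1", fold=True)
               + "\n" + _record("user1002", "{SHA}constructed-sample-2"))

if __name__ == "__main__":
    for uid, hashed in parse_password_ldif(SAMPLE_LDIF).items():
        # Assumption: real first/last names come from the old directory.
        print(shlex.join(user_add_argv(uid, "User", uid[4:], hashed)))
```

On a typical Linux host, command-line arguments are visible to other local users in the process list while a command runs, so an import like this belongs on a trusted admin host.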
