On 05/28/2015 11:47 AM, David Lin wrote:
> Hi,
> I am trying to migrate from openldap to freeipa. Everything seems to be working
> except the password. I understand that when migrating from openldap, the hashed
> form of the passwords is migrated, but a Kerberos hash is not generated until
> the user logs in using sssd or through the ipa/migration web ui. However, the
> users are not able to login in either form using their existing password, from
> the directory server log, the only weird thing I see is
>
> [28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
> [28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
> [28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]" method=128 version=3
> [28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
> [28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
> [28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1
>
> What does err=48 mean?
>
> I do have
> ipa config-mod --enable-migration=TRUE

48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
http://www.zytrax.com/books/ldap/ch12/

Do the migrated users have the userPassword attribute? You can check on the user with:

# ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b "uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Martin
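
An added example (not part of the original thread and not FreeIPA's own tooling): a Python script that applies the userPassword check above to ldapsearch LDIF output covering many migrated users, reporting for each DN whether the attribute is present and which storage-scheme prefix it carries. The sample LDIF, the user names and the function name password_report are constructed for illustration.

```python
import base64
import re

# Constructed sample (not real data): one base64 value built here, one entry
# with no userPassword, and one value folded across two lines as LDIF allows.
_B64 = base64.b64encode(b"{SSHA}constructed-sample-hash").decode()
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: %s

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
userPassword: {CRYPT}constructed-
 sample-hash

# search result
search: 2
result: 0 Success
""" % _B64

def password_report(ldif):
    """Map each entry DN to its userPassword scheme, or to a status string."""
    ldif = re.sub(r"\n ", "", ldif)  # undo LDIF line folding (RFC 2849)
    report = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        dn, status = None, "MISSING"
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # "attr:: value" means base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            elif name.lower() == "userpassword":
                scheme = re.match(r"\{([A-Za-z0-9_-]+)\}", value)
                status = scheme.group(1).upper() if scheme else "NO-SCHEME-PREFIX"
        if dn:  # skips comment-only and "search result" blocks
            report[dn] = status
    return report

if __name__ == "__main__":
    for dn, status in password_report(SAMPLE_LDIF).items():
        print(f"{status:18} {dn}")
```

To use it on a real directory, pass password_report() the text of an ldapsearch run that requests uid and userPassword under cn=users,cn=accounts. Entries reported as MISSING have no userPassword attribute at all.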
