[Freeipa-users] Ipa migration, from ui cannot change password
Dmitri Pal
dpal at redhat.com
Thu Sep 20 18:30:13 UTC 2012
On 09/20/2012 01:42 PM, Rob Crittenden wrote:
> James James wrote:
>> You're right. The request returns:
>>
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>> # filter: uid=test
>> # requesting: userPassword
>> #
>>
>> # test, users, accounts, example.com
>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> Can you explain to me what happens?
>>
>> Is there a solution?
>
> When migrating you need to bind as a user that has read permission on
> the userPassword attribute in the remote LDAP server.
Rob, should we check if we can read the userPassword attribute and, if not,
fail migration?
Should we open a ticket for this?
Also, I do not think we document the expectation that you vocalized above.
>
> rob
>
>>
>>
>>
>>
>> 2012/9/20 Rob Crittenden <rcritten at redhat.com>
>>
>> Dmitri Pal wrote:
>>
>> On 09/20/2012 12:50 PM, James James wrote:
>>
>> Oops .. migration mode is enabled ...
>>
>>
>> The ldap (access, error) and kerberos logs from the server would be
>> helpful to troubleshoot.
>> /var/log/dirsrv/...
>> krb5kdc.log
>>
>>
>> This is usually seen when there is no password in LDAP.
>>
>> You can confirm this as Directory Manager:
>>
>> $ ldapsearch -x -D 'cn=Directory Manager' -W \
>>     -b cn=users,cn=accounts,dc=example,dc=com uid=migrated_user userPassword
>>
>> rob
>>
>>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
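
The pre-migration check raised in this thread, as an added example that is not part of the original messages and not FreeIPA's own code: it parses `ldapsearch` LDIF output and lists the entries for which the bind user was not given `userPassword`. The function name and the sample LDIF (including the hash value) are constructed for illustration, and DNs are assumed to be plain text rather than base64 (`dn::`).

```python
# Constructed sample: ldapsearch output for a query requesting userPassword.
# The first entry mirrors the thread (attribute not returned); the second shows
# what a bind with read access returns (base64 value on a folded line).
SAMPLE_LDIF = """\
# extended LDIF
# base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
# requesting: userPassword

# test, users, accounts, example.com
dn: uid=test,cn=users,cn=accounts,dc=example,dc=com

# alice, users, accounts, example.com
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQtZXhhbXBsZS1oYXNoLW5vdC1yZWFs
 LXZhbHVl

# search result
search: 2
result: 0 Success
"""

def entries_missing_password(ldif_text):
    """Return DNs of entries that carry no userPassword value."""
    # Unfold first: in LDIF a line starting with one space continues the previous line.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    missing, dn, has_pw = [], None, False
    for line in lines + [""]:              # trailing blank flushes the last entry
        if line.startswith("#"):           # comment lines carry no attributes
            continue
        if not line.strip():               # a blank line ends the current entry
            if dn is not None and not has_pw:
                missing.append(dn)
            dn, has_pw = None, False
        elif line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()   # assumes a plain-text DN
        elif dn and line.lower().startswith("userpassword:"):
            # "attr: value" or "attr:: base64"; an empty value does not count
            has_pw = has_pw or bool(line.split(":", 1)[1].lstrip(":").strip())
    return missing

if __name__ == "__main__":
    for entry_dn in entries_missing_password(SAMPLE_LDIF):
        print("userPassword not readable for:", entry_dn)
```

A migration wrapper could stop before importing anything when this list is non-empty for the bind DN it was given.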