[Freeipa-users] Ipa migration, from ui cannot change password

Dmitri Pal dpal at redhat.com
Thu Sep 20 18:30:13 UTC 2012


On 09/20/2012 01:42 PM, Rob Crittenden wrote:
> James James wrote:
>> You 're right. The request return :
>>
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <cn=users,cn=accounts,dc=example,dc=com> with scope subtree
>> # filter: uid=test
>> # requesting: userPassword
>> #
>>
>> # test, users, accounts, example.com <http://example.com>
>> dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> Can you explain me what happens ?
>>
>> Is there a solution ?
>
> When migrating you need to bind as a user that has read permission on
> the userPassword attribute in the remote LDAP server.

Rob should we check if we can read the userPassword attribute and if not
fail migration?
Should we open a ticket for this?
Also I do not think we document the expectation that you vocalized above.


>
> rob
>
>>
>>
>>
>>
>> 2012/9/20 Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>>
>>
>>     Dmitri Pal wrote:
>>
>>         On 09/20/2012 12:50 PM, James James wrote:
>>
>>             Oups .. migration mode is enable ...
>>
>>
>>         The ldap (access, error) and kerberos logs from the server
>> would be
>>         helpful to troubleshoot.
>>         /var/log/dirsrv/...
>>         krb5kdc.log
>>
>>
>>     This is usually seen when there is no password in LDAP.
>>
>>     You can confirm this as Directory Manager:
>>
>>     $ ldapsearch -x -D 'cn=Directory Manager' -W password -b
>>     cn=users,cn=accounts,dc=__example,dc=com uid=migrated_user
>> userPassword
>>
>>     rob
>>
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/






More information about the Freeipa-users mailing list