[Freeipa-users] question about password migration from ldap

David Lin linhai88 at stanford.edu
Thu May 28 10:19:05 UTC 2015


Hum, seems like the migrated users do not have the userPassword attribute.
Is there any way to fix this?

Thanks!
David

On 05/28/2015 03:13 AM, Martin Kosek wrote:
> On 05/28/2015 11:47 AM, David Lin wrote:
>> Hi,
>> I am trying to migrate from openldap to freeipa.  Everything seems to be working
>> except the password. I understand that when migrating from openldap, the hashed
>> form of the passwords are migrated, but a Kerberos hash is not generated until
>> the user logs in using sssd or through the ipa/migration web ui.  However, the
>> users are not able to log in in either form using their existing password, from
>> the directory server log, the only weird thing I see is
>>
>> [28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
>> [28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
>> [28/May/2015:02:40:04 -0700] conn=112 op=1 BIND dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]" method=128 version=3
>> [28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
>> [28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
>> [28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1
>>
>> What does err=48 mean?
>>
>> I do have
>> ipa config-mod --enable-migration=TRUE
> 48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
> http://www.zytrax.com/books/ldap/ch12/
>
> Do the migrated users have the userPassword attribute? You can check on the
> user with:
>
> # ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b "uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
> # extended LDIF
> #
> # LDAPv3
> # base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
> # filter: (objectclass=*)
> # requesting: uid userPassword
> #
>
> # admin, users, accounts, f21
> dn: uid=admin,cn=users,cn=accounts,dc=f21
> uid: admin
> userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> Martin
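
Added example, not part of the original thread: a small audit over the LDIF that an ldapsearch like the one quoted above prints, reporting per entry whether userPassword is present and which storage scheme it uses, without printing the hash itself. The function names, sample DNs and sample hashes are constructed for this illustration.

```python
import base64
import re

# Constructed sample shaped like ldapsearch output; DNs and hashes are made up.
_B64 = base64.b64encode(b"{SSHA}constructed-sample").decode()
SAMPLE_LDIF = "\n".join([
    "# extended LDIF",
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "uid: alice",
    "userPassword:: " + _B64,          # "::" marks a base64-encoded value
    "",
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test",
    "uid: bob",                        # entry migrated without a password hash
    "",
    "dn: uid=carol,cn=users,cn=accounts,dc=example,",
    " dc=test",                        # folded line: continuation starts with a space
    "uid: carol",
    "userPassword: {CRYPT}constructed-sample",
])

def audit_passwords(ldif):
    """Return {dn: scheme}; scheme is None when userPassword is absent."""
    report, dn = {}, None
    # LDIF folds long lines as "newline + one space"; undo that before parsing.
    for line in ldif.replace("\n ", "").splitlines():
        if not line.strip():
            dn = None                  # a blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # base64 form, e.g. e1NTSEF9... is {SSHA}...
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
            report[dn] = None
        elif attr.lower() == "userpassword" and dn:
            m = re.match(r"\{([\w-]+)\}", value)
            report[dn] = m.group(1).upper() if m else "UNKNOWN"
    return report

def missing_password(ldif):
    """DNs with no userPassword attribute in the LDIF."""
    return [dn for dn, scheme in audit_passwords(ldif).items() if scheme is None]
```

The search has to run as an identity that is allowed to read userPassword (the quoted command binds as Directory Manager); otherwise every entry is reported as missing.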




