[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] question about password migration from ldap



On Thu, 28 May 2015, David Lin wrote:
hum, seems like the migrated users do not have userPassword attribute. Is there anyway to fix this?
Did you actually have access to the userPasssword attribute in OpenLDAP
when migrate-ds command was running? This all is described in the 'ipa
migrate-ds --help' output.

You cannot add userPassword attribute in hashed form after the object
was created in IPA. It can only be set when new user record is created
in the migration mode.


Thanks!
David

On 05/28/2015 03:13 AM, Martin Kosek wrote:
On 05/28/2015 11:47 AM, David Lin wrote:
Hi,
I am try to migrate from openldap to freeipa.  Everything seems to be working
except the password. I understand that when migrating from openldap, the hashed
form the the passwords are migrated, but a Kerberos hash is not generated until
the user logs in using sssd or through the ipa/migration web ui.  However, the
users are not able to login in either form using their existing password, from
the directory server log, the only weird thing I see is

[28/May/2015:02:40:04 -0700] conn=112 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 TLS1.0 128-bit AES
[28/May/2015:02:40:04 -0700] conn=112 op=1 BIND
dn="uid=[user_name_here],cn=users,cn=accounts,dc=[omitted],dc=[omitted],dc=[omitted]"
method=128 version=3
[28/May/2015:02:40:04 -0700] conn=112 op=1 RESULT err=48 tag=97 nentries=0 etime=0
[28/May/2015:02:40:04 -0700] conn=112 op=2 UNBIND
[28/May/2015:02:40:04 -0700] conn=112 op=2 fd=90 closed - U1

What does err=48 mean?

I do have
ipa config-mod --enable-migration=TRUE
48 is LDAP_INAPPROPRIATE_AUTH. I see more information for example here:
http://www.zytrax.com/books/ldap/ch12/

Do the migrated users have the userPassword attribute? You can check on the
user with:

# ldapsearch -D "cn=Directory Manager" -x -w Secret123 -b
"uid=admin,cn=users,cn=accounts,dc=f21" uid userPassword
# extended LDIF
#
# LDAPv3
# base <uid=admin,cn=users,cn=accounts,dc=f21> with scope subtree
# filter: (objectclass=*)
# requesting: uid userPassword
#

# admin, users, accounts, f21
dn: uid=admin,cn=users,cn=accounts,dc=f21
uid: admin
userPassword:: e1NTSEF9K2tZ...Ib3c9PQ==

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Martin


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]