From https://www.redhat.com/archives/freeipa-users/2014-July/msg00081.html
$ ipa user-add "bill.mathews" --last="Mathews" --first="William" --email="blah" --phone="xxx-yyy-zzzz" --setattr userpassword="{SHA}bunchajunka" --setattr o="University of Tweedle" --gidnumber=65534 --uid=2000063
And I get:
ERROR: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
Seems to be caused by https://fedorahosted.org/389/ticket/47389 and fixed by https://fedorahosted.org/389/ticket/47753 which is not yet in a release AFAICT.
It may be that a 389-ds release fixes this but IPA should have some sort of test or CI to verify that migration is working prior to release.
389 error file when trying to add userPassword via ldapmodify as cn=directory manager (attachment: ldaperr.txt)
The description in the above tickets suggested that a workaround might be to ldapmodify the migrated-but-passwordless user entries, binding as directory manager. This failed with a not very descriptive "operation error". The attached file is my 389-ds error log, with debug level set to 16383.
I noticed that ticket #3911 seems to indicate that IPA disallows modification of ldap entries using ldap commands. Is this the reason for the failure? Is there any potential workaround to get the ldap password hashes migrated?
In addition to the problem description above, "ipa migrate-ds" also fails to insert the existing passwords into 389-ds.
The following works with plain 389-ds-base in F20 (1.3.2 branch):
ldapmodify -x -h localhost -p 1210 -D "cn=directory manager" -w Secret123 <<EOF
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}T9nQIKIo552eA1vAk4UCOV3z/cvWGprmNh9bEA==
EOF
modifying entry "uid=scarter,ou=people,dc=example,dc=com"
Ticket #3911 is really about moving some of the "business logic" from the python framework into the DS. You can certainly use ldap modify operations directly against IPA, for a limited amount of things.
The problem with pre-hashed userPassword is that it is useless for Kerberos. There must be an IPA plugin that is preventing the use of the pre-hashed password.
As Rich said, we do not disallow direct LDAP modifications, just discourage it in some cases.
Rich, the password is being set for use in sssd migration mode where one can authenticate using LDAP and Kerberos credentials are created with the password provided.
I've confirmed it is failing on my system with the same Operations Error(1). IMHO this should work as Directory Manager.
I tested a custom build of the 389-ds-base 1.3.3 branch (389-ds-base-1.3.3.a2-20140715104747.git238d8fe.fc20.x86_64) to verify the fix implemented in https://fedorahosted.org/389/ticket/47753 (this switch would need to be enabled when migration mode is started):
# echo Secret123 | ipa migrate-ds ldap://vm-086.idm.lab.bos.redhat.com --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts'
-----------
migrate-ds:
-----------
Migrated:
Failed user:
  admin: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
  manager: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
...

# ldapmodify -x -D "cn=directory manager" -w Secret123 -h `hostname`
dn: cn=config
changetype: modify
replace: nsslapd-allow-hashed-passwords
nsslapd-allow-hashed-passwords: on

modifying entry "cn=config"

# echo Secret123 | ipa migrate-ds ldap://vm-086.idm.lab.bos.redhat.com --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts'
-----------
migrate-ds:
-----------
Migrated:
  user: manager
Password migration then also worked:
# ldapsearch -h `hostname` -b dc=mkosek-fedora20,dc=test -D uid=manager,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -x -w Secret123 -s base
# kinit manager
Password for manager@MKOSEK-FEDORA20.TEST:
#
Raising priority of the bug as this blocks migration. We will need to:
Patch freeipa-mkosek-478-allow-hashed-passwords-in-ds.patch sent for review.
Updated 389-ds-base from fedora-testing and turned on new hashed passwords attribute.
Deleted all users then re-ran ipa migrate-ds.
Passwords migrated. Migration web UI works as expected. Authentication via LDAP binds works as expected.
Big kudos and thanks to mkosek!
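The procedure in this thread (migrate-ds fails on pre-hashed userPassword values until nsslapd-allow-hashed-passwords is switched on in cn=config) can be checked for in advance. The script below is an added example for this ticket, not FreeIPA or 389-ds code: it reads an LDIF export of the source directory, reports which userPassword values carry a storage-scheme prefix such as {SSHA} or {CRYPT} (the values 389-ds rejects with "passwords with storage scheme are not allowed"), and tells you whether the switch is needed before running migrate-ds. The LDIF entries and hash values are constructed for the example, the function names are my own, and treating any value that starts with "{name}" as pre-hashed is an assumption on my side.

```python
"""Pre-migration check for 'ipa migrate-ds' (added example, not FreeIPA code).

Scans an LDIF export for userPassword values with a storage-scheme prefix,
i.e. the values 389-ds rejects with "invalid password syntax - passwords with
storage scheme are not allowed" unless nsslapd-allow-hashed-passwords is on.
"""
import base64
import re
from collections import Counter

# "{scheme}hash" prefix as used by 389-ds/OpenLDAP.  Assumption: any value
# starting with "{name}" is treated as pre-hashed.
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_.-]+)\}")
# attribute line: name, ':' or '::' (base64), value
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*)(::?) *(.*)$")

# Constructed sample export (not from the thread).  The second entry uses the
# base64 form ('::') that ldapsearch emits for values it cannot print safely.
SAMPLE_LDIF = (
    "dn: uid=scarter,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: scarter\n"
    "userPassword: {SSHA}Zm9vYmFyc2FsdHNhbHQ=\n"
    "\n"
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: jdoe\n"
    "userPassword:: " + base64.b64encode(b"{CRYPT}$6$salt$abc").decode() + "\n"
    "\n"
    "dn: uid=plain,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: plain\n"
    "# cleartext is accepted: the DS hashes it itself on write\n"
    "userPassword: Secret123\n"
    "\n"
    "dn: uid=nopw,ou=people,dc=example,dc=com\n"
    "objectClass: inetOrgPerson\n"
    "uid: nopw\n"
)


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: one {attr_lowercase: [values]} dict per entry,
    DN stored under 'dn'; handles comments and base64 ('::') values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    return entries


def password_scheme(value):
    """Return the scheme name ('SSHA', 'CRYPT', ...) or None for cleartext."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def check_export(text):
    """Classify every entry's userPassword; returns a report dict."""
    report = {"hashed": {}, "cleartext": [], "no_password": [], "schemes": Counter()}
    for entry in parse_ldif(text):
        dn = entry["dn"][0]
        values = entry.get("userpassword", [])
        if not values:
            report["no_password"].append(dn)
            continue
        scheme = password_scheme(values[0])
        if scheme:
            report["hashed"][dn] = scheme
            report["schemes"][scheme] += 1
        else:
            report["cleartext"].append(dn)
    return report


def needs_allow_hashed_passwords(report):
    """True when migrate-ds would fail on at least one entry unless
    nsslapd-allow-hashed-passwords is switched on first."""
    return bool(report["hashed"])


# The cn=config change from the ticket, as LDIF for ldapmodify.
ALLOW_HASHED_LDIF = (
    "dn: cn=config\n"
    "changetype: modify\n"
    "replace: nsslapd-allow-hashed-passwords\n"
    "nsslapd-allow-hashed-passwords: on\n"
)

if __name__ == "__main__":
    rep = check_export(SAMPLE_LDIF)
    print("hashed   :", dict(rep["schemes"]))
    print("cleartext:", len(rep["cleartext"]), "entries")
    print("no pw    :", len(rep["no_password"]), "entries")
    if needs_allow_hashed_passwords(rep):
        print("enable the switch before migrate-ds:\n" + ALLOW_HASHED_LDIF)
```

Run it against `ldapsearch -LLL ... userPassword` output saved from the source directory; the scheme counts also show whether any entries use a scheme 389-ds does not support, which would still fail after the switch is enabled.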
You are welcome, thanks for testing!
cn=config switch enabled by default by these commits:
master:
ipa-4-1:
ipa-4-0:
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1138775
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 4.0.1