On 05/05/2015 03:48 PM, Alan Evans wrote:
Hello, I thought I saw something like this asked before but after
searching the archive it seems I can't find it.
I am using FreeIPA 3.3.3 on Cent 7 from EPEL. Is it possible using
native ldap tools, ldapadd and ldappasswd in particular, for user
creation and password management?
I am trying to use an IDM to synchronize accounts from one directory
to FreeIPA. The IDM does not have native FreeIPA support but does
have LDAP support.
I have successfully gotten some objects created but I am having
problems with their passwords.
I have tried using https://ipa/ui/migration, resetting passwords in
IPA UI, ldappasswd and the ipa-cli but when I kinit these users I get
the following.
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:27:59 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:31:05 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
May 04 21:31:48 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:31:48 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
May 04 21:32:23 ipa01 krb5kdc[13581](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: CLIENT KEY EXPIRED: foou...@example.com for krbtgt/example....@example.com, Password has expired
May 04 21:32:23 ipa01 krb5kdc[13582](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.131.144.139: NEEDED_PREAUTH: foou...@example.com for kadmin/chang...@example.com, Additional pre-authentication required
I did get a few google hits on 'CLIENT KEY EXPIRED' but I am not sure
I understand what they're referring to and if they apply in this
situation.
Thank you,
-Alan
This might be caused by the mismatch of the LDAP password hashes.
The password hashes that you had in the other directory might not have the
right hash types.
There is a way to change the hashing scheme in the IPA directory so that
the hashes would become accepted, but I do not recall the setting off the top
of my head.
In general this is not yet supported. We are working on the feature for 4.2.
http://www.freeipa.org/page/V4/User_Life-Cycle_Management
--
Thank you,
Dmitri Pal
Director of Engineering for IdM portfolio
Red Hat, Inc.
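The KDC log above shows a recognisable pattern for each failed kinit: an AS_REQ for the krbtgt answered with "CLIENT KEY EXPIRED ... Password has expired", followed in the same second by an AS_REQ for kadmin/changepw (the client trying to change the password), and never an issued ticket. The following script, added here as an illustration and not part of this thread or of FreeIPA, parses krb5kdc log lines in the format shown and summarises, per client principal, how many times the key was reported expired, whether a password change was attempted and whether a ticket was ever issued, so an admin can spot synchronised accounts that are stuck. The host name, PID, IP addresses, principals and the successful ISSUE line for a second user are constructed sample data, not values from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the krb5kdc log format seen in the thread.
# Host, PID, IPs and principals are made up; the final ISSUE line is the
# MIT KDC's format for a successfully issued ticket, added for contrast.
SAMPLE_LOG = """\
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: CLIENT KEY EXPIRED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
May 04 21:21:26 ipa01 krb5kdc[12959](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required
May 04 21:26:44 ipa01 krb5kdc[12957](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 04 21:27:59 ipa01 krb5kdc[12956](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: CLIENT KEY EXPIRED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired
May 04 21:30:01 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: NEEDED_PREAUTH: bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 04 21:30:01 ipa01 krb5kdc[12958](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: ISSUE: authtime 1430775001, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

# Common prefix: timestamp, host, "krb5kdc[pid](level):", request type,
# etype list, client IP, status keyword, and the remainder of the line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \((?P<etypes>[^)]*)\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "client for server[, detail]" appears in the remainder for every status;
# ISSUE lines carry authtime/etype fields before it, hence search() below.
PRINCIPALS_RE = re.compile(
    r"(?P<client>\S+@\S+) for (?P<server>[^,\s]+)(?:, (?P<detail>.*))?$"
)


@dataclass
class KdcEvent:
    ts: str
    ip: str
    status: str
    client: str
    server: str
    detail: str


def parse_kdc_log(text):
    """Parse krb5kdc log text into KdcEvent records; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PRINCIPALS_RE.search(m["rest"])
        if not p:
            continue
        events.append(KdcEvent(m["ts"], m["ip"], m["status"],
                               p["client"], p["server"], p["detail"] or ""))
    return events


def expired_key_report(events):
    """Per client principal: CLIENT KEY EXPIRED count, password-change
    attempts (requests for kadmin/changepw) and tickets actually issued."""
    report = defaultdict(lambda: {"expired": 0, "changepw_attempts": 0, "issued": 0})
    for ev in events:
        r = report[ev.client]
        if ev.server.startswith("kadmin/changepw@"):
            r["changepw_attempts"] += 1
        elif ev.status == "CLIENT KEY EXPIRED":
            r["expired"] += 1
        elif ev.status == "ISSUE":
            r["issued"] += 1
    return dict(report)


def stuck_principals(report):
    """Principals whose key was reported expired and who never got a ticket."""
    return sorted(p for p, r in report.items() if r["expired"] and not r["issued"])


if __name__ == "__main__":
    rep = expired_key_report(parse_kdc_log(SAMPLE_LOG))
    for principal, counts in sorted(rep.items()):
        print(f"{principal}: {counts}")
    print("stuck:", stuck_principals(rep))
```

Feed it the real KDC log (on a FreeIPA server of that era, /var/log/krb5kdc.log) instead of SAMPLE_LOG; every principal listed as stuck is one whose password was set by the external path and is being rejected at the first kinit, which is the population to check after each synchronisation run.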
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project