Ronald Wimmer wrote:
> On 08.01.24 17:14, Rob Crittenden wrote:
>> Ronald Wimmer wrote:
>>> On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
>>>> On 02.01.24 16:27, Rob Crittenden wrote:
>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>> On 14.12.23 14:42, Alexander Bokovoy wrote:
>>>>>>> On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>> In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
>>>>>>>>
>>>>>>>> As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
>>>>>>>
>>>>>>> Learn about lifecycle management. This is your way of integrating with such tools by creating staged users:
>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts#doc-wrapper
>>>>>>
>>>>>> I followed the instructions from the documentation.
>>>>>>
>>>>>> How could I possibly overcome
>>>>>>
>>>>>> Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
>>>>>>
>>>>>> I need to set passwords from the external system.
>>>>>
>>>>> You need to enable migration mode (ipa config-mod --enable-migration true).
>>>>>
>>>>> By default a pre-hashed password can only be set once: during the user add operation.
>>>>
>>>> Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time, the only feasible way is the IPA API, right?
>>>>
>>>> Can the immediate password expiration be overridden?
>>>
>>> As we have an upcoming please allow me to ask if I got the point here.
>>>
>>> I appreciate your support in this matter!
>>
>> I'd recommend you look into the winsync documentation in IPA. There is a setting you can configure to allow a pre-hashed password to be written without marking it as expired (because this is what winsync does).
>>
>> If you use Kerberos then users are going to have to migrate their password every time it changes on the external system.
>
> I quickly skipped over the documentation. winsync-migrate seems to require AD trust. I did not mention that before but we need to get rid of all trusts in our domain landscape.
>
> We will need the ability to create and update users from an external system. Including passwords. So what would probably be the best option here?

Just look at the docs. There is a synchronization setting you can use to bring in pre-hashed passwords. I don't have a link handy.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
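The thread above discusses provisioning staged users over plain LDAP with a pre-hashed password, which by default IPA only accepts once (at add time) and otherwise rejects with "pre-hashed passwords are not valid" unless migration mode is enabled. As an added example that is not part of this thread and not FreeIPA's own code, the following Python script shows what an external IAM system would generate for that flow: an RFC 2307 style `{SSHA}` userPassword value, the LDIF for a stage-area entry, and a verification routine an operator can use to confirm the hash before it is pushed. The stage container DN (`cn=staged users,cn=accounts,cn=provisioning,<suffix>`) and the `top`/`inetorgperson` object class set are assumptions based on the Red Hat documentation linked in the thread; the suffix and the user values are constructed sample data.

```python
import base64
import hashlib
import os

# Constructed sample suffix; replace with your real IPA base DN.
SUFFIX = "dc=ipatest,dc=example,dc=com"

# Assumed stage-user container from the linked Red Hat documentation:
# entries added here are later activated with ipa stageuser-activate
# (or the ipa-activate-all script seen in the thread's log line).
STAGE_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"

SHA1_LEN = 20


def ssha_hash(password, salt=None):
    """Return a {SSHA} value suitable for the userPassword attribute.

    Format: "{SSHA}" + base64(sha1(password + salt) + salt).
    A fresh 8-byte random salt is used unless one is supplied.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return candidate == digest


def is_prehashed(value):
    """True when a userPassword value carries a hash scheme prefix,
    i.e. it is not an accidental cleartext password."""
    return value.startswith("{") and "}" in value[1:]


def stage_user_ldif(uid, given_name, sn, prehashed_password):
    """Build the LDIF an external system would ldapadd into the stage area.

    Only a pre-hashed userPassword is accepted here, so cleartext never
    ends up in a provisioning file by mistake.
    """
    if not is_prehashed(prehashed_password):
        raise ValueError("userPassword must be a pre-hashed value")
    attrs = [
        ("dn", f"uid={uid},{STAGE_CONTAINER}"),
        ("objectClass", "top"),
        ("objectClass", "inetorgperson"),
        ("uid", uid),
        ("givenName", given_name),
        ("sn", sn),
        ("cn", f"{given_name} {sn}"),
        ("userPassword", prehashed_password),
    ]
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample user; write to a file and feed it to ldapadd.
    hashed = ssha_hash("Sample-Passw0rd!")
    print(stage_user_ldif("stageuser1", "Stage", "User", hashed))
```

The produced file would be loaded with `ldapadd` as the linked documentation describes, and the entry activated afterwards. As Rob notes in the thread, a second pre-hashed write (a password change rather than the initial add) is refused unless migration mode is enabled with `ipa config-mod --enable-migration true`, so a provisioning job that pushes password updates must account for that setting.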