Ronald Wimmer via FreeIPA-users wrote:
> On 25.01.24 15:27, Ronald Wimmer via FreeIPA-users wrote:
>> On 08.01.24 17:58, Alexander Bokovoy wrote:
>>>> On Mon, 08 Jan 2024, Ronald Wimmer wrote:
>>>> On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 02.01.24 16:27, Rob Crittenden wrote:
>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>
>>>>>>>
>>>>>>> On 14.12.23 14:42, Alexander Bokovoy wrote:
>>>>>>>> On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
>>>>>>>>> In our company we do have an IAM tool for user management. We
>>>>>>>>> need to
>>>>>>>>> create IPA users via this particular tool. I am aware of all IPA
>>>>>>>>> commands or API calls to create/modify or delete a user.
>>>>>>>>>
>>>>>>>>> As the tool does not support FreeIPA yet they asked if there is
>>>>>>>>> a way
>>>>>>>>> to manage users by using LDAP only. Could that work? What about
>>>>>>>>> attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
>>>>>>>>
>>>>>>>> Learn about lifecycle management. This is your way of
>>>>>>>> integrating with
>>>>>>>> such tools by creating staged users:
>>>>>>>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_idm_users_groups_hosts_and_access_control_rules/configuring-idm-for-external-provisioning-of-users_managing-users-groups-hosts#doc-wrapper
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> I followed the instructions from the documentation.
>>>>>>>
>>>>>>> How could I possibly overcome
>>>>>>>
>>>>>>> Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]:
>>>>>>> ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
>>>>>>>
>>>>>>> I need to set passwords from the external system.
>>>>>>
>>>>>> You need to enable migration mode (ipa config-mod
>>>>>> --enable-migration true).
>>>>>>
>>>>>> By default a pre-hashed password can only be set once: during the
>>>>>> user
>>>>>> add operation.
>>>>>
>>>>> Ok. So this would not work for a password change. So if we need to
>>>>> set an initial password and change that particular password in some
>>>>> point in time the only feasible way is the IPA API, right?
>>>>>
>>>>> Can the immediate password expiration be overridden?
>>>>
>>>> As we have an upcoming please allow me to ask if I got the point here.
>>>>
>>>> I appreciate your support in this matter!
>>>>
>>>
>>> I was looking over the code. The only way to accept pre-hashed passwords
>>> is when they also have Kerberos keys set. This means you cannot use
>>> external LDAP modify/add for that as you cannot create the Kerberos key
>>> without knowing a Kerberos master key.
>>>
>>> So the only other option is to submit a clear-text password:
>>>
>>>   userPassword: {CLEAR}text-password
>>>
>>> That will be accepted and if bind DN that performed this change is
>>> either a cn=Directory Manager or a one from the passsync managers, it
>>> would also not be marked for expiration immediately.
>>
>>
>> If I try to set the userPassword attribute to some value with an LDAP
>> browser and chose "plaintext" the value gets hashed immediately. I do
>> see {PBKDF2_SHA256}. As a consequence the user cannot be activated.
>>
>> What am I doing wrong?
>>
>> I tried to enable migration mode and wanted to try it again but now I
>> cannot connect to IPA's LDAP directory at all anymore...
>>
>> [root@tipa01 ~]# ipa config-mod --enable-migration=true
>>    Maximum username length: 32
>>    Maximum hostname length: 64
>>    Home directory base: /home
>>    Default shell: /bin/sh
>>    Default users group: ipausers
>>    Default e-mail domain: ipatest.mydomain.at
>>    Search time limit: 2
>>    Search size limit: 100
>>    User search fields: uid,givenname,sn,telephonenumber,ou,title
>>    Group search fields: cn,description
>>    Enable migration mode: True
>>    Certificate Subject base: O=IPATEST.MYDOMAIN.AT
>>    Password Expiration Notification (days): 4
>>    Password plugin features: AllowNThash, KDC:Disable Last Success
>>    SELinux user map order:
>> guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>>
>>    Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>    Default PAC types: MS-PAC, nfs:NONE
>>    IPA masters: tipa01.ipatest.mydomain.at, tipa02.ipatest.mydomain.at
>>    IPA master capable of PKINIT: tipa01.ipatest.mydomain.at,
>> tipa02.ipatest.mydomain.at
>>    IPA CA servers: tipa01.ipatest.mydomain.at
>>    IPA CA renewal master: tipa01.ipatest.mydomain.at
>>    Domain resolution order: org.mydomain.at:ipatest.mydomain.at
>> [root@tipa01 ~]# ipa config-mod --enable-migration=false
>> ipa: ERROR: Major (851968): Unspecified GSS failure.  Minor code may
>> provide more information, Minor (2529638972): KDC returned error
>> string: PROCESS_TGS
> 
> I should have done a little debugging instead of asking again. dirsrv
> was not running after ipa config-mod --enable-migration=true
> 
> OK. Let me summarize... The whole procedure (creating a user in the
> staging area if the password is a cleartext one) works if migration mode
> is enabled. What drawbacks arise if migration mode is enabled all the time?

It is extra work whenever a user is unauthorized and has provided a
password because it will try to authenticate with both Kerberos and LDAP
in an attempt to migrate it.

rob
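As an added example (not code from this thread, from FreeIPA or from Red Hat), a small Python helper for a provisioning tool that builds the stage-user LDIF Alexander describes: it tags the password with {CLEAR}, and refuses values that already carry a hash tag, which ipa-activate-all otherwise rejects with "pre-hashed passwords are not valid" unless migration mode is on. The staging container DN follows the Red Hat guide linked above; the dc= suffix, the attribute values and the function names are assumptions made for the example.

```python
import base64
import re

# Staging container from the RHEL IdM external-provisioning guide linked in the
# thread; the dc= suffix is an assumption made for this constructed example.
STAGE_BASE = "cn=staged users,cn=accounts,cn=provisioning,dc=ipatest,dc=mydomain,dc=at"
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def password_scheme(value: str):
    """Storage-scheme tag of a userPassword value ('CLEAR', 'PBKDF2_SHA256', ...)
    or None when the value carries no tag."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else None


def check_userpassword(value: str, migration_mode: bool = False) -> str:
    """Classify a userPassword value as the thread describes IPA handling it:
    'ok'        {CLEAR} text, accepted for stage users without Kerberos keys
    'migration' hashed (or untagged, hashed on write) value, usable only while
                'ipa config-mod --enable-migration=true' is in effect
    'rejected'  the same value with migration mode off; activation then fails
                with 'Constraint violation: pre-hashed passwords are not valid'"""
    if password_scheme(value) == "CLEAR":
        return "ok"
    return "migration" if migration_mode else "rejected"


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; values that are not LDIF SAFE-STRINGs (non-ASCII,
    control characters, or a leading space, ':' or '<') are base64-encoded."""
    safe = value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<"))
    return f"{name}: {value}" if safe else f"{name}:: {base64.b64encode(value.encode()).decode()}"


def staged_user_ldif(uid: str, givenname: str, sn: str, password: str) -> str:
    """LDIF 'add' for a stage user whose password goes in as {CLEAR} text; an
    already-hashed value is refused here instead of failing at ipa-activate-all."""
    value = password if password_scheme(password) else "{CLEAR}" + password
    if check_userpassword(value) != "ok":
        raise ValueError("pre-hashed userPassword: stage user could not be activated")
    lines = [
        f"dn: uid={uid},{STAGE_BASE}", "changetype: add",
        "objectClass: top", "objectClass: inetorgperson",
        ldif_attr("uid", uid), ldif_attr("givenName", givenname),
        ldif_attr("sn", sn), ldif_attr("cn", f"{givenname} {sn}"),
        ldif_attr("userPassword", value),
    ]
    return "\n".join(lines) + "\n"
```

The resulting LDIF is what an ldapadd bound as cn=Directory Manager or a PassSync manager would submit, which per Alexander's reply also avoids the immediate password expiration.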
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue