I have followed a similar procedure several times migrating from 1.3.x to 2.2.9 (not 2.4.x) without any problem with the passwords:

(export): /usr/lib64/dirsrv/slapd-389ds1/db2ldif.pl -D "cn=Directory Manager" -w XXXX -n userRoot -a /tmp/fullbackup.ldif
(import): dsconf -D "cn=Directory Manager" ldap://127.0.0.1 backend import userRoot /var/lib/dirsrv/slapd-ds1/ldif/fullbackup.ldif

On 2.2.9 I had previously set the Default Password Storage Scheme from the GUI (Cockpit) to SSHA.

Is your 389 2.4.x installation a clean one or an upgrade from CentOS? If it's an upgrade, maybe something went wrong during that.
Regards,
Antonis
On 4/7/2024 12:28 PM, Ralf Spenneberg wrote:
Hi Viktor,

thanks a lot for the suggestion.

So I did an export of the old tree running on 1.3.11 using db2ldif:

db2ldif -s "dc=xxx,dc=net" -a /tmp/userRoot.ldif

And I did an import in the new tree running on 2.4:

dsconf -D "cn=Directory Manager" -W ldap://localhost backend import dc=...,dc=net /userRoot.ldif

The import task has finished successfully. Directly afterwards the passwords stopped working again. I had to reset them again. Is there any additional step required?

Kind regards,
Ralf
On Wed, 3 Jul 2024 at 18:26, Viktor Ashirov <vashirov@redhat.com> wrote:
On Wed, Jul 3, 2024 at 3:48 PM Ralf Spenneberg <rspenneberg@gmail.com> wrote:
Actually I just upgraded the system from CentOS 7 to AlmaLinux 9 using elevate. Essentially this is similar to a copy of the /etc/dirsrv and /var/lib/dirsrv directories and starting the new LDAP server.

We don't support or test in-place upgrades (leapp/elevate) and recommend using export/import or replication methods.

Directly afterwards I was not able to log in using the cn=Directory Manager. I checked the hashed password in the dse.ldif file (cn=config) using pwdhash. It was ok. Once I changed the password of the Directory Manager in the dse.ldif file after stopping the 389ds, using a PBKDF2-SHA512 hash, the Directory Manager was able to log in. Other users required a reset of their password as well for a successful login. But since I do not have access to all passwords I would rather reuse the old tree. The nsslapd-allow-hashed-passwords is set to on.

Therefore I doubt that I have double hashed passwords. For the case of the Directory Manager I am positive. And yes, dsconf lists SSHA in my case as well. Any ideas why this is not working?

Do you see any errors regarding NSS in the errors log? NSS in EL7 was using an old database format, and if you just copied it to EL9, it's very likely to fail initialization.
My password policy is quite open:

Global Password Policy: cn=config
------------------------------------
nsslapd-pwpolicy-local: off
passwordstoragescheme: SSHA512
passwordchange: on
passwordmustchange: off
passwordhistory: off
passwordinhistory: 6
passwordadmindn:
passwordtrackupdatetime: off
passwordwarning: 86400
passwordisglobalpolicy: off
passwordexp: off
passwordmaxage: 8640000
passwordminage: 0
passwordgracelimit: 0
passwordsendexpiringtime: off
passwordlockout: off
passwordunlock: on
passwordlockoutduration: 3600
passwordmaxfailure: 3
passwordresetfailurecount: 600
passwordchecksyntax: off
passwordminlength: 8
passwordmindigits: 0
passwordminalphas: 0
passwordminuppers: 0
passwordminlowers: 0
passwordminspecials: 0
passwordmin8bit: 0
passwordmaxrepeats: 0
passwordmincategories: 3
passwordmintokenlength: 3
nsslapd-allow-hashed-passwords: on
nsslapd-pwpolicy-inherit-global: off
Kind regards,
Ralf
On Wed, 3 Jul 2024 at 10:42, Viktor Ashirov <vashirov@redhat.com> wrote:

Hi Ralf,
On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg <rspenneberg@gmail.com> wrote:
Hi there,

I am trying to update an LDAP tree from 389ds 1.3.11 (CentOS 7) to 2.4.5 (AlmaLinux 9). After migrating the tree all passwords stop working, including the Directory Manager. The old tree used SSHA. Setting the rootpwstoragescheme does not help for the Directory Manager. Only manually resetting the passwords using pwdhash in the dse.ldif file and using a PBKDF2-SHA512 password works. Is there a way to enable the old SSHA scheme?

Kind regards,
Ralf

SSHA is still supported in the latest 389-DS:

# dsconf localhost pwpolicy list-schemes | grep SSHA
SSHA
SSHA256
SSHA384
SSHA512

How did you perform the migration? Via replication or export/import?
What is the value of nsslapd-allow-hashed-passwords in cn=config?
I suspect that your passwords after the migration might be doubly hashed instead of imported as is.
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
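A way to test the double-hashing hypothesis raised in the thread, added here as an example; it is not code from the list, from 389-DS or from any of the participants. It reimplements the {SSHA} family layout that pwdhash renders (base64 of digest followed by salt) so that userPassword values from the 1.3.x db2ldif export can be compared, entry by entry, with the values stored after import on the 2.x server. If the new value verifies when the old hash string is fed in as the "password", the import re-hashed the attribute instead of taking it as is. The DNs, hashes and LDIF text are constructed sample data; the 8-byte salt is an assumption about pwdhash's output, and PBKDF2-SHA512 values are only reported as an unsupported scheme, not verified.

```python
import base64
import hashlib
import hmac
import os

# Salted SHA schemes that "dsconf ... pwpolicy list-schemes" reports.
SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA384": hashlib.sha384,
    "SSHA512": hashlib.sha512,
}


def make_ssha(password, scheme="SSHA", salt=None):
    """Return {SCHEME}base64(digest || salt), the layout pwdhash -s SCHEME emits.
    The 8-byte salt length is an assumption; 389-DS accepts whatever trails the digest."""
    algo = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = algo(password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_ssha(password, stored):
    """Constant-time check of a cleartext against a stored {SSHA*} value (like pwdhash -c)."""
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, b64 = stored[1:].partition("}")
    algo = SCHEMES.get(scheme.upper())
    if algo is None:
        return False
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    dlen = algo().digest_size
    if len(raw) <= dlen:          # a digest with no trailing salt is not a valid SSHA value
        return False
    digest, salt = raw[:dlen], raw[dlen:]
    candidate = algo(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def userpasswords_from_ldif(ldif_text):
    """Map DN -> userPassword for every entry in an LDIF dump.
    Handles folded continuation lines and the '::' base64 form db2ldif uses."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # LDIF line folding
        else:
            lines.append(raw)
    result, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None                 # blank line terminates the entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword" and dn is not None:
            result[dn] = value
    return result


def diagnose(old_value, new_value):
    """Classify what happened to one userPassword across export/import."""
    if old_value == new_value:
        return "imported as-is"
    if verify_ssha(old_value, new_value):
        return "double-hashed"        # new value is a hash OF the old hash string
    scheme = new_value[1:].partition("}")[0].upper() if new_value.startswith("{") else ""
    if scheme not in SCHEMES:
        return "rewritten with unsupported scheme: %s" % (scheme or "none")
    return "changed"


def compare_dumps(old_ldif, new_ldif):
    """Per-DN diagnosis for every entry present in both dumps."""
    old, new = userpasswords_from_ldif(old_ldif), userpasswords_from_ldif(new_ldif)
    return {dn: diagnose(old[dn], new[dn]) for dn in old if dn in new}


# Constructed sample data: one entry as exported from the old server, then the
# same entry after a clean import and after a broken one that re-hashed the value.
OLD_HASH = make_ssha("Secret123", "SSHA", salt=bytes(range(1, 9)))
OLD_LINE = "userPassword:: " + base64.b64encode(OLD_HASH.encode()).decode()
OLD_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=net\n"
    "objectClass: inetOrgPerson\n"
    "uid: alice\n" + OLD_LINE + "\n\n"
)
GOOD_LDIF = OLD_LDIF
BAD_LDIF = OLD_LDIF.replace(OLD_LINE, "userPassword: " + make_ssha(OLD_HASH, "SSHA512", salt=b"\x08" * 8))

if __name__ == "__main__":
    print(compare_dumps(OLD_LDIF, GOOD_LDIF))   # -> 'imported as-is'
    print(compare_dumps(OLD_LDIF, BAD_LDIF))    # -> 'double-hashed'
```

Run it against the real dumps by reading the 1.3.x export and a fresh db2ldif of the 2.x backend into compare_dumps; any entry reported as "double-hashed" was re-hashed on import, while "imported as-is" entries that still fail to bind point at something other than the stored hash (for instance the NSS database issue raised in the thread).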
--
Viktor