Thursday, June 15, 2017

[389-users] Re: Migration from OpenLDAP to 389 DS

On 06/15/2017 07:48 AM, Blaz Kalan wrote:
> Hi,
>
> Sorry, I checked again and we use base64 coded passwords:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
The server always base64 encodes passwords - that is fine and expected.
>
> what do you suggest in this case?
>
> But even if I try with md5, I get an error.
>
> ldif:
> dn: uid=mnadmin,ou=User,l=Kranj,c=SI
> uid: mnadmin
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: itUserOC
> description: Administrator
> sn: mnadmin
> cn: mnadmin
> userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
> structuralObjectClass: inetOrgPerson
> nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
> creatorsName: cn=ldapadmin,l=Kranj,c=SI
> createTimestamp: 20151105074714Z
> itUserLocked: FALSE
> itSuperUser: TRUE
> itPasswordExpire: 200504101330Z
> itLastLogin: 200504101330Z
> modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
> modifyTimestamp: 20151105074859Z
>
>
> error:
> Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'. The error sent by the server was 'Constraint violation. invalid password syntax - passwords with storage scheme are not allowed'. The object is: LDAPEntry: uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet: LDAPAttribute {type='itsuperuser', values='TRUE'} LDAPAttribute {type='itlastlogin', values='200504101330Z'} LDAPAttribute {type='sn', values='mnadmin'} LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='} LDAPAttribute {type='objectclass', values='inetOrgPerson,organizationalPerson,person,itUserOC'} LDAPAttribute {type='uid', values='mnadmin'} LDAPAttribute {type='ituserlocked', values='FALSE'} LDAPAttribute {type='modifytimestamp', values='20151105074859Z'} LDAPAttribute {type='modifiersname', values='uid=mnadmin,ou=User,l=Kranj,c=SI'} LDAPAttribute {type='nsuniqueid', values='2cec3dde-17dd-1035-945a-f5630028a5a6'} LDAPAttribute {type='createtimestamp', values='20151105074714Z'} LDAPAttribute {
> type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'} LDAPAttribute {type='cn', values='mnadmin'} LDAPAttribute {type='itpasswordexpire', values='200504101330Z'} LDAPAttribute {type='description', values='Administrator'} LDAPAttribute {type='structuralobjectclass', values='inetOrgPerson'}.

Okay, this is expected if you try and add a prehashed password as a
regular user. So how are you adding these entries exactly?

If you are using ldapmodify, then you need to bind as the directory
manager to bypass these constraints. Or, import the entire user ldif
using ldif2db which also bypasses these checks.

Regards,
Mark
>
> Thank you very much.
> BR,
> Blaz
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
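A pre-flight check for the situation in this thread, added here as an example and not code from either poster or from the 389 DS project: before importing an OpenLDAP export, walk the LDIF, decode any `userPassword::` (base64) values, and list every entry whose password carries a `{SCHEME}` prefix. Those are exactly the entries that trigger "passwords with storage scheme are not allowed" under a regular bind and therefore need the Directory Manager bind or an ldif2db import. The sample LDIF below is constructed in the shape of the thread's entry (the DNs and the second and third password values are made up); the base64 value is the one quoted in the thread, and decoding it is what shows that the "base64 coded" password is in fact a `{MD5}` hash too.

```python
import base64
import re

# Constructed sample LDIF (not the poster's real export): one base64 ("::")
# userPassword, one plain {MD5} value, one clear-text value that the server
# would hash itself on add.
SAMPLE_LDIF = """\
dn: uid=mnadmin,ou=User,l=Kranj,c=SI
uid: mnadmin
objectClass: inetOrgPerson
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

dn: uid=user1,ou=User,l=Kranj,c=SI
uid: user1
objectClass: inetOrgPerson
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==

dn: uid=user2,ou=User,l=Kranj,c=SI
uid: user2
objectClass: inetOrgPerson
userPassword: cleartext-will-be-hashed-by-server
"""

# A storage-scheme prefix as 389 DS / OpenLDAP write it: {MD5}, {SSHA}, {PBKDF2_SHA256}, ...
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}")


def parse_ldif(text):
    """Yield (dn, [(attr, value_bytes), ...]) for each LDIF record.

    Handles blank-line record separators, '#' comment lines, folded
    continuation lines (leading space) and '::' base64-encoded values.
    """
    records, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
            continue
        if raw.strip() == "":
            if lines:
                records.append(lines)
                lines = []
            continue
        lines.append(raw)
    if lines:
        records.append(lines)

    for rec in records:
        dn, attrs = None, []
        for line in rec:
            if line.startswith("version:"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                # "attr:: <base64>" -- decode to the raw attribute bytes
                value = base64.b64decode(rest[1:].strip())
            else:
                value = rest.strip().encode("utf-8")
            if name.lower() == "dn":
                dn = value.decode("utf-8", "replace")
            else:
                attrs.append((name, value))
        if dn is not None:
            yield dn, attrs


def password_values(ldif_text):
    """Map each DN to its decoded userPassword string, so a {SCHEME}
    prefix hidden behind base64 is still visible."""
    out = {}
    for dn, attrs in parse_ldif(ldif_text):
        for name, value in attrs:
            if name.lower() == "userpassword":
                out[dn] = value.decode("utf-8", "replace")
    return out


def find_prehashed_passwords(ldif_text):
    """Return [(dn, SCHEME)] for entries whose userPassword is prehashed.

    These are the entries a regular bind cannot add ('passwords with
    storage scheme are not allowed'); import them as Directory Manager
    or via ldif2db, as the reply above says.
    """
    found = []
    for dn, pw in password_values(ldif_text).items():
        m = SCHEME_RE.match(pw)
        if m:
            found.append((dn, m.group(1).upper()))
    return found


if __name__ == "__main__":
    for dn, scheme in find_prehashed_passwords(SAMPLE_LDIF):
        print(f"prehashed ({scheme}): {dn}")
```

Run it against the real export instead of `SAMPLE_LDIF` to see how many entries need the privileged import path. Note that both flagged entries here use unsalted `{MD5}`, so a migration is also a good moment to let the server rehash them with its current default scheme on the users' next password change.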
