#4450 Password migration is broken
Closed: Fixed None Opened 5 years ago by rcritten.

From https://www.redhat.com/archives/freeipa-users/2014-July/msg00081.html

$ ipa user-add "bill.mathews" --last="Mathews" --first="William" --email="blah" --phone="xxx-yyy-zzzz" --setattr userpassword="{SHA}bunchajunka" --setattr o="University of Tweedle" --gidnumber=65534 --uid=2000063

And I get:

ERROR: Constraint violation: invalid password syntax - passwords with
storage scheme are not allowed

Seems to be caused by https://fedorahosted.org/389/ticket/47389 and
fixed by https://fedorahosted.org/389/ticket/47753 which is not yet in a
release AFAICT.

It may be that a 389-ds release fixes this but IPA should have some sort of test or CI to verify that migration is working prior to release.

389 error file when trying to add userPassword via ldapmodify and the cn=directory manager

The description in the above tickets suggested that a workaround might be to ldapmodify the migrated-but-passwordless user entries, binding as directory manager. This failed with a not very descriptive "operation error". The attached file is my 389-ds error log, with debug level set to 16383.

I noticed that ticket #3911 seems to indicate that IPA disallows modification of ldap entries using ldap commands. Is this the reason for the failure? Is there any potential workaround to get the ldap password hashes migrated?

In addition to the problem description above, "ipa migrate-ds" also fails to insert the existing passwords into 389-ds.

The following works with plain 389-ds-base in F20 (1.3.2 branch):

ldapmodify -x -h localhost -p 1210 -D "cn=directory manager" -w Secret123 <<EOF
dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}T9nQIKIo552eA1vAk4UCOV3z/cvWGprmNh9bEA==
EOF
modifying entry "uid=scarter,ou=people,dc=example,dc=com"

ticket #3911 is really about moving some of the "business logic" from the python framework into the DS. You can certainly use ldap modify operations directly against IPA, for a limited amount of things.

The problem with pre-hashed userPassword is that it is useless for Kerberos. There must be an IPA plugin that is preventing the use of the pre-hashed password.

As Rich said, we do not disallow direct LDAP modifications, just discourage it in some cases.

Rich, the password is being set for use in sssd migration mode where one can authenticate using LDAP and Kerberos credentials are created with the password provided.

I've confirmed it is failing on my system with the same Operations Error(1). IMHO this should work as Directory Manager.

I tested custom build of 389-ds-base 1.3.3 branch (389-ds-base-1.3.3.a2-20140715104747.git238d8fe.fc20.x86_64) to verify the fix implemented in https://fedorahosted.org/389/ticket/47753 (this switch would need to be enabled when migration mode is started):

# echo Secret123 | ipa migrate-ds ldap://vm-086.idm.lab.bos.redhat.com --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts'
Failed user:
  admin: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed
  manager: Constraint violation: invalid password syntax - passwords with storage scheme are not allowed

# ldapmodify -x -D "cn=directory manager" -w Secret123 -h `hostname`
dn: cn=config
changetype: modify
replace: nsslapd-allow-hashed-passwords
nsslapd-allow-hashed-passwords: on

modifying entry "cn=config"

# echo Secret123 | ipa migrate-ds ldap://vm-086.idm.lab.bos.redhat.com --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts'
  user: manager

Password migration then also worked:

# ldapsearch -h `hostname` -b dc=mkosek-fedora20,dc=test -D uid=manager,cn=users,cn=accounts,dc=mkosek-fedora20,dc=test -x -w Secret123 -s base

# kinit manager
Password for manager@MKOSEK-FEDORA20.TEST: 

Raising priority of the bug as this blocks migration. We will need to:

  • Backport the option fix to Fedora 20's 389-ds-base - 1.3.2 branch
  • Update config-mod --enable-migration to conditionally switch this configuration when migration mode is enabled/disabled.
  • Add the CI test as Rob suggested - this may be tracked by other ticket
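Added example, not code from the ticket, FreeIPA or 389-ds: a small pre-flight helper for the procedure above. It reads a plain LDIF export of the source users (the sample below is constructed, with a fixed salt so the hash is reproducible), reports which entries carry a {SCHEME}-prefixed userPassword (the ones 389-ds rejects with "passwords with storage scheme are not allowed" while nsslapd-allow-hashed-passwords is off), emits the cn=config LDIF used to flip the switch on before migrate-ds and off afterwards, and verifies a migrated {SSHA}/{SHA} value against a known password offline so you can check a hash without an LDAP bind. The {SSHA} layout assumed is the 389-ds one, base64(sha1(password || salt) || salt); all function names are my own.

```python
import base64
import hashlib
import os
import re

# 389-ds stores pre-hashed values as {SCHEME}<base64>, e.g. {SSHA}..., {SHA}...
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")


def ssha_hash(password, salt=None):
    """Encode a password as 389-ds stores {SSHA}: base64(sha1(pw||salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored, password):
    """Check a cleartext password against a stored userPassword value offline.
    Handles {SSHA}, {SHA}, {CLEAR} and bare cleartext; other schemes raise."""
    m = SCHEME_RE.match(stored)
    if not m:
        return stored == password  # bare cleartext value
    scheme, payload = m.group(1).upper(), m.group(2)
    if scheme == "CLEAR":
        return payload == password
    raw = base64.b64decode(payload)
    if scheme == "SHA":
        return raw == hashlib.sha1(password.encode("utf-8")).digest()
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # sha1 digest is 20 bytes, rest is salt
        return digest == hashlib.sha1(password.encode("utf-8") + salt).digest()
    raise ValueError("unsupported storage scheme: " + scheme)


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, 'attr: v' and 'attr:: b64'."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr.strip(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def classify_passwords(entries):
    """Return {'hashed': [(dn, scheme)], 'cleartext': [dn], 'none': [dn]}.
    'hashed' entries fail with 'passwords with storage scheme are not allowed'
    unless cn=config has nsslapd-allow-hashed-passwords: on."""
    out = {"hashed": [], "cleartext": [], "none": []}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        pw = e.get("userPassword")
        if not pw:
            out["none"].append(dn)
            continue
        m = SCHEME_RE.match(pw[0])
        if m and m.group(1).upper() != "CLEAR":
            out["hashed"].append((dn, m.group(1).upper()))
        else:
            out["cleartext"].append(dn)
    return out


def allow_hashed_ldif(enabled):
    """LDIF to feed 'ldapmodify -x -D "cn=directory manager"' for the cn=config switch."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: nsslapd-allow-hashed-passwords\n"
        "nsslapd-allow-hashed-passwords: %s\n" % ("on" if enabled else "off")
    )


# Constructed sample export (not real data); fixed salt keeps the hash reproducible.
SAMPLE_LDIF = "\n".join([
    "dn: uid=scarter,ou=people,dc=example,dc=com",
    "uid: scarter",
    "userPassword: " + ssha_hash("Secret123", salt=b"\x00\x01\x02\x03\x04\x05\x06\x07"),
    "",
    "dn: uid=bmathews,ou=people,dc=example,dc=com",
    "uid: bmathews",
    "userPassword: plaintext-only",
    "",
    "dn: uid=nopw,ou=people,dc=example,dc=com",
    "uid: nopw",
    "",
])


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(classify_passwords(entries))
    print(allow_hashed_ldif(True))  # pipe into ldapmodify before ipa migrate-ds
    print(verify_userpassword(entries[0]["userPassword"][0], "Secret123"))
```

Run the classifier over the real export first; if "hashed" is non-empty, apply `allow_hashed_ldif(True)` as Directory Manager, run `ipa migrate-ds`, then apply `allow_hashed_ldif(False)` so the server goes back to refusing pre-hashed values once migration is done.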

Patch ''freeipa-mkosek-478-allow-hashed-passwords-in-ds.patch'' sent for review

Updated 389-ds-base from fedora-testing and turned on new hashed passwords attribute.

Deleted all users then re-ran ipa migrate-ds.

Passwords migrated. Migration web UI works as expected. Authentication via LDAP binds works as expected.

Big kudos and thanks to mkosek!

You are welcome, thanks for testing!

cn=config switch enabled by default by these commits:
  • 15eb343 Allow hashed passwords in DS
  • 4782530 Allow hashed passwords in DS

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 4.0.1

3 years ago