Running FreeIPA 4.8.10-6, 5.10.10-200.fc33.x86_64
I'm using the nis-users.sh script from https://access.redhat.com/documentation/en-us/red_hat_enterprise_lin...
First note that the part (inside 'Now create this entry') that has --gecos='$gecos' actually inserts $gecos into the FreeIPA record.
Also a simple fix to insert a first and last name would be:
first=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo "$gecos" | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
and adding in the "Now create this entry section":
--first=$first --last=$last
I'm trying to migrate the passwords from NIS so that they are merged in the /etc/passwd file. (this is a test server). I followed Rob C's previous tips from here <https://freeipa-users.redhat.narkive.com/vTJsopZ5/problem-migrating-passw...> <https://www.redhat.com/archives/freeipa-users/2013-April/msg00058.html>.
Not sure it matters but in /etc/libuser.conf, crypt_style = sha512
In the script I added:
password1=$(echo $line | cut -f2 -d:)
and in the Now create this entry section:
--setattr "userpassword='{CRYPT}$password1'"
Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS
So does it appear that {CRYPT} is not being interpreted? I also added some debug:
echo "Password hash value is $password1"
And what prints is the original hash, sans {CRYPT}.
So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT}the-actual-hash-of-the-password' testuser
Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu' -W
# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z
# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0
# search result
search: 2
result: 0 Success
Is it still possible to do this in the current versions?
I think the problem is your double-quoting around the setattr value.
Drop that and it works for me.
I'm not entirely sure how that is messing things up in the API but yeah
it looks like it isn't seeing the {CRYPT} and encoding the whole thing
as a raw password (probably including the {CRYPT}).
rob
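One way to wire up the per-line `ipa user-add` call so the pre-hashed password reaches the server without the stray quotes Rob points to, as an added example that is not part of the thread or of the Red Hat nis-users.sh script. It assumes the colon-separated NIS passwd line layout and the `ipa user-add` options --first, --last, --gecos, --homedir, --shell, --uid, --gidnumber and --setattr; the command name is a parameter so the argv can be inspected without a FreeIPA server.

```shell
#!/bin/sh
# Added example; it is not the thread's nis-users.sh and not FreeIPA code.
# One NIS passwd(5) line becomes the exact argv for "ipa user-add".  The
# pre-hashed password travels as a single word, userpassword={CRYPT}<hash>,
# so no literal quote characters reach the server.  The command name is a
# parameter, so the argv can be inspected without a FreeIPA server.

# "Last, First" (or "First Last") -> FIRST / LAST, the poster's sed|awk fix.
split_gecos() {
    _name=$(printf '%s\n' "$1" | sed -e 's/\(.*\), \(.*$\)/\2 \1/')
    FIRST=$(printf '%s\n' "$_name" | awk '{print $1}')
    LAST=$(printf '%s\n' "$_name" | awk '{print $NF}')
}

# 0 when a --setattr word reads userpassword={CRYPT}..., 1 when something
# else (such as the quote that "userpassword='{CRYPT}$hash'" puts there)
# sits between "=" and "{CRYPT}", in which case the server sees no tag and
# stores the whole string as a fresh plaintext password.
setattr_ok() {
    case "$1" in
        'userpassword={CRYPT}'*) return 0 ;;
        *)                       return 1 ;;
    esac
}

# add_user LINE [CMD]: LINE is login:hash:uid:gid:gecos:home:shell from the
# NIS passwd map; CMD defaults to ipa.  Lines with an empty hash are refused.
add_user() {
    _cmd=${2:-ipa}
    IFS=: read -r login hash uid gid gecos home shell <<EOF
$1
EOF
    [ -n "$hash" ] || return 1
    split_gecos "$gecos"
    _pw="userpassword={CRYPT}$hash"
    setattr_ok "$_pw" || return 1    # sanity check before anything is sent
    # --gecos="$gecos" passes the value itself, not '$gecos' with quotes.
    "$_cmd" user-add --first="$FIRST" --last="$LAST" --gecos="$gecos" \
        --homedir="$home" --shell="$shell" --uid="$uid" --gidnumber="$gid" \
        --setattr "$_pw" "$login"
}

# Constructed sample line; the hash is a placeholder, not a real crypt(3) value.
SAMPLE='jsmith:$6$saltsalt$placeholderhash:5319:150:Smith, John:/home/jsmith:/bin/tcsh'

# Prints each argv word on its own line; stands in for ipa below.
show_argv() { printf '%s\n' "$@"; }

add_user "$SAMPLE" show_argv
```

Run it once with show_argv to confirm the setattr word is `userpassword={CRYPT}...` with no quote in front of the tag, then swap the second argument out for the real ipa.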