Check this out, it's not super detailed, but it should be enough to get
you going:
http://port389.org/wiki/Password_Administrator
You need to create a group (with password admins), or just add a
single DN of a particular user to the attribute passwordAdminDN under
cn=config. Then create an ACI that allows that group/user to make
updates to the userPassword attribute, etc.
Also, using the "cn=directory manager" might also work, not 100% sure
though.
Mark
On 03/10/2014 10:31 AM, Steven Crothers wrote:
I am indeed using 1.3.2, I’m going to research the “Password Administrators” feature myself.
If you have the information on hand, that would be greatly appreciated. :)
Thanks for setting me in the right direction!
On Mar 10, 2014, at 10:25 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
Steven,
What version of 389 are you using?
You can import it using the ldif2db command line tools. Trying to add it using ldapmodify is "not" importing an LDIF. There are explicit checks that do not allow adding a prehashed password when adding an entry this way.
There is a new "Password Administrators" feature in 1.3.1, where a "Password Admin" can add prehashed passwords using ldapmodify.
But for now, if you just use ldif2db/ldif2db.pl you can add that LDIF without issue.
Regards,
Mark
On 03/08/2014 11:35 PM, Steven Crothers wrote:
Hello,
I'm trying to accomplish a poor man's replication from OpenDS from
Oracle/Sun. Basically the logic is as follows:
OpenDS is attached to our corporate IDM.
User is managed in OpenDS.
User updates information in OpenDS.
OpenDS read-replica is updated in our local read-slave.
Python script notices there was a change in our local read-slave.
Script isolates the change from our read-slave and sends the DNs to
sync to my 389 (FreeIPA) server.
FreeIPA replica receives input over the network from notification
agent which includes DNs.
DNs attributes are re-organized (OpenDS doesn't use anything logical,
all 100% custom attributes/objectclasses).
DNs with re-organized attributes are inserted/updated in 389 server
(FreeIPA), minus the updated SSHA password hash.
I get an error saying that adding pre-encoded passwords isn't allowed.
But, that makes me say "How the hell do you import an LDIF backup?"
and frankly, I can't find anything on the subject (albeit, I
admittedly didn't quite know how to search this issue either).
I've never seen a server not accept pre-encoded password hashes (or at
least I don't recall this specific error in OpenDS/LDAP), so my
question is, how can I store the SSHA password hash from OpenDS in my
389server (FreeIPA) server?
Steven Crothers
steven.crothers@xxxxxxxxx
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Mark Reynolds
389 Development Team
Red Hat, Inc
mreynolds@xxxxxxxxxx
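As an added example that is not code from the thread, the 389 wiki, or the 389/FreeIPA project: the pieces a sync script like the one described in the thread would need to use the Password Administrators route Mark points at. It emits the cn=config change that names a group (or a single user DN) in passwordAdminDN, the ACI that lets that group write userPassword, and the ldapmodify change that sets a pre-hashed value on an existing entry; it also validates an OpenDS {SSHA} value locally before forwarding it, so the migration can spot-check a few exported hashes against known credentials instead of discovering a scheme mismatch after the import. Names, DNs and the suffix are placeholders, and the ACI is written to the syntax the wiki page uses; it is assumed that OpenDS produces RFC 2307 style {SSHA} values (base64 of sha1(password + salt) followed by the salt) and that 389 treats everything after the 20-byte digest as the salt, which is what the verifier here does. One caveat on the ldif2db alternative from the thread: ldif2db is a full import that replaces the backend's contents rather than merging, and the ldif2db binary needs the server stopped (ldif2db.pl runs online as a task), so it suits the initial load, not an incremental sync.

```python
"""Added example (not from the thread, the 389 wiki or the 389 project):
helpers for the Password Administrators workflow and for sanity-checking
OpenDS {SSHA} hashes before they are pushed into 389 via ldapmodify.
DNs, suffix and file paths are placeholders (assumptions, not from the page)."""
import base64
import hashlib
import os

PW_ADMIN_GROUP = "cn=Password Admins,ou=Groups,dc=example,dc=com"  # placeholder
SUFFIX = "dc=example,dc=com"  # placeholder


def password_admin_config_ldif(group_dn=PW_ADMIN_GROUP):
    """ldapmodify input (bind as cn=Directory Manager) naming the password-admin
    group. passwordAdminDN may also hold a single user DN instead of a group."""
    return (
        "dn: cn=config\n"
        "changetype: modify\n"
        "replace: passwordAdminDN\n"
        f"passwordAdminDN: {group_dn}\n"
    )


def password_admin_aci_ldif(suffix=SUFFIX, group_dn=PW_ADMIN_GROUP):
    """ACI granting group members write on userPassword under the suffix, nothing else
    (least privilege: the sync account cannot touch other attributes)."""
    aci = (
        '(targetattr="userPassword")'
        '(version 3.0; acl "Password Admins: write userPassword"; '
        f'allow (write) groupdn="ldap:///{group_dn}";)'
    )
    return f"dn: {suffix}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def parse_ssha(value):
    """Split an {SSHA} value into (digest, salt). Raises ValueError for any other
    scheme, bad base64 or a truncated payload, so a malformed value is never forwarded."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % value[:12])
    try:
        raw = base64.b64decode(value[len("{SSHA}"):], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("bad base64 in {SSHA} value") from exc
    if len(raw) <= 20:
        raise ValueError("{SSHA} payload too short for digest + salt")
    return raw[:20], raw[20:]  # assumption: salt is everything after the SHA-1 digest


def ssha_verify(value, password):
    """Does `password` match the {SSHA} value? Spot-check a sample of exported
    hashes against known credentials before trusting the whole export."""
    digest, salt = parse_ssha(value)
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ssha_hash(password, salt=None):
    """Produce an {SSHA} value (8 random salt bytes by default) for local testing."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def prehashed_password_ldif(entry_dn, ssha_value):
    """Modify that replaces userPassword with a pre-hashed value. 389 accepts this
    only when the bind DN is a Password Administrator."""
    parse_ssha(ssha_value)  # refuse to emit a malformed value
    return (
        f"dn: {entry_dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ssha_value}\n"
    )


def ldapmodify_argv(ldif_path, bind_dn, passfile, url="ldap://localhost:389"):
    """OpenLDAP ldapmodify invocation; -y reads the bind password from a file so it
    never appears on the command line or in process listings."""
    return ["ldapmodify", "-x", "-H", url, "-D", bind_dn, "-y", passfile, "-f", ldif_path]


if __name__ == "__main__":
    # Constructed sample: what the OpenDS export might carry for one user.
    sample = ssha_hash("Secret123", b"\x01\x02\x03\x04\x05\x06\x07\x08")
    assert ssha_verify(sample, "Secret123") and not ssha_verify(sample, "wrong")
    print(password_admin_config_ldif())
    print(password_admin_aci_ldif())
    print(prehashed_password_ldif("uid=scrothers,ou=People," + SUFFIX, sample))
    print(" ".join(ldapmodify_argv("/tmp/pw.ldif", "uid=pwsync,ou=People," + SUFFIX, "/etc/pwsync.pass")))
```

The bind DN used with the generated change must itself be a member of the group named in passwordAdminDN; a bind as an ordinary user with the same ACI still gets the pre-encoded password error the thread describes, because the ACI only grants write access while the passwordAdminDN check is what lifts the pre-hashed restriction.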