This is what the source code said to me too.
I'm going to have to fall back to directly interacting with LDAP to make
this work, or set up PWM though we'd prefer an official and supported
password manager plugin for FreeIPA.
From: Alexander Bokovoy [mailto:firstname.lastname@example.org]
Sent: Tuesday, 7 November 2017 7:17 PM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hicks(a)nesi.org.nz>
Subject: Re: [Freeipa-users] Using user-mod to set a hashed password
On ti, 07 marras 2017, Aaron Hicks via FreeIPA-users wrote:
Hello the list,
The next terrible bad thing our customer service model says we'd like
to do with FreeIPA is set user passwords from our customer management
system. It's not AD and it's not LDAP. It does have a store of salted
hashed sha512 passwords.
I have set the FreeIPA directory in migration mode as per
We are able to add new users (with add-user) and set their password
The previous bit is working. The next bit is not.
We have a bunch of users in the directory who were created before we
enabled this feature in user creation, and another bunch who have not
yet generated a password hash. These users have no password set in
FreeIPA. Our script is capable of figuring out if an account
hasPassword attribute is True or False.
We'd like to set these user's passwords if they are not already set, but:
ipa user-mod username --setattr
ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid
We get the same response when we kinit as admin or a user with the System:
Change User password permission.
Is there a specific configuration mode option or account attribute that
allows this to work?
No, nothing would allow you to change pre-hashed passwords
What you could do is to set them a random non-hashed password as
administrator and thus it would force to change the password on next login.
That's all you could do. Of course, 'next login' can be simulated too, but
you cannot do this with a hashed password.
/ Alexander Bokovoy