Running FreeIPS 4.8.10-6, 5.10.10-200.fc33.x86_64
First note that the part (inside 'Now create this entry') that has --gecos='$gecos' actually inserts $gecos into the FreeIPA record. Also a simple fix to insert a first and last name would be:
first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')
and adding in the "Now create this entry section":
--first=$first --last=$last
I'm trying to migrate the passwords from NIS so that they are merged in the
/etc/passwd file. (this is a test server). I followed Rob C's previous tips from
here and
here.
Not sure it matters but in /etc/libuser.conf, crypt_style = sha512
In the script I added:
password1=$(echo $line | cut -f2 -d:)
and in the Now create this entry section:
--setattr "userpassword='{CRYPT}$password1'"
Here's what gets logged when debug is turned on:
[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] admin@OURDOMAIN.EDU: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS
So does that appear that {CRYPT} is not being interpreted? I also added some debug:
echo "Password hash value is $password1"
And what prints is the original hash, sans {CRYPT}.
So to test this outside of the script I added a test user:
ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser
Then I ran the following and the password worked:
ldapsearch -x -D 'uid=testuser,cn=users,cn=accountsdc=ourdomain,dc=edu' -W
# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: testuser@OURDOMAIN.EDU
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: testuser@ourdomain.edu
krbCanonicalName: testuser@OURDOMAIN.EDU
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z
# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc
=edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0
# search result
search: 2
result: 0 Success
Is it still possible to do this in the current versions?
Thanks,
Rob