Hello the list,

The next terrible bad thing our customer service model says we’d like to do with FreeIPA is set user passwords from our customer management system. It’s not AD and it’s not LDAP. It does have a store of salted hashed sha512 passwords.

I have set the FreeIPA directory in migration mode as per http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords

We are able to add new users (with add-user) and set their password with --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

The previous bit is working. The next bit is not.

We have a bunch of users in the directory who were created before we enabled this feature in user creation, and another bunch who have not yet generated a password hash. These users have no password set in FreeIPA. Our script is capable of figuring out if an account’s hasPassword attribute is True or False.

We’d like to set these users’ passwords if they are not already set, but:

ipa user-mod username --setattr userpassword={crypt}$6$reallylongsalteddsha512hashsoveryverylong

ipa: ERROR: Constraint violation: Pre-Encoded passwords are not valid

We get the same response when we kinit as admin or a user with the System: Change User password permission.

Is there a specific configuration mode option or account attribute that allows this to work?

Regards,

Aaron Hicks
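Added illustration, not part of the message above: a small Python check that validates a pre-encoded {crypt}$6$ value in the sha512-crypt modular format the message describes before it is passed to `ipa user-add --setattr`, and quotes the argument so a shell does not expand the `$`-prefixed parts. The sample hash, user names and helper names are made up for the example.

```python
import re
import shlex

# sha512-crypt modular format: $6$[rounds=N$]salt$hash, where salt is 1-16
# chars and hash is exactly 86 chars, both from the crypt alphabet [./0-9A-Za-z].
CRYPT_SHA512_RE = re.compile(
    r"^\{crypt\}\$6\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$"
    r"(?P<hash>[./0-9A-Za-z]{86})$"
)

# Constructed sample value (not a real hash): 16-char salt, 86-char hash body.
SAMPLE_VALUE = "{crypt}$6$rounds=5000$abcdefghijklmnop$" + "A" * 86


def parse_crypt_sha512(value: str) -> dict:
    """Split a {crypt}$6$ string into rounds/salt/hash, or raise ValueError."""
    m = CRYPT_SHA512_RE.match(value)
    if not m:
        raise ValueError("not a {crypt}$6$ sha512-crypt string")
    # glibc uses 5000 rounds when none are given and clamps to [1000, 999999999];
    # anything outside that range points at a mangled export.
    rounds = int(m.group("rounds")) if m.group("rounds") else 5000
    if not 1000 <= rounds <= 999_999_999:
        raise ValueError(f"rounds={rounds} outside the sha512-crypt range")
    return {"rounds": rounds, "salt": m.group("salt"), "hash": m.group("hash")}


def setattr_argument(value: str) -> str:
    """Return a shell-safe --setattr argument; refuses malformed values."""
    parse_crypt_sha512(value)
    # Unquoted, a shell would expand "$6" and "$rounds..." before ipa sees them.
    return shlex.quote(f"userpassword={value}")


def build_user_add_command(uid: str, first: str, last: str, value: str) -> str:
    """Assemble the ipa user-add line the message uses, with every field quoted."""
    return " ".join([
        "ipa", "user-add", shlex.quote(uid),
        "--first", shlex.quote(first), "--last", shlex.quote(last),
        "--setattr", setattr_argument(value),
    ])


if __name__ == "__main__":
    print(build_user_add_command("jdoe", "Jane", "Doe", SAMPLE_VALUE))
```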