In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
Learn about lifecycle management. This is your way of integrating with such tools by creating staged users: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
On 14.12.23 14:42, Alexander Bokovoy wrote:
Perfect. I wasn't aware that this existed.
Cheers, Ronald
On 14.12.23 14:42, Alexander Bokovoy via FreeIPA-users wrote:
I took a quick look at the documentation. So... is it right that we have two options:
- use the IPA API or
- LDIF files
Ronald Wimmer via FreeIPA-users wrote:
Or directly over LDAP.
rob
On 14.12.23 23:31, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.12.23 14:42, Alexander Bokovoy via FreeIPA-users wrote:
On Чцв, 14 сне 2023, Ronald Wimmer via FreeIPA-users wrote:
In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
Learn about lifecycle management. This is your way of integrating with such tools bvy creating staged users: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
I took a quick look at the documentation. So... is it right that we have two options
- use the IPA API or
- LDIF files
Or directly over LDAP.
The external IAM system needs to set an IPA user's password as well. What would be the way to go here?
Cheers, Ronald
On 14.12.23 14:42, Alexander Bokovoy wrote:
I followed the instructions from the documentation.
How could I possibly overcome
Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
I need to set passwords from the external system.
Cheers, Ronald
On 19.12.23 09:23, Ronald Wimmer via FreeIPA-users wrote:
I've read https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
So I guess our only chance is to use the IPA API for managing a user including its password?
Cheers, Ronald
Ronald Wimmer via FreeIPA-users wrote:
You need to enable migration mode (ipa config-mod --enable-migration true).
By default a pre-hashed password can only be set once: during the user add operation.
rob
On 02.01.24 16:27, Rob Crittenden wrote:
Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time, the only feasible way is the IPA API, right?
Can the immediate password expiration be overridden?
Cheers, Ronald
On Tue, 19 Dec 2023, Ronald Wimmer wrote:
Set them non-hashed. Why does the external system hash them in LDIF?
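As an added example (not code from this thread or from FreeIPA), a pre-flight check an IAM integration could run over the LDIF it is about to load into the stage container, so that a pre-hashed userPassword is caught before ipa-activate-all rejects it with the constraint violation quoted above, unless migration mode has been enabled as Rob describes. The suffix, the minimal attribute set and the stage container DN are assumptions.

```python
import base64
import re

# Constructed values: an assumed test suffix, and the stage-user container the lifecycle docs describe under it.
SUFFIX = "dc=example,dc=test"
STAGE_CONTAINER = f"cn=staged users,cn=accounts,cn=provisioning,{SUFFIX}"
# RFC 2307-style storage-scheme prefix such as {SSHA}, {CRYPT} or {PBKDF2_SHA256}.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9_-]+\}")

def is_prehashed(value: str) -> bool:
    """True when a userPassword value already carries a hash-scheme prefix."""
    return bool(HASH_PREFIX.match(value))

def build_stage_user_ldif(uid, givenname, sn, password, migration_mode=False):
    """Render a minimal stage-user entry; refuse a pre-hashed password unless
    migration mode is on, because ipa-activate-all otherwise fails with
    'Constraint violation: pre-hashed passwords are not valid'."""
    if is_prehashed(password) and not migration_mode:
        raise ValueError("pre-hashed password: enable migration mode first")
    return "\n".join([
        f"dn: uid={uid},{STAGE_CONTAINER}",
        "objectClass: inetorgperson",
        f"uid: {uid}",
        f"givenName: {givenname}",
        f"sn: {sn}",
        f"cn: {givenname} {sn}",
        f"userPassword: {password}",
        "",
    ])

def find_prehashed_passwords(ldif_text):
    """Return DNs of entries whose userPassword is pre-hashed, decoding base64 ('::') values."""
    hits = []
    for entry in ldif_text.strip().split("\n\n"):
        dn = None
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            if key.lower() == "dn":
                dn = value.strip()
            elif key.lower() == "userpassword":
                if value.startswith(":"):  # 'userPassword:: <base64>' as LDAP exports write it
                    value = base64.b64decode(value[1:].strip()).decode()
                if is_prehashed(value.strip()):
                    hits.append(dn)
    return hits

# Constructed sample export: one plain-text password and one base64-wrapped {SSHA} hash.
SAMPLE_LDIF = build_stage_user_ldif("alice", "Alice", "Example", "Plain-text1") + "\n" + (
    f"dn: uid=bob,{STAGE_CONTAINER}\nobjectClass: inetorgperson\nuid: bob\n"
    "userPassword:: " + base64.b64encode(b"{SSHA}c29tZWhhc2g=").decode() + "\n")
```

Running `find_prehashed_passwords(SAMPLE_LDIF)` flags only bob's entry, the one whose activation would fail.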
freeipa-users@lists.fedorahosted.org