Ronald Wimmer wrote:
On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
On 02.01.24 16:27, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.12.23 14:42, Alexander Bokovoy wrote:
On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
Learn about lifecycle management. This is your way of integrating with such tools by creating staged users: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
I followed the instructions from the documentation.
How could I possibly overcome
Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
I need to set passwords from the external system.
You need to enable migration mode (ipa config-mod --enable-migration true).
By default a pre-hashed password can only be set once: during the user add operation.
Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time the only feasible way is the IPA API, right?
Can the immediate password expiration be overridden?
As we have an upcoming please allow me to ask if I got the point here.
I appreciate your support in this matter!
I'd recommend you look into the winsync documentation in IPA. There is a setting you can configure to allow a pre-hashed password to be written without marking it as expired (because this is what winsync does).
If you use Kerberos then users are going to have to migrate their password every time it changes on the external system.
rob
On 08.01.24 17:14, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
On 02.01.24 16:27, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.12.23 14:42, Alexander Bokovoy wrote:
On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
Learn about lifecycle management. This is your way of integrating with such tools by creating staged users: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
I followed the instructions from the documentation.
How could I possibly overcome
Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
I need to set passwords from the external system.
You need to enable migration mode (ipa config-mod --enable-migration true).
By default a pre-hashed password can only be set once: during the user add operation.
Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time the only feasible way is the IPA API, right?
Can the immediate password expiration be overridden?
As we have an upcoming please allow me to ask if I got the point here.
I appreciate your support in this matter!
I'd recommend you look into the winsync documentation in IPA. There is a setting you can configure to allow a pre-hashed password to be written without marking it as expired (because this is what winsync does).
If you use Kerberos then users are going to have to migrate their password every time it changes on the external system.
I quickly skipped over the documentation. winsync-migrate seems to require AD trust. I did not mention that before but we need to get rid of all trusts in our domain landscape.
We will need the ability to create and update users from an external system. Including passwords. So what would probably be the best option here?
Cheers, Ronald
Ronald Wimmer wrote:
On 08.01.24 17:14, Rob Crittenden wrote:
Ronald Wimmer wrote:
On 02.01.24 17:57, Ronald Wimmer via FreeIPA-users wrote:
On 02.01.24 16:27, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 14.12.23 14:42, Alexander Bokovoy wrote:
On Thu, 14 Dec 2023, Ronald Wimmer via FreeIPA-users wrote:
In our company we do have an IAM tool for user management. We need to create IPA users via this particular tool. I am aware of all IPA commands or API calls to create/modify or delete a user.
As the tool does not support FreeIPA yet they asked if there is a way to manage users by using LDAP only. Could that work? What about attributes like ipaNTSecurityIdentifier, ipaUniqueID or uidNumber?
Learn about lifecycle management. This is your way of integrating with such tools by creating staged users: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/htm...
I followed the instructions from the documentation.
How could I possibly overcome
Dec 19 09:18:39 tipa01.ipatest.mydomain.at ipa-activate-all[836863]: ipa: ERROR: Constraint violation: pre-hashed passwords are not valid
I need to set passwords from the external system.
You need to enable migration mode (ipa config-mod --enable-migration true).
By default a pre-hashed password can only be set once: during the user add operation.
Ok. So this would not work for a password change. So if we need to set an initial password and change that particular password at some point in time the only feasible way is the IPA API, right?
Can the immediate password expiration be overridden?
As we have an upcoming please allow me to ask if I got the point here.
I appreciate your support in this matter!
I'd recommend you look into the winsync documentation in IPA. There is a setting you can configure to allow a pre-hashed password to be written without marking it as expired (because this is what winsync does).
If you use Kerberos then users are going to have to migrate their password every time it changes on the external system.
I quickly skipped over the documentation. winsync-migrate seems to require AD trust. I did not mention that before but we need to get rid of all trusts in our domain landscape.
We will need the ability to create and update users from an external system. Including passwords. So what would probably be the best option here?
Just look at the docs. There is a synchronization setting you can use to bring in pre-hashed passwords. I don't have a link handy.
rob
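Pulling the thread's two pieces of advice together (stage users created over LDAP with a pre-hashed password accepted only on the initial add under migration mode, and a synchronization setting that lets a sync account write pre-hashed passwords without expiring them), the following is an added illustration written for this thread; it is not code from the list, the FreeIPA project, or Red Hat. It shows what an external IAM tool would actually send: an LDIF for a stage user under the provisioning container carrying an {SSHA512} userPassword, a checker that confirms the hash the tool exports really matches the plaintext before it is loaded, and the LDIF that registers a sync account with the ipa_pwd_extop plugin. Assumptions: the base DN `dc=example,dc=test`, the user `jdoe` and the sysaccount `uid=iam-sync,cn=sysaccounts,cn=etc,...` are constructed; the plugin DN `cn=ipa_pwd_extop,cn=plugins,cn=config`, its `passSyncManagersDNs` attribute and the DNA magic value `-1` for uidNumber/gidNumber come from my reading of the PassSync and stage-user documentation and should be verified against the IPA version in use.

```python
import base64
import hashlib
import os

# Constructed sample values; replace with the real IPA base DN. Not from the thread.
SUFFIX = "dc=example,dc=test"
STAGE_CONTAINER = "cn=staged users,cn=accounts,cn=provisioning," + SUFFIX
# Assumed plugin entry that holds the PassSync-manager list; verify for your version.
PWD_EXTOP_PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def ssha512_hash(password, salt=None):
    """Return a userPassword value in the salted SHA-512 ({SSHA512}) scheme 389-ds stores."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def ssha512_check(password, stored):
    """Verify a plaintext against an {SSHA512} value, so a bad export is caught before ldapadd."""
    prefix = "{SSHA512}"
    if not stored.startswith(prefix):
        return False
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:64], raw[64:]          # SHA-512 digest is 64 bytes, salt follows
    return hashlib.sha512(password.encode("utf-8") + salt).digest() == digest


def stage_user_ldif(uid, givenname, sn, hashed_password):
    """LDIF an external IAM tool can ldapadd to create a stage user.

    uidNumber/gidNumber of -1 (assumed DNA magic value) let IPA assign real IDs on
    activation; ipaUniqueID and ipaNTSecurityIdentifier are likewise generated by
    IPA, so the external system never has to invent them.
    """
    lines = [
        f"dn: uid={uid},{STAGE_CONTAINER}",
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalperson",
        "objectClass: inetorgperson",
        "objectClass: posixaccount",
        f"uid: {uid}",
        f"givenName: {givenname}",
        f"sn: {sn}",
        f"cn: {givenname} {sn}",
        f"homeDirectory: /home/{uid}",
        "uidNumber: -1",
        "gidNumber: -1",
        # A pre-hashed value is accepted only on this initial add, and only with
        # migration mode on (ipa config-mod --enable-migration true); a later
        # pre-hashed MODIFY fails with "pre-hashed passwords are not valid".
        f"userPassword: {hashed_password}",
    ]
    return "\n".join(lines) + "\n"


def pass_sync_manager_ldif(bind_dn):
    """LDIF registering a sync account as a password-sync manager with ipa_pwd_extop.

    Accounts listed here may write pre-hashed passwords without the password being
    flagged as expired, which is the setting winsync/PassSync rely on.  Note that
    Kerberos keys cannot be derived from a hash, so such users still get keys only
    after a plaintext bind (migration) or an IPA API / ipa user-mod password change.
    """
    return "\n".join([
        f"dn: {PWD_EXTOP_PLUGIN_DN}",
        "changetype: modify",
        "add: passSyncManagersDNs",
        f"passSyncManagersDNs: {bind_dn}",
    ]) + "\n"


if __name__ == "__main__":
    pw_hash = ssha512_hash("Secret123")          # constructed sample password
    assert ssha512_check("Secret123", pw_hash)
    print(stage_user_ldif("jdoe", "Jane", "Doe", pw_hash))
    print(pass_sync_manager_ldif(f"uid=iam-sync,cn=sysaccounts,cn=etc,{SUFFIX}"))
```

The stage entry is then activated with `ipa stageuser-activate jdoe` (or `ipa-activate-all`), at which point IPA fills in the ID attributes asked about at the start of the thread. The check function is the cheap guard worth running on every export: a hash that does not verify locally will be accepted by the directory but leave the user unable to log in, which looks identical to the migration problems discussed above.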
freeipa-users@lists.fedorahosted.org