I am connecting to FreeIPA LDAP (389 Directory Server) as admin. I can find a user, and add the userPassword attribute like:
#!RESULT OK
#!CONNECTION ldap://freeipa1.localdomain:389
#!DATE 2014-09-15T20:59:40.323
dn: uid=user,cn=users,cn=accounts,dc=localdomain
changetype: modify
add: userPassword
userPassword:: cGFzc3dvcmQ=
-
however the attribute disappears immediately. In no query can I see the user objects returning the userPassword attribute, either as a normal or as an operational attribute.
I really need the attribute to be settable, and visible in queries. Cleartext and hashes are both fine for my application; it doesn't really matter security-wise. What configuration change should I make?
Best Answer
The userPassword attribute is not visible to anyone except the cn=Directory Manager user, on purpose. If you try to ldapsearch with that, you should see the password hash. You cannot store or show a clear text password with FreeIPA though, as the project tries not to support insecure practices.

As for changing the password, please use the password extended operation (the ldappasswd command uses it). It will trigger the FreeIPA ipa-pwd-extop plugin, which will update all dependent password hashes (like Kerberos' krbPrincipalKey attribute).
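To make the recommended operation concrete, here is an added example (not code from the answer author or from FreeIPA) that BER-encodes an RFC 3062 Password Modify extended request, the same operation ldappasswd sends and ipa-pwd-extop handles, so the wire format can be inspected offline. The DN is the one from the question; the new password value and the message ID are constructed.

```python
"""Hand-rolled BER encoding of the RFC 3062 Password Modify extended request.
Added example for this page; not FreeIPA or 389-ds code. Sending it still
requires an authenticated (and TLS-protected) LDAP session, not shown here."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 passwdModify request name

def ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn=None, old_pw=None, new_pw=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,   -- tag 0x80
         oldPasswd    [1] OCTET STRING OPTIONAL,   -- tag 0x81
         newPasswd    [2] OCTET STRING OPTIONAL }  -- tag 0x82
    Omitting userIdentity changes the bound user's own password; omitting
    newPasswd asks the server to generate one (RFC 3062 section 2.2)."""
    fields = b""
    for tag, val in ((0x80, user_dn), (0x81, old_pw), (0x82, new_pw)):
        if val is not None:
            fields += tlv(tag, val.encode("utf-8"))
    return tlv(0x30, fields)

def ldap_extended_request(msg_id: int, oid: str, value: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ExtendedRequest }
    ExtendedRequest ::= [APPLICATION 23] SEQUENCE {   -- tag 0x77
         requestName  [0] LDAPOID,                    -- tag 0x80
         requestValue [1] OCTET STRING OPTIONAL }     -- tag 0x81
    This is the protocolOp ipa-pwd-extop is registered for; a plain
    'modify: userPassword' is a different operation and does not trigger it."""
    ext = tlv(0x77, tlv(0x80, oid.encode("ascii")) + tlv(0x81, value))
    return tlv(0x30, tlv(0x02, msg_id.to_bytes(1, "big")) + ext)

def build_request(user_dn: str, new_pw: str, msg_id: int = 2) -> bytes:
    """Full LDAPMessage for an administrative reset of user_dn (constructed msg_id)."""
    return ldap_extended_request(msg_id, PASSWD_MODIFY_OID,
                                 passwd_modify_value(user_dn, None, new_pw))

if __name__ == "__main__":
    # DN from the question; the password value is a constructed placeholder.
    print(build_request("uid=user,cn=users,cn=accounts,dc=localdomain", "password").hex())
```

Running `ldappasswd -S -D "cn=Directory Manager" -W -H ldap://freeipa1.localdomain uid=user,cn=users,cn=accounts,dc=localdomain` produces the same request value; the server-side hashing and Kerberos key update then happen inside the plugin.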