Allow hashed passwords in DS

Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.

https://fedorahosted.org/freeipa/ticket/4450

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

2 files changed, 7 insertions, 2 deletions

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5e0fe961f..50262f7fb 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -86,7 +86,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.2.19
+Requires: 389-ds-base >= 1.3.2.20
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -122,7 +122,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.2.19
+Requires(pre): 389-ds-base >= 1.3.2.20
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 
diff --git a/install/updates/10-config.update b/install/updates/10-config.update
index 1512b3601..30fafbf9e 100644
--- a/install/updates/10-config.update
+++ b/install/updates/10-config.update
@@ -63,3 +63,8 @@ addifnew:nsSaslMapPriority: 10
 # Can be removed when https://fedorahosted.org/389/ticket/47457 is fixed
 dn: cn=config
 only:nsslapd-sasl-max-buffer-size:2097152
+
+# Allow hashed passwords to be added by non-DM users. Without this
+# setting, password migration fails
+dn: cn=config
+only:nsslapd-allow-hashed-passwords:on