Florence Blanc-Renaud via FreeIPA-users wrote:
> On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote:
>> On 09/03/2018 09:13, Florence Blanc-Renaud wrote:
>>> On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
>>>> Hi
>>>>
>>>> I'm using migration mode (ipa config-mod --enable-migration=true) to
>>>> help migrate from one freeipa instance to another.
>>>>
>>>> I wasn't able to find any docs on what enabling migration mode
>>>> actually does, exactly.
>>>>
>>>> Can anyone supply details please?
>>>>
>>>> Thanks.
>>>>
>>>> Roderick Johnstone
>>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>
>>> Hi,
>>>
>>> the migration mode allows to add an entry with a pre-hashed password.
>>>
>>> When this mode is disabled, this operation would be refused because
>>> IPA needs a clear-text password in order to run password policy
>>> checks and generate kerberos keys.
>>>
>>> HTH,
>>> Flo
>>
>> Hi Flo
>>
>> So, why wouldn't you want to have that enabled all the time.
>>
>> ie are there any other consequences of having this enabled.
>>
> 
> When migration mode is enabled, the ldap server accepts to modify a
> password using a pre-hashed value (the userPassword attribute of the
> user entry). As the value is not clear-text, it is not possible to run
> password policy checks (for instance does it contain enough characters,
> was it already in the password history...) => not as secure as the
> sysadmin intended.
> 
> The second issue is that the kerberos keys (stored in the
> krbprincipalkey of the user attribute) cannot be generated from a hash
> value, the algorithm needs a clear value. As a consequence, kerberos
> authentication would not succeed because it is based on krbprincipalkey.
> 
> This is why the migration procedure requires to instruct users to login
> to the migration web page, so that they enter a new password that will
> re-generate their kerberos keys (see step 10 in [1]).
> 
> Hope this clarifies,
> Flo
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/mig-ldap-to-idm

SSSD also checks this value and will authenticate over LDAP then set the
Kerberos credentials. This is similar in practice to using the web page
but without requiring user intervention. Without this flag enabled,
having only an LDAP password will fail authentication.

rob
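The mechanics behind Flo's and Rob's answers, as an added example that is not part of the thread and not FreeIPA's own code: an RFC 2307 style `{SSHA}` userPassword value is built and verified, the policy checks IPA would run (length, history) are applied to the clear text, and an LDIF entry of the kind migration mode permits is rendered. The base DN, the user attributes, the history tuple and the sample password are all constructed for the example; the point it shows is that a server holding only the hash can confirm a bind but cannot run history checks (different salts give different hashes for the same password) and has nothing from which to derive krbPrincipalKey.

```python
"""Added example (not from the thread or from FreeIPA): what a pre-hashed
userPassword looks like, what can still be done with it (verify a bind),
and what cannot (policy checks, Kerberos key derivation)."""
import base64
import hashlib
import os
from typing import List, Optional, Tuple

SHA1_LEN = 20  # sha1 digest length in bytes; the salt follows the digest


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style value: {SSHA}base64(sha1(pw || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, candidate: str) -> bool:
    """The one thing a server holding only the hash can do: check a bind."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def policy_check(cleartext: str, min_length: int = 8,
                 history: Tuple[str, ...] = ()) -> List[str]:
    """Checks of the kind Flo describes; every one of them needs the clear text.
    history holds earlier {SSHA} values, so reuse is detected by re-verifying
    the clear text against each old hash (a bare hash could not be compared)."""
    problems = []
    if len(cleartext) < min_length:
        problems.append("too short")
    if any(verify_ssha(old, cleartext) for old in history):
        problems.append("already in password history")
    return problems


def migration_ldif(uid: str, hashed: str,
                   base_dn: str = "dc=example,dc=test") -> str:
    """LDIF for the add that migration mode allows: userPassword is already
    hashed and no krbPrincipalKey is present, because none can be derived
    from it. base_dn and the POSIX attributes are placeholders for the example."""
    if not hashed.startswith("{"):
        raise ValueError("migration entries carry a pre-hashed userPassword")
    return "\n".join([
        f"dn: uid={uid},cn=users,cn=accounts,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        "uidNumber: 10001",
        "gidNumber: 10001",
        f"homeDirectory: /home/{uid}",
        f"userPassword: {hashed}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: the same password hashed twice gives different values.
    first = make_ssha("Secret123!")
    second = make_ssha("Secret123!")
    print(first != second, verify_ssha(first, "Secret123!"))
    print(policy_check("Secret123!", history=(first,)))
    print(migration_ldif("rjohnstone", first))
```

Until the user sets a new clear-text password (through the migration page, or through SSSD's LDAP-then-Kerberos path that Rob describes) the entry above has nothing Kerberos can use, which is exactly the gap the thread is about.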