On 13/11/2024 16:11, Rob Crittenden wrote:
> Kapetanakis Giannis via FreeIPA-users wrote:
>> Hi,
>>
>> We're looking into migrating our current LDAP setup (389) to a FreeIPA setup.
>>
>> Reading documentation and searching online cannot answer the following question.
>>
>> Is FreeIPA able to authenticate normal LDAP clients without any Kerberos/GSSAPI involved on the client side?
>> Most of my LDAP clients support only LDAP authentication over SSL/TLS.
>
> What kind of authentication? Simple bind works out of the box.
>
>> Will FreeIPA's LDAP server delegate authentication to Kerberos on behalf of the client, or does it need the userPassword attribute stored in its LDAP server?
>>
>> Which SASL mechanism is being used in this case?
>>
>> If the userPassword is needed, how does it stay in sync with the user's Kerberos credentials?
>> Is the sync both ways (LDAP-Kerberos)?
>
> IPA handles keeping the userPassword and krbPrincipalKey values in sync via a 389-ds plugin.
>
>> Is there documentation about these specific tasks?
>
> Which tasks? There is probably only a bullet-point in the docs for the password synchronization because it is not configurable and happens automatically.
>
> rob
Thanks for the quick reply.

So essentially the LDAP server is accepting normal LDAP binds, is using the local userPassword and is not delegating (somehow) the authentication to Kerberos. If I want Kerberos then the client must support it.

Does an ldapmodify of userPassword (cleartext, not hashed) trigger a password change inside Kerberos as well?

Reading: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/migrating-from-an-ldap-directory-to-idm_migrating-to-idm-from-external-sources#using-sssd_planning-password-migration-when-migrating-from-ldap-to-idm

"IdM intercepts this bind request. If the user has a Kerberos principal but no Kerberos hashes, then the IdM identity provider generates the hashes and stores them in the user entry."

Does this intercept only happen if the Kerberos hash is missing, or even if the password is different?

Essentially, if all users/passwords are migrated and all applications/services are supporting GSSAPI, then I could delete userPassword from LDAP?

Thanks,
G
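The thread turns on what a "simple bind" actually is: the client sends its DN and the cleartext password inside the LDAP BindRequest, and the server checks it against userPassword (in IPA's case, the 389-ds plugin keeps that attribute and the Kerberos keys in step). The following is an added example, not code from the thread or from the FreeIPA project, that encodes and decodes that exchange on the wire with the standard library only, so you can see why such clients must talk LDAPS (port 636) or STARTTLS. The hostname, DNs and the response bytes in the test are constructed; `simple_bind_over_tls` assumes a reachable server and is not exercised offline.

```python
"""Minimal LDAPv3 simple bind on the wire (RFC 4511 BER encoding).

Added example, not from the mailing-list thread or the FreeIPA project.
Shows the BindRequest a non-GSSAPI client sends (DN + cleartext password)
and how the BindResponse result code is read back.
"""
import socket
import ssl


# --- BER encoding helpers -------------------------------------------------

def ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One Tag-Length-Value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v: int) -> bytes:
    """INTEGER for non-negative values (messageID, protocol version)."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def build_simple_bind(msg_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple [0] password } }."""
    bind_request = tlv(
        0x60,                              # [APPLICATION 0] BindRequest
        ber_int(3)                         # version 3
        + tlv(0x04, bind_dn.encode())      # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode()),    # authentication: simple [0], cleartext
    )
    return tlv(0x30, ber_int(msg_id) + bind_request)


# --- BER decoding of the BindResponse ------------------------------------

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, payload, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


RESULT_CODES = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials"}


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage{ messageID, BindResponse{ resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = read_tlv(body)
    tag, resp, _ = read_tlv(body, pos)
    if tag != 0x61:                        # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(resp)          # ENUMERATED resultCode
    _, matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    rc = int.from_bytes(code, "big")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": rc,
        "result": RESULT_CODES.get(rc, "other"),
        "matched_dn": matched_dn.decode(),
        "diagnostic": diag.decode(),
    }


def password_is_visible(request: bytes, password: str) -> bool:
    """True: the simple-bind password travels as-is, so the transport must be TLS."""
    return password.encode() in request


def simple_bind_over_tls(host: str, bind_dn: str, password: str, port: int = 636) -> dict:
    """Send one simple bind over LDAPS with CA verification; assumes a reachable server."""
    ctx = ssl.create_default_context()     # verifies the server certificate chain
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, bind_dn, password))
        return parse_bind_response(tls.recv(4096))


if __name__ == "__main__":
    # Constructed DN; replace with your own IPA user entry and hostname.
    req = build_simple_bind(1, "uid=alice,cn=users,cn=accounts,dc=example,dc=test", "s3cret")
    print(req.hex(), "password visible in request:", password_is_visible(req, "s3cret"))
```

Reading the decoded `result_code` is also the quick way to tell a sync problem from a transport problem: 49 (invalidCredentials) means the server rejected the userPassword value, while 13 (confidentialityRequired) means the server refused the simple bind because the connection was not protected by TLS.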
