Doug Chapman wrote:
> I'm working on migrating from SunDS to IPA and I've got everything
> moved over, but I'm having some issues with userPassword.  I'd like
> users to be able to connect with their existing passwords and set an
> force a password expiration after our transition is done.
> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
> works in IPA, but when I try to use kinit u...@realm it is failing
> with an 'invalid password'.
> I've looked through the schema and can't find a separate 'krbPassword'
> entry, can someone clarify for me why this is failing?
> Is there another place where the password is stored besides userPassword ?

The user password in IPA is not simple hash.  If you create  a user in
IPA and set his password this user will get a kerberos hash not a DS
hash. So the problem you are facing is the problem of migrating
passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
much as we think it can be solved) in v2.
In v2 there are two options:
1) You can instruct users to go to a special URL and pass the
authentication there. The authentication against that page will allow
IPA server to capture user password and generate appropriate kerberos hash
2) Using SSSD as a client. SSSD has special logic that allows it to
handle this case behind the scenes. When user logs in and SSSD and IPA
are configured is migration mode then SSSD will do everything

What is the version of IPA you are using? Would any of the two options
work for you?    
> tia
> DougC
> ------------------------------------------------------------------------
> _______________________________________________
> Freeipa-users mailing list

Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to