Dmitri Pal wrote:
Doug Chapman wrote:
I'm working on migrating from SunDS to IPA and I've got everything
moved over, but I'm having some issues with userPassword.  I'd like
users to be able to connect with their existing passwords and then
force a password expiration after our transition is done.

I can copy the {SHA} hash from SunDS to IPA and ldap authentication
works in IPA, but when I try to use kinit u...@realm it is failing
with an 'invalid password'.

I've looked through the schema and can't find a separate 'krbPassword'
entry, can someone clarify for me why this is failing?

Is there another place where the password is stored besides userPassword ?

The user password in IPA is not a simple hash.  If you create a user in
IPA and set his password, this user will get a Kerberos hash, not a DS
hash. So the problem you are facing is the problem of migrating
passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
much as we think it can be solved) in v2.
In v2 there are two options:
1) You can instruct users to go to a special URL and pass the
authentication there. The authentication against that page will allow
the IPA server to capture the user password and generate the appropriate Kerberos hash.
2) Using SSSD as a client. SSSD has special logic that allows it to
handle this case behind the scenes. When the user logs in and SSSD and IPA
are configured in migration mode, SSSD will do everything
automatically.


What is the version of IPA you are using? Would any of the two options
work for you?

As Dmitri said, the problem is that kerberos uses a different password attribute than LDAP. For passwords set within IPA we capture password changes from both LDAP and kerberos and keep the two in sync.

When you migrate just the LDAP password you need some mechanism to authenticate the user and reset the password, therefore creating the kerberos credentials and starting to keep the two in sync.

Off the top of my head, you may be able to do something in v1 with a little bit of work:

- When you load users via ldif add the krbPrincipalAux objectclass and set krbprincipalname to u...@realm.
- Write a simple web page that uses LDAP authentication. On the page itself prompt for a new password and use the LDAP protocol to change the password (this is pretty standard stuff).
- This should, in theory, add the kerberos credentials.

It should be pretty easy to verify using ldappasswd. If you get credentials by resetting the password with that then it should work using the more complex web-based procedure I outlined.

Actually, when you load your users via LDIF be sure to configure them using the same objectclasses we use to ensure that the IPA framework is going to see them as IPA users. You'll need to adhere to our tree structure as well.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
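The two replies above come down to one fact: an LDAP simple bind only needs to recompute SHA-1(password) and compare it with the stored {SHA} value, whereas the KDC needs a key that RFC 3962 string-to-key derives from the plaintext password with PBKDF2 and a principal-specific salt. A copied {SHA} hash therefore satisfies the bind but cannot yield a Kerberos key, which is why the plaintext has to be captured once (Dmitri's migration page, SSSD's migration mode, or Rob's bind-then-reset web page). The following added example, which is neither from this thread nor FreeIPA's own code, models that flow: it verifies a candidate password against a {SHA} or {SSHA} userPassword value the way the directory does, and only once that succeeds runs the plaintext through the PBKDF2 stage of Kerberos string-to-key. The final AES-based DK step of RFC 3962 is left out, so the bytes returned are the PBKDF2 intermediate, not the finished aes256 key. The user name, realm and passwords are constructed for illustration; the {SHA} value for "password" and the RFC 3962 PBKDF2 vector are published test values.

```python
"""Why a migrated {SHA} userPassword satisfies an LDAP bind but not kinit.

Added example, not code from the thread or from FreeIPA.  It models the
migration step the replies describe: authenticate against the old LDAP
hash (which puts the plaintext in hand), then derive Kerberos key
material from that plaintext.  Only the PBKDF2 stage of RFC 3962
string-to-key is implemented; the AES-based DK step is omitted.
"""
import base64
import hashlib
import hmac
import os

# RFC 3962 default iteration count for aes128/aes256-cts-hmac-sha1-96.
KRB5_DEFAULT_ITERATIONS = 4096


def make_userpassword(password: str, salted: bool = False) -> str:
    """Build a {SHA} or {SSHA} userPassword value as a DS would store it."""
    pw = password.encode("utf-8")
    if salted:
        salt = os.urandom(8)                       # constructed random salt
        blob = hashlib.sha1(pw + salt).digest() + salt
        return "{SSHA}" + base64.b64encode(blob).decode("ascii")
    return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a candidate password against a {SHA}/{SSHA} userPassword value.

    This is all an LDAP simple bind needs, which is why the bind works
    with a hash copied from SunDS: the server only recomputes SHA-1 of
    the candidate.  Nothing here is reversible into the plaintext.
    """
    scheme, _, b64 = stored.partition("}")
    raw = base64.b64decode(b64)
    pw = candidate.encode("utf-8")
    if scheme == "{SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "{SSHA":
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest, then salt
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported password scheme: " + scheme + "}")


def krb5_salt(principal: str, realm: str) -> str:
    """Default Kerberos salt: the realm followed by the principal components."""
    return realm + "".join(principal.split("/"))


def krb5_string_to_key_pbkdf2(password: str, salt: str,
                              iterations: int = KRB5_DEFAULT_ITERATIONS,
                              keylen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962 string-to-key (32 bytes for aes256).

    The input is the plaintext password; there is no way to feed a
    SHA-1 digest in here, which is the whole migration problem.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)


def migrate_user(stored_hash: str, principal: str, realm: str,
                 password_at_login: str):
    """One migration step: bind against the old hash, then derive key material.

    Returns the PBKDF2 output (what the KDC would finish into an AES key)
    or None if the old hash rejects the password.  Model of what Rob's
    bind-then-reset page or SSSD's migration mode achieves.
    """
    if not verify_userpassword(stored_hash, password_at_login):
        return None
    return krb5_string_to_key_pbkdf2(password_at_login,
                                     krb5_salt(principal, realm))


if __name__ == "__main__":
    # Constructed migrated entry: user "doug" in realm EXAMPLE.COM.
    old_hash = make_userpassword("Tr0ub4dor&3")
    material = migrate_user(old_hash, "doug", "EXAMPLE.COM", "Tr0ub4dor&3")
    print("LDAP bind ok, PBKDF2 stage:", material.hex())
    print("wrong password:", migrate_user(old_hash, "doug", "EXAMPLE.COM", "nope"))
```

The same check can be run against a real v1 server without any web page: an `ldappasswd -x -D <user DN> -W -S` that binds with the migrated {SHA} value and then sets a new password exercises exactly the bind-then-reset path Rob describes, and a subsequent `kinit` tells you whether the password-change plugin produced the Kerberos keys.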
