On 09/15/2010 10:14 PM, Rob Crittenden wrote:

As Dmitri said, the problem is that kerberos uses a different password
attribute than LDAP. For passwords set within IPA we capture password
changes from both LDAP and kerberos and keep the two in sync.

When you migrate just the LDAP password you need some mechanism to
authenticate the user and reset the password, therefore creating the
kerberos credentials and starting to keep the two in sync.

Off the top of my head, you may be able to do something in v1 with a
little bit of work:

- When you load users via ldif add the krbPrincipalAux objectclass and
set krbprincipalname to u...@realm.
- Write a simple web page that uses LDAP authentication. On the page
itself prompt for a new password and use the LDAP protocol to change
the password (this is pretty standard stuff).
- This should, in theory, add the kerberos credentials.

I can confirm that using an LDAP password reset function will sync both the LDAP and Kerberos passwords. If using a Perl website, be sure to use Net::LDAP::Extension::SetPassword. This is critical if your FreeIPA server is connected to an Active Directory server. Methods where you insert a pre-hashed value into the LDAP directory can't be propagated to the Windows Domain.

It should be pretty easy to verify using ldappasswd. If you get
credentials by resetting the password with that then it should work
using the more complex web-based procedure I outlined.

Actually, when you load your users via LDIF be sure to configure them
using the same objectclasses we use to ensure that the IPA framework
is going to see them as IPA users. You'll need to adhere to our tree
structure as well.
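The password-reset step the thread describes, written as an added Perl example (not code from the thread or from FreeIPA): bind as the user with the migrated LDAP password, then change it with the Password Modify extended operation through Net::LDAP::Extension::SetPassword so the server receives the plaintext and can derive the Kerberos keys. The server name, base DN and CA certificate path are assumptions.

```perl
#!/usr/bin/perl
# Self-service password change against FreeIPA via the LDAP Password
# Modify extended operation (RFC 3062), using Net::LDAP::Extension::SetPassword.
# Added example for this thread; server, base DN and CA path are assumed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::SetPassword;

my $server = 'ldaps://ipa.example.com';                  # assumed IPA server
my $base   = 'cn=users,cn=accounts,dc=example,dc=com';   # assumed user container
my $cafile = '/path/to/ipa-ca.crt';                      # assumed CA certificate

sub change_password {
    my ($uid, $old, $new) = @_;
    my $dn = "uid=$uid,$base";

    # Always use TLS with certificate verification: both the old and the new
    # password travel inside the extended operation request.
    my $ldap = Net::LDAP->new($server, verify => 'require', cafile => $cafile)
        or die "connect to $server failed: $@";

    # Step 1: authenticate the user with the password migrated from LDAP.
    my $mesg = $ldap->bind($dn, password => $old);
    die "bind failed for $dn: " . $mesg->error if $mesg->code;

    # Step 2: Password Modify extended operation. The server sees the
    # plaintext, so IPA's password plugin can generate the Kerberos keys and
    # pass the change on to any AD sync. A plain modify that writes a
    # pre-hashed userPassword value would skip both.
    $mesg = $ldap->set_password(user => $dn, oldpasswd => $old, newpasswd => $new);
    die "password change failed for $dn: " . $mesg->error if $mesg->code;

    $ldap->unbind;
    return 1;
}

# Same check from a shell, as the thread suggests (prompts for both passwords):
#   ldappasswd -H ldaps://ipa.example.com -D "uid=USER,$base" -W -S

# Read uid, old and new password from stdin (one per line) rather than argv,
# so the secrets never appear in the process list. A CGI handler would take
# the same three values from its form fields.
chomp(my ($uid, $old, $new) = <STDIN>);
change_password($uid, $old, $new) and print "password changed for $uid\n";
```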


Freeipa-users mailing list