Steven Jones wrote: > Is there a method to do this? > > I tried to use LdapImport.pl from the 389 project and this failed.... > > Giving me all # = entry not added to destination (other error) > > Possibly the password criteria in freeipa is "too strong"? > > How can I disable this feature? > > or is there another way to import? > > Migration of the passwords is a tough problem. The issue is that the passwords in the local files are hashed using simple hash algorithm while in IPA they are hashed to create kerberos keys. Converting from one to another without knowing clear password is not possible. If you already have an LDAP server with password you can take advantage of our LDAP migration schemes but if you have local files this will be a challenge. For migrating from LDAP case you can load your users into the IPA and then configure SSSD to use migration mode on the client or you can instruct users to go to a special migration web page. In both cases you already have the password hashed in the LDAP format in the IPA so SSSD or Migration page will capture the cleartext password and pass it to IPA so that it can use it to generate the Kerberos hashes.
A quick search around migrating passwords from flat files to LDAP showed that it is in some cases possible (if the hash that is used by the flat file is supported by the DS server, but tricky). We do not have any aid here so it is simpler to reset the password. If this is not an option, as far as I understand you need to create user accounts first with some password and then overwrite the password attribute in the LDAP with the properly decorated hash take from the password file. And after that you still need the kerberos keys for IPA to work so you still need to use Migration page or SSSD. It might be less trouble just to bite the bullet and reset passwords as you migrate to IPA. Thanks Dmitri > regards > > > Steven Jones Technical Specialist Linux/Vmware > Tele 64 4 463 6272 > Victoria University > Kelburn > New Zealand > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users > -- Thank you, Dmitri Pal Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
