On 09/07/2011 02:45 PM, Dan Scott wrote:
> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> migration, the script says:
> "Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts."
> I have some users who are authenticated via LDAP. Also I have a Java
> application which allows them to change their password using LDAP.
> Will existing passwords continue to work when using LDAP
> authentication/password changes? It is only Kerberos authentication
> which requires users to re-login on this special page?
If you update the password via LDAP using bind over SSL so that server
has the password in clear the new Kerberos hashes will be generated
automatically and kerberos will become usable for these users once again.
Also SSSD has a nice feature to migrate user passwords. Read more about
it in the SSSD docs.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list