On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <d...@redhat.com> wrote:
> On 09/07/2011 02:45 PM, Dan Scott wrote:
>> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> migration, the script says:
>> "Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts."
>> I have some users who are authenticated via LDAP. Also I have a Java
>> application which allows them to change their password using LDAP.
>> Will existing passwords continue to work when using LDAP
>> authentication/password changes? It is only Kerberos authentication
>> which requires users to re-login on this special page?
> If you update the password via LDAP using bind over SSL so that the server
> has the password in clear, the new Kerberos hashes will be generated
> automatically and Kerberos will become usable for these users once again.
> Also SSSD has a nice feature to migrate user passwords. Read more about
> it in the SSSD docs.
Excellent, thanks for the response. The LDAP bind must be over SSL,
correct? When not using SSL, I get:
javax.security.auth.login.LoginException: LDAP bind failed for
When using LDAPS, I get:
"Exception in LdapRealm when trying to authenticate user.
javax.naming.CommunicationException: anonymous bind failed:
kelvin.example.com:636 [Root exception is
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]"
So I guess I need to add a FreeIPA certificate into my Glassfish
keystore. Does this sound right? Should I create a certificate for my
Or should I be adding the CA of my FreeIPA installation?
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
Freeipa-users mailing list
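
The PKIX error quoted in the message above is what a Java client reports when the LDAPS server's certificate does not chain to any CA in its truststore. The following is an added example, not part of the original thread: it builds a constructed CA and server certificate with openssl, shows the chain check failing or passing depending on which CA is trusted, and imports the issuing CA into a Java truststore with keytool. All file names, subject names, the alias and the store password are assumptions.

```shell
#!/bin/sh
# Constructed demo PKI: "demo-ca", "other-ca" and "ldap.example.test" are
# placeholders, not names from the thread.

# make_demo_pki DIR: create a CA, a server cert it signs, and an unrelated CA.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}

# chain_ok ANCHORS CERT: succeed only if CERT chains to a CA in ANCHORS.
# The Java PKIX validator asks the same question of its truststore.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# import_ca CA STORE: add the issuing CA (not the server cert) to a Java
# truststore. "changeit" is a placeholder password; skipped without keytool.
import_ca() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 0; }
    keytool -importcert -noprompt -alias demo-ca -file "$1" \
        -keystore "$2" -storepass changeit >/dev/null 2>&1
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || return 1
    chain_ok "$tmp/other.crt" "$tmp/srv.crt" && echo "unrelated CA: accepted" \
        || echo "unrelated CA: rejected (no valid certification path)"
    chain_ok "$tmp/ca.crt" "$tmp/srv.crt" && echo "issuing CA trusted: accepted"
    import_ca "$tmp/ca.crt" "$tmp/trust.jks"
    rm -rf "$tmp"
}

demo
```

A JVM can be pointed at such a truststore with the standard `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties.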