Hi,

On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <d...@redhat.com> wrote:
> On 09/07/2011 02:45 PM, Dan Scott wrote:
>> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> migration, the script says:
>>
>> "Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts."
>>
>> I have some users who are authenticated via LDAP. Also I have a Java
>> application which allows them to change their password using LDAP.
>> Will existing passwords continue to work when using LDAP
>> authentication/password changes? It is only Kerberos authentication
>> which requires users to re-login on this special page?
>>
>
> If you update the password via LDAP using bind over SSL so that server
> has the password in clear the new Kerberos hashes will be generated
> automatically and kerberos will become usable for these users once again.
>
> Also SSSD has a nice feature to migrate user passwords. Read more about
> it in the SSSD docs.

Excellent, thanks for the repsponse. The LDAP bind must be over SSL,
correct? When not using SSL, I get:

"javax.security.auth.login.LoginException:
javax.security.auth.login.LoginException: LDAP bind failed for
uid=djscott,cn=users,cn=compat,dc=..."

When using LDAPS, I get:

"Exception in LdapRealm when trying to authenticate user.
javax.security.auth.login.LoginException:
javax.naming.CommunicationException: anonymous bind failed:
kelvin.example.com:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]"

So I guess I need to add a FreeIPA certificate into my Glassfish
keystore. Does this sound right? Should I create a certificate for my
service?:

https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service

Or should I be adding the CA of my FreeIPA installation?

Thanks,

Dan


>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to