Hi, On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <d...@redhat.com> wrote: > On 09/07/2011 02:45 PM, Dan Scott wrote: >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After >> migration, the script says: >> >> "Passwords have been migrated in pre-hashed format. >> IPA is unable to generate Kerberos keys unless provided >> with clear text passwords. All migrated users need to >> login at https://your.domain/ipa/migration/ before they >> can use their Kerberos accounts." >> >> I have some users who are authenticated via LDAP. Also I have a Java >> application which allows them to change their password using LDAP. >> Will existing passwords continue to work when using LDAP >> authentication/password changes? It is only Kerberos authentication >> which requires users to re-login on this special page? >> > > If you update the password via LDAP using bind over SSL so that server > has the password in clear the new Kerberos hashes will be generated > automatically and kerberos will become usable for these users once again. > > Also SSSD has a nice feature to migrate user passwords. Read more about > it in the SSSD docs.
Excellent, thanks for the repsponse. The LDAP bind must be over SSL, correct? When not using SSL, I get: "javax.security.auth.login.LoginException: javax.security.auth.login.LoginException: LDAP bind failed for uid=djscott,cn=users,cn=compat,dc=..." When using LDAPS, I get: "Exception in LdapRealm when trying to authenticate user. javax.security.auth.login.LoginException: javax.naming.CommunicationException: anonymous bind failed: kelvin.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]" So I guess I need to add a FreeIPA certificate into my Glassfish keystore. Does this sound right? Should I create a certificate for my service?: https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service Or should I be adding the CA of my FreeIPA installation? Thanks, Dan >> _______________________________________________ >> Freeipa-users mailing list >> Freeipaemail@example.com >> https://www.redhat.com/mailman/listinfo/freeipa-users > > > -- > Thank you, > Dmitri Pal > > Sr. Engineering Manager IPA project, > Red Hat Inc. > > > ------------------------------- > Looking to carve out IT costs? > www.redhat.com/carveoutcosts/ > > > > _______________________________________________ > Freeipa-users mailing list > Freeipafirstname.lastname@example.org > https://www.redhat.com/mailman/listinfo/freeipa-users > _______________________________________________ Freeipa-users mailing list Freeipaemail@example.com https://www.redhat.com/mailman/listinfo/freeipa-users