On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <[email protected]> wrote:
> > On 09/07/2011 02:45 PM, Dan Scott wrote:
> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> >> migration, the script says:
> >>
> >> "Passwords have been migrated in pre-hashed format.
> >> IPA is unable to generate Kerberos keys unless provided
> >> with clear text passwords. All migrated users need to
> >> login at https://your.domain/ipa/migration/ before they
> >> can use their Kerberos accounts."
> >>
> >> I have some users who are authenticated via LDAP. Also I have a Java
> >> application which allows them to change their password using LDAP.
> >> Will existing passwords continue to work when using LDAP
> >> authentication/password changes? Is it only Kerberos authentication
> >> which requires users to re-login on this special page?
> >>
> >
> > If you update the password via LDAP using a bind over SSL, so that the server
> > has the password in the clear, the new Kerberos hashes will be generated
> > automatically and Kerberos will become usable for these users once again.
> >
> > Also SSSD has a nice feature to migrate user passwords. Read more about
> > it in the SSSD docs.
>
> Excellent, thanks for the response. The LDAP bind must be over SSL,
> correct? When not using SSL, I get:
>
> "javax.security.auth.login.LoginException:
> javax.security.auth.login.LoginException: LDAP bind failed for
> uid=djscott,cn=users,cn=compat,dc=..."
>
> When using LDAPS, I get:
>
> "Exception in LdapRealm when trying to authenticate user.
> javax.security.auth.login.LoginException:
> javax.naming.CommunicationException: anonymous bind failed:
> kelvin.example.com:636 [Root exception is
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]"
>
> So I guess I need to add a FreeIPA certificate into my Glassfish
> keystore. Does this sound right? Should I create a certificate for my
> service?:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>
> Or should I be adding the CA of my FreeIPA installation?
You need to add and trust the FreeIPA CA certificate to your glassfish CA cert store.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
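The two points made in the thread above (the password only reaches the server in the clear if the application does a simple bind inside TLS, and the client must trust the FreeIPA CA rather than some per-service certificate) are easiest to see with the LDAP wire format in front of you. The following is an added example written for this thread, not code from FreeIPA, GlassFish or any poster. It uses only the Python standard library, hand-encodes the LDAP BindRequest and BindResponse in BER as specified in RFC 4511, and assumes the IPA CA certificate is at /etc/ipa/ca.crt (the copy an IPA client installation leaves behind) and a constructed user DN under cn=users,cn=accounts. The host name kelvin.example.com is the one from the thread; the sample responses it parses are constructed here.

```python
# Added example for this thread (not FreeIPA, GlassFish or list code): a minimal
# LDAP simple bind over LDAPS that trusts only the FreeIPA CA, with the LDAP
# messages hand-encoded in BER (RFC 4511) so the wire format is visible.
import socket
import ssl

IPA_CA_FILE = "/etc/ipa/ca.crt"  # assumed: CA copy left by ipa-client-install
LDAP_INVALID_CREDENTIALS = 49    # RFC 4511 resultCode; 0 is success

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(n):
    """BER INTEGER in minimal two's-complement form."""
    return tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def bind_request(message_id, dn, password):
    """LDAPMessage{messageID, BindRequest{version 3, name, simple [0] password}}.
    The password is a plain OCTET STRING: only the TLS session protects it."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)

def bind_response(message_id, result_code, diagnostic=""):
    """Encode a BindResponse as a server would (used here to build constructed samples)."""
    result = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, diagnostic.encode())
    return tlv(0x30, ber_int(message_id) + tlv(0x61, result))

def ber_read(buf, pos):
    """Return (tag, content, next_pos) for the BER element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from an encoded BindResponse."""
    tag, msg, _ = ber_read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = ber_read(msg, 0)
    tag, resp, _ = ber_read(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = ber_read(resp, 0)    # resultCode ENUMERATED
    _, _dn, pos = ber_read(resp, pos)   # matchedDN (unused here)
    _, diag, _ = ber_read(resp, pos)    # diagnosticMessage
    return (int.from_bytes(mid, "big", signed=True), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def ipa_tls_context(ca_file=IPA_CA_FILE):
    """Trust only the IPA CA and verify the hostname; a server certificate that does
    not chain to this CA fails the handshake (Java reports it as 'PKIX path building failed')."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def recv_message(sock):
    """Read exactly one BER element (one LDAPMessage) from the socket."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if len(buf) < 2:
            continue
        first = buf[1]
        hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
        if len(buf) >= hdr:
            body = first if first < 0x80 else int.from_bytes(buf[2:hdr], "big")
            if len(buf) >= hdr + body:
                return buf[:hdr + body]

def simple_bind(host, dn, password, ca_file=IPA_CA_FILE, port=636):
    """Simple bind over LDAPS; returns (message_id, result_code, diagnostic)."""
    ctx = ipa_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return parse_bind_response(recv_message(tls))

if __name__ == "__main__":
    # kelvin.example.com is the host from the thread; DN and password are constructed.
    print(simple_bind("kelvin.example.com",
                      "uid=alice,cn=users,cn=accounts,dc=example,dc=com", "s3cret"))
```

The bind_request output shows why the reply insists on SSL: the password is an unencrypted OCTET STRING inside the message, and that is exactly what lets IPA derive the Kerberos keys from a password change or bind, so the TLS session is the only thing keeping it off the wire. The same context that protects it is what rejects an untrusted server, which is the condition behind the Java "unable to find valid certification path" error; importing the IPA CA into the GlassFish truststore (rather than a certificate for the service itself) clears it because the LDAP server's certificate chains to that CA.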
