Hi,

On Thu, Sep 8, 2011 at 21:20, Simo Sorce <[email protected]> wrote:
> On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <[email protected]> wrote:
>> > On 09/07/2011 02:45 PM, Dan Scott wrote:
>> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> >> migration, the script says:
>> >>
>> >> "Passwords have been migrated in pre-hashed format.
>> >> IPA is unable to generate Kerberos keys unless provided
>> >> with clear text passwords. All migrated users need to
>> >> login at https://your.domain/ipa/migration/ before they
>> >> can use their Kerberos accounts."
>> >>
>> >> I have some users who are authenticated via LDAP. Also I have a Java
>> >> application which allows them to change their password using LDAP.
>> >> Will existing passwords continue to work when using LDAP
>> >> authentication/password changes? It is only Kerberos authentication
>> >> which requires users to re-login on this special page?
>> >>
>> >
>> > If you update the password via LDAP using bind over SSL so that server
>> > has the password in clear the new Kerberos hashes will be generated
>> > automatically and kerberos will become usable for these users once again.
>> >
>> > Also SSSD has a nice feature to migrate user passwords. Read more about
>> > it in the SSSD docs.
>>
>> Excellent, thanks for the response. The LDAP bind must be over SSL,
>> correct? When not using SSL, I get:
>>
>> "javax.security.auth.login.LoginException:
>> javax.security.auth.login.LoginException: LDAP bind failed for
>> uid=djscott,cn=users,cn=compat,dc=..."
>>
>> When using LDAPS, I get:
>>
>> "Exception in LdapRealm when trying to authenticate user.
>> javax.security.auth.login.LoginException:
>> javax.naming.CommunicationException: anonymous bind failed:
>> kelvin.example.com:636 [Root exception is
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target]"
>>
>> So I guess I need to add a FreeIPA certificate into my Glassfish
>> keystore. Does this sound right? Should I create a certificate for my
>> service?:
>>
>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>>
>> Or should I be adding the CA of my FreeIPA installation?
>
> You need to add and trust the FreeIPA CA certificate to your glassfish
> CA cert store.

Thanks, I'm getting closer. I now receive the "LDAP bind failed for"
message when attempting LDAPS authentication. Is there a way I can test
LDAPS authentication from the command line?

Dan

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
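An added example, not part of the thread, covering Simo's advice (trust the FreeIPA CA in the Glassfish truststore) and Dan's last question (exercise an LDAPS simple bind from the command line with OpenLDAP's ldapsearch, independent of the Java realm). Assumed values: the IPA host from the error above, the CA file /etc/ipa/ca.crt as placed by ipa-client-install, a Glassfish domain truststore path, and a user entry under cn=users,cn=accounts; adjust them to your installation.

```shell
#!/bin/sh
# Added example; the paths and names below are assumptions, not from the thread.
IPA_HOST="${IPA_HOST:-kelvin.example.com}"
IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"
GF_TRUSTSTORE="${GF_TRUSTSTORE:-/opt/glassfish/glassfish/domains/domain1/config/cacerts.jks}"
GF_STOREPASS="${GF_STOREPASS:-changeit}"   # Glassfish default; change it in production

# Step 1: trust the FreeIPA CA in the JVM truststore Glassfish uses, so the
# JNDI LDAPS connection no longer fails with "PKIX path building failed".
import_ipa_ca() {
    keytool -importcert -noprompt -trustcacerts -alias freeipa-ca \
        -file "$IPA_CA" -keystore "$GF_TRUSTSTORE" -storepass "$GF_STOREPASS"
}

# Step 2: test an LDAPS simple bind as a user, validating the server cert
# against the same CA. -W prompts for the password instead of exposing it
# on the command line. Returns ldapsearch's exit status (the LDAP result code).
ldaps_bind_check() {
    user="$1"; base="$2"
    LDAPTLS_CACERT="$IPA_CA" ldapsearch -x -H "ldaps://$IPA_HOST:636" \
        -D "uid=$user,cn=users,cn=accounts,$base" -W \
        -b "cn=users,cn=accounts,$base" "(uid=$user)" dn
}

# Translate the exit status of ldaps_bind_check into a diagnosis.
explain_ldap_rc() {
    case "$1" in
        0)   echo "bind ok" ;;
        49)  echo "invalidCredentials (49): the server rejected the bind DN or password" ;;
        255) echo "cannot contact server (-1): TLS handshake or connectivity problem, check CA trust" ;;
        *)   echo "LDAP result code $1" ;;
    esac
}

# Typical use (interactive, so not run automatically here):
#   import_ipa_ca
#   ldaps_bind_check djscott dc=example,dc=com; explain_ldap_rc $?
```

A successful bind here with the same DN and password that Glassfish rejects narrows the problem to the realm's configured DN pattern or base; a 49 here means the server itself rejects the credentials.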
