On 09/20/2011 09:18 AM, Jan-Frode Myklebust wrote:
> We have an existing user database managed by Sun Identity Manager,
> which populates a centos-directory-server. The users in the directory
> server have all passwords hashed with SSHA, and "ipa migrate-ds" told me
> that the passwords have been migrated in pre-hashed format.
>
> Luckily Sun Identity Manager has the plain text passwords hidden away
> somewhere, and should let me change hash algorithm. For the selection
> of password hash algorithm, it says:
>
> Password Hash Algorithm
> -------------------------
> Indicates the algorithm that the system should use to hash the password.
> Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE
> or no value indicates that the system will not hash passwords. This will
> cause cleartext passwords to be stored in LDAP unless the LDAP server
> performs the hash (Netscape Directory Server and iPlanet Directory
> Server do).
>
> Will the ipa-migration handle any of these formats? Which would be the
> preferred?
>

I am not sure it keeps it in clear internally anywhere. Password is
always hashed unless you explicitly set it to be cleartext in the
setting above.

The problem is not with password hash but with Kerberos password.
While your LDAP hashes most likely will be migrated and supported, you
will still be missing Kerberos hashes. To create these hashes in IPA
one has three options:

1) Reset passwords in IPA and let users set them.
2) After importing users, turn on the password set screen and point users
to this web page to pass authentication. IPA will capture the password, make
sure it matches the LDAP hash and will generate the Kerberos hash.
3) After importing users, use SSSD in migration mode (special setting in
SSSD config). In this case, for any user without a Kerberos hash who would
log in via SSSD, SSSD would connect to IPA in a special way and trigger
the Kerberos hash generation.

> -jf
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
