On 09/20/2011 09:18 AM, Jan-Frode Myklebust wrote:
> We have an existing user database managed by Sun Identity Manager,
> which populates a centos-directory-server. The users in the directory
> server have all passwords hassed with SSHA, and "ipa migrate-ds" told me
> that the passwords has been migrated in pre-hashed format.
> Luckily Sun Identity Manager has the plain text passwords hidden away
> somewhere, and should let me change hash algorithm. For the selection
> of password hash algorithm, it says:
> Password Hash Algorithm
> Indicates the algorithm that the system should use to hash the password.
> Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE
> or no value indicates that the system will not hash passwords. This will
> cause cleartext passwords to be stored in LDAP unless the LDAP server
> performs the hash (Netscape Directory Server and iPlanet Directory
> Server do).
> Will the ipa-migration handle any of these formats ? Which would be the
> preferred ?
I am not sure it keeps it in clear internally anywhere. Password is
always hashed unless you explicitly set it to be cleartext in the
The problem is not with password hash but with Kerberos password. While
your LDAP hashes most likely will be migrated and supported you will
still be missing kerberos hashes. To create these hashes in IPA one has
1) Reset passwords in IPA and let users set them.
2) After importing users turn on the password set screen and point users
to this web page to pass authentication. IPA will capture password, make
sure it matches ldap hash and will generate the Kerberos hash.
3) After importing users use SSSD in migration mode (special setting in
SSSD config). In this case for any user without kerberos hash who would
log via SSSD the SSSD would connect IPA in a special way and trigger the
Kerberos hash generation.
> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list