On Tue, 2011-09-20 at 09:59 -0400, Dmitri Pal wrote:
> 3) After importing users, use SSSD in migration mode (special setting in
> SSSD config). In this case, for any user without a Kerberos hash who would
> log in via SSSD, SSSD would connect to IPA in a special way and trigger the
> Kerberos hash generation.

Migration mode in SSSD is not a client-side configuration. We ask the
FreeIPA server whether migration is active.

Specifically, the way SSSD behaves is as follows:
1) Try to authenticate with Kerberos. If Kerberos responds that there's
no hash for this user,
2) Ask FreeIPA if migration mode is enabled. If it is,
3) Try to bind to FreeIPA LDAP using the same password. If this
succeeds, we know that the password is valid.
4) Initiate a Kerberos password-change to set the Kerberos password
equal to the LDAP password.


Freeipa-users mailing list

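The fallback sequence described in the reply above, modelled as an added example; it is not part of the original message and is not SSSD or FreeIPA code. `ToyServer`, `authenticate` and the result strings are hypothetical names, and the in-memory server with PBKDF2 hashes is a constructed stand-in for the real LDAP directory and KDC.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class ToyServer:
    """Constructed in-memory stand-in for a FreeIPA server (LDAP + KDC)."""
    migration_enabled: bool                     # server-side flag, not client config
    ldap: dict = field(default_factory=dict)    # user -> (salt, password hash)
    krb: dict = field(default_factory=dict)     # user -> (salt, Kerberos key)

    def import_user(self, user, password):
        # Migrated users arrive with an LDAP hash only, no Kerberos key.
        salt = os.urandom(16)
        self.ldap[user] = (salt, _hash(password, salt))

    def kinit(self, user, password):
        if user not in self.krb:
            return "NO_KEY"
        salt, key = self.krb[user]
        ok = hmac.compare_digest(key, _hash(password, salt))
        return "OK" if ok else "BAD_PASSWORD"

    def ldap_bind(self, user, password):
        if user not in self.ldap:
            return False
        salt, stored = self.ldap[user]
        return hmac.compare_digest(stored, _hash(password, salt))

    def kpasswd(self, user, password):
        salt = os.urandom(16)
        self.krb[user] = (salt, _hash(password, salt))

def authenticate(server, user, password):
    """Return (success, path_taken) following the four steps in the message."""
    result = server.kinit(user, password)        # 1) try Kerberos first
    if result == "OK":
        return True, "kerberos"
    if result != "NO_KEY":                       # a wrong password never falls back
        return False, "kerberos-rejected"
    if not server.migration_enabled:             # 2) ask the server, not local config
        return False, "migration-disabled"
    if not server.ldap_bind(user, password):     # 3) bind proves the password is valid
        return False, "ldap-bind-failed"
    server.kpasswd(user, password)               # 4) set Kerberos password = LDAP password
    return True, "migrated"
```

The ordering matters: the Kerberos key is written only after the LDAP bind has verified the password, and only while the server reports migration as active.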