On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote:
> Specifically, the way SSSD behaves is as follows:
> 1) Try to authenticate with Kerberos. If Kerberos responds that there's
> no hash for this user,
> 2) Ask FreeIPA if migration mode is enabled, if it is,
> 3) Try to bind to FreeIPA LDAP using the same password. If this
> succeeds, we know that the password is valid
> 4) Initiate a kerberos password-change to set the kerberos password
> equal to the LDAP password.

Is it supported to run a mixed ldap bind / kerberos environment? I'm
thinking of letting all old RHEL4 and RHEL5 systems keep running ldap
bind authentication, and only enable kerberos/sssd on RHEL6 initially.

After 3 months, or so, all users should have been forced to change their
passwords through the password expiry policy. Will then the RHEL4/5
clients also update kerberos password when they're forced to change their
LDAP password?


Freeipa-users mailing list
