On Fri, 2011-09-23 at 10:20 +0200, Jan-Frode Myklebust wrote:
> On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote:
> >
> > Specifically, the way SSSD behaves is as follows:
> > 1) Try to authenticate with Kerberos. If Kerberos responds that there's
> > no hash for this user,
> > 2) Ask FreeIPA if migration mode is enabled, if it is,
> > 3) Try to bind to FreeIPA LDAP using the same password. If this
> > succeeds, we know that the password is valid
> > 4) Initiate a kerberos password-change to set the kerberos password
> > equal to the LDAP password.
>
> Is it supported to run a mixed ldap bind / kerberos environment? I'm
> thinking of letting all old RHEL4 and RHEL5 systems keep running ldap
> bind authentication, and only enable kerberos/sssd on RHEL6 initially.

Yes, that's ok, ldap auth is there explicitly to support clients that can't
do kerb auth for whatever reason.

> After 3 months, or so, all users should have been forced to change their
> passwords through the password expiry policy. Will then the RHEL4/5
> clients also update kerberos password when they're forced to change their
> LDAP password?

They should.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
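As an added example (not part of the thread and not FreeIPA or SSSD code): a small audit an administrator could run during the mixed-mode period, listing accounts that still have an LDAP hash but no Kerberos key and would therefore hit step 1 of the flow quoted above. It assumes an LDIF export of the user subtree in which `userPassword` and `krbPrincipalKey` are readable; the sample entries and `dc=example,dc=com` are constructed.

```python
import base64

# Constructed sample export, not data from the thread. Assumes the bind
# identity may read userPassword and krbPrincipalKey (normally restricted).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQ=

dn: uid=bob,cn=users,cn=accounts,
 dc=example,dc=com
uid: bob
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=svc,cn=users,cn=accounts,dc=example,dc=com
uid: svc
"""

def parse_ldif(text):
    """Return one {attr_lowercase: [bytes, ...]} dict per LDIF entry."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # "attr:: base64"
                data = base64.b64decode(value[1:].strip())
            else:
                data = value.strip().encode()
            entry.setdefault(attr.lower(), []).append(data)
        if "dn" in entry:
            entries.append(entry)
    return entries

def migration_status(entries):
    """Group uids by whether a Kerberos key exists next to the LDAP hash."""
    status = {"migrated": [], "ldap_only": [], "no_password": []}
    for entry in entries:
        uid = entry.get("uid", entry["dn"])[0].decode()
        if "krbprincipalkey" in entry:
            status["migrated"].append(uid)
        elif "userpassword" in entry:
            status["ldap_only"].append(uid)      # step 1 would find no hash
        else:
            status["no_password"].append(uid)
    return status
```

Accounts reported as `ldap_only` are the ones that still depend on migration mode or on a password change to obtain a Kerberos key.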
