On Fri, 2011-09-23 at 10:20 +0200, Jan-Frode Myklebust wrote:
> On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote:
> > 
> > Specifically, the way SSSD behaves is as follows:
> > 1) Try to authenticate with Kerberos. If Kerberos responds that there's
> > no hash for this user,
> > 2) Ask FreeIPA if migration mode is enabled, if it is,
> > 3) Try to bind to FreeIPA LDAP using the same password. If this
> > succeeds, we know that the password is valid
> > 4) Initiate a kerberos password-change to set the kerberos password
> > equal to the LDAP password.
> Is it supported to run a mixed ldap bind / kerberos environment? I'm
> thinking of letting all old RHEL4 and RHEL5 systems keep running ldap
> bind authentication, and only enable kerberos/sssd on RHEL6 initially.

Yes, that's ok, ldap auth is there explicit to support clients that
can't do kerb auth for whatever reason.

> After 3 months, or so, all users should have been forced to change their
> passwords trough the password expiry policy. Will then the RHEL4/5
> klients also update kerberos password when they're forced to change their
> LDAP password ?

They should.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to