Hi Mark:

 

I did not find any entries related to passwords in the LDAP record.
There were some entries that looked as though they were related to
Kerberos which might be useful.

% ldapseach -LLL -x -b
"uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb

krbPwdPolicyReference:
cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=

krbPrincipalName: big...@example.com

krbLastPwdChange: 20120530170153Z

krbPasswordExpiration: 20120828170153Z

krbExtraData:: AAgBAA==

krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A

krbLastSuccessfulAuth: 20120621180658Z

krbLastFailedAuth: 20120620013218Z

krbLoginFailedCount: 0

 

Unfortunately, I am new to IPA so I don't yet understand the internals
for password management. Can you suggest any documentation I can read? I
am fairly familiar with LDAP and Kerberos.

 

Thanks,

 

Joe

 

 

From: Joe Linoff 
Sent: Sunday, June 24, 2012 2:43 PM
To: Mark Reynolds
Cc: freeipa-users@redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

 

Hi Mark:

 

Thank you, that is really helpful. 

 

Regards,

 

Joe

 

From: Mark Reynolds [mailto:marey...@redhat.com] 
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

 

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its
backend.  You would need to convert the your DB entries to LDAP entries,
but 389 supports your password type, so it should not be a problem if
you copy & paste the password hashes.  LDAP expects the password to be
something like:

 userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote: 

Hi Everybody:

 

We have a legacy web based application (CakePHP) that stores user data
in a DB and I would like to transfer that information to a FreeIPA
Identity Management Server without requiring the users to re-enter their
passwords (if possible).

 

How would I do that?

 

I know that the DB stores the password as a SHA-1 hash with a salt. I
was hoping that there was a way for the administrator to directly copy
the SHA-1 password hash from the DB into the Free-IPA LDAP for the user
but I don't even know if that is a reasonable expectation.

 

Any help would be greatly appreciated.

 

Thanks,

 

Joe

 

 





_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

 

-- 
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreyno...@redhat.com
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to