On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
> 
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
> 
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: big...@example.com
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
> 
> Unfortunately, I am new to IPA so I don’t yet understand the internals
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.


You do not need to populate the Kerberos password fields directly. Once
you migrate your DB users to LDAP, if you enable IPA's "migration
mode" (see the docs on how), the next time a user binds to LDAP using
their existing password, a pre-bind plugin on FreeIPA will catch the
plaintext password and use it to populate the Kerberos password fields
automatically.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
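
As an added example (not part of the original thread and not FreeIPA's own code), this script parses `ldapsearch -LLL` output like that quoted above, handling folded lines and base64 `::` values, and lists accounts that still need a first LDAP bind in migration mode. The sample entries are constructed, and treating a missing `krbLastPwdChange` as "no Kerberos password data yet" is an assumption of the example.

```python
import base64
from datetime import datetime, timezone

# Constructed sample in `ldapsearch -LLL` format: alice has bound once, carol has not.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=exam
 ple,dc=com
krbLastPwdChange: 20120530170153Z
krbPasswordExpiration: 20120828170153Z
krbExtraData:: AAgBAA==

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, rest = line.partition(":")
        # "attr:: value" carries base64; keep the decoded bytes
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return entries

def krb_time(value):
    """Convert a generalized-time value such as 20120530170153Z to a UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def pending_first_bind(entries):
    # Assumption of this example: no krbLastPwdChange means no Kerberos password data yet.
    return [e["uid"][0] for e in entries if "krblastpwdchange" not in e]

def password_lifetime_days(entry):
    change, expiry = (krb_time(entry[a][0]) for a in ("krblastpwdchange", "krbpasswordexpiration"))
    return (expiry - change).days
```
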
