On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote:
> Hi Joe,
> I'm not really an IPA guy, but IPA uses 389 directory server as its
> backend.  You would need to convert the your DB entries to LDAP
> entries, but 389 supports your password type, so it should not be a
> problem if you copy & paste the password hashes.  LDAP expects the
> password to be something like:
> userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==
> Mark

Normally this is not actually allowed, the reason is that kerberos needs
keys generated, and can't work with the userPasswrod hash, so we prevent
storing any hash in userPassword and reject any attempt that does not
involve a clear text password.

However if you enable the migration mode we do allow to set the hash,
what we expect then is to have either users or some application to
authenticate via an ldap bind that sends a clear text password. While in
migration mode, a bind will check if the password is valid, and if it is
it will generate the kerberos keys out of it.


Simo Sorce * Red Hat, Inc * New York

Freeipa-users mailing list

Reply via email to