> You do not need to populate the Kerberos password fields directly. Once you
> migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the
> docs on how), the next time a user binds to LDAP using their existing
> password, a pre-bind plugin on FreeIPA will catch the plaintext password and
> use it to populate the Kerberos password fields automatically.

Thank you, that makes sense, but my problem is doing the initial migration. How do I get the existing user data into LDAP using the hashed password from the old database?

Regards,
Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgall...@redhat.com]
Sent: Monday, June 25, 2012 4:20 AM
To: Joe Linoff
Cc: Mark Reynolds; firstname.lastname@example.org
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
>
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
>
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: big...@example.com
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
>
> Unfortunately, I am new to IPA so I don’t yet understand the internals
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.

You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
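
The migration-mode flow described in this thread depends on the first LDAP bind still verifying against the user's old password, so the old hash has to arrive as a `userPassword` value the directory can check. The sketch below is an added example, not code from the thread or from FreeIPA: it repacks a salted SHA-1 digest into the `{SSHA}` form and confirms the original password still verifies. The old database's column names and its SHA-1(password + salt) layout are assumptions, and loading the resulting entry into the directory is left out.

```python
import base64
import hashlib
import hmac

# Constructed sample row. Column names and the hash layout (hex SHA-1 over
# password || salt, salt kept in its own column) are assumptions about the old DB.
_SALT = "a1b2c3d4e5f60718"
OLD_ROWS = [{
    "login": "bigbob", "first": "Big", "last": "Bob", "salt_hex": _SALT,
    "sha1_hex": hashlib.sha1(b"correct horse" + bytes.fromhex(_SALT)).hexdigest(),
}]

def to_ssha(sha1_hex, salt_hex):
    """Repack an existing salted SHA-1 digest as an {SSHA} userPassword value."""
    digest = bytes.fromhex(sha1_hex)
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    blob = base64.b64encode(digest + bytes.fromhex(salt_hex))
    return "{SSHA}" + blob.decode("ascii")

def check_ssha(value, password):
    """Verify a plaintext against an {SSHA} value, as a simple bind must."""
    if not value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(value[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

def to_entry(row, base="cn=users,cn=accounts,dc=example,dc=com"):
    """Map one old-DB row to a DN plus the attributes to load."""
    return {
        "dn": "uid=%s,%s" % (row["login"], base),
        "uid": row["login"],
        "givenName": row["first"],
        "sn": row["last"],
        "userPassword": to_ssha(row["sha1_hex"], row["salt_hex"]),
    }

if __name__ == "__main__":
    for row in OLD_ROWS:
        entry = to_entry(row)
        print(entry["dn"], entry["userPassword"])
        print("bind would succeed:", check_ssha(entry["userPassword"], b"correct horse"))
```

A database that hashes as salt + password, or with a different algorithm, needs a different scheme tag and byte order; repacking it as `{SSHA}` would make every bind fail.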