Hi Simo:

> Normally this is not actually allowed, the reason is that kerberos needs keys
> generated, and can't work with the userPassword hash, so we prevent storing any
> hash in userPassword and reject any attempt that does not involve a clear text
> password.

That makes sense. Thank you for clearing that up.

> However if you enable the migration mode we do allow to set the hash, what we
> expect then is to have either users or some application to authenticate via an
> ldap bind that sends a clear text password. While in migration mode, a bind
> will check if the password is valid, and if it is it will generate the kerberos
> keys out of it.

That also makes sense and it is a great way to transfer users from an existing 
LDAP to FreeIPA.

Unfortunately, the problem I have is that I have the user data and the hashed 
password in a standalone database and I want to move it into FreeIPA without 
requiring the users to re-authenticate. I do not have a plaintext password and 
I do not have an LDAP DB. From what you and Mark have said, I need to find a 
way to emulate migration mode for my setup or, if possible, insert the existing 
hash directly in Kerberos. Does that make sense?

Regards,

Joe

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: Monday, June 25, 2012 4:50 AM
To: Mark Reynolds
Cc: Joe Linoff; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote:
> Hi Joe,
> 
> I'm not really an IPA guy, but IPA uses 389 directory server as its 
> backend.  You would need to convert your DB entries to LDAP 
> entries, but 389 supports your password type, so it should not be a 
> problem if you copy & paste the password hashes.  LDAP expects the 
> password to be something like:
> 
> userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==
> Mark

Normally this is not actually allowed, the reason is that kerberos needs keys 
generated, and can't work with the userPassword hash, so we prevent storing any 
hash in userPassword and reject any attempt that does not involve a clear text 
password.

However if you enable the migration mode we do allow to set the hash, what we 
expect then is to have either users or some application to authenticate via an 
ldap bind that sends a clear text password. While in migration mode, a bind 
will check if the password is valid, and if it is it will generate the kerberos 
keys out of it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
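As an added illustration, not code from the thread or from FreeIPA itself, this Python models the migration-mode bind Simo describes: the cleartext password sent in the bind is checked against a stored `{SSHA}` userPassword value of the form Mark shows, and only when that check passes is the cleartext treated as available for generating the Kerberos keys. The hash is constructed here; the key-derivation step is a labelled placeholder, not IPA's real string-to-key.

```python
import base64
import hashlib
import hmac
import os

# 389-ds stores an SSHA password as "{SSHA}" + base64(sha1(password + salt) + salt).
SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20


def make_ssha(password, salt=None):
    """Build a {SSHA} userPassword value (used only to construct sample data)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a cleartext bind password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    if len(raw) < SHA1_LEN:
        raise ValueError("truncated {SSHA} value")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison so a failed bind leaks nothing about the digest.
    return hmac.compare_digest(candidate, digest)


def migration_bind(entry, password):
    """Model of a bind in migration mode: validate the cleartext against the
    stored hash, and only on success mark the entry as having Kerberos keys.
    Returns (bind_ok, entry)."""
    if not verify_ssha(entry["userPassword"], password):
        return False, entry
    # Placeholder (assumption, not IPA code): the KDC would now derive the
    # Kerberos keys from the cleartext it has just validated.
    entry["kerberos_keys_generated"] = True
    return True, entry


if __name__ == "__main__":
    # Constructed sample entry with a fixed salt so the run is reproducible.
    sample = {"uid": "jdoe", "userPassword": make_ssha("Correct-Horse", b"saltsalt")}
    print(migration_bind(dict(sample), "wrong-guess"))
    print(migration_bind(dict(sample), "Correct-Horse"))
```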


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
