On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
> Unfortunately, the problem I have is that I have the user data and the
> hashed password in a standalone database and I want to move it into
> FreeIPA without requiring the users to re-authenticate. I do not have
> a plaintext password and I do not have an LDAP DB. From what you and
> Mark have said, I need to find a way to emulate migration mode for my
> setup or, if possible, insert the existing hash directly in Kerberos.
> Does that make sense?

Not really.
A few questions:
- how do users authenticate to CakePHP at the moment?
- how are passwords stored in your current DB?

If users authenticate by passing in a username/password combo you have
various options, in the sense you should be able to modify the cakePHP
application to recalculate a valid SHA hash and dump it into a file.

If the app db already contains a good hash that is supported by 389ds
then you can simply grab the hashes from there.

Once you have hashes you can create a script that lists users in cakePHP
and for each of them create a new freeipa user via ipa user-add

Then you switch to migration mode and you can use another script to
store the hashes you collected in each user's userPassword field.

Finally change your cakePHP app to make an ldap bind to authenticate
users instead of checking its own database.

This procedure requires some advanced scripting ability, and minor
segues into firing a few ldapmodify commands with a very simple template
ldif and a couple substitutions.

However this is a possible solution.


Simo Sorce * Red Hat, Inc * New York
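The three scripted steps Simo outlines (one `ipa user-add` per CakePHP user, then a templated LDIF pushed with `ldapmodify` while migration mode is on) can be driven from a CSV export of the application's user table. The script below is an added illustration, not code from the thread or from the FreeIPA project. It assumes FreeIPA's default user DIT (`uid=<user>,cn=users,cn=accounts,<base DN>`), a base DN of `dc=example,dc=com`, and hashes in a scheme 389-ds already understands; the CSV rows and `{SSHA}` values are constructed samples, not real credentials. It only prints the commands it would run and writes the LDIF to a file, so the plan can be reviewed before anything touches the directory.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or FreeIPA itself):
# build the migration plan Simo describes from a CSV export of the
# CakePHP user table. Assumptions: FreeIPA's default user DIT, the base
# DN below, and password hashes that 389-ds can verify ({SSHA}/{SHA}/{CRYPT}).
# Nothing here contacts a server; commands are printed, not executed.

BASEDN="${BASEDN:-dc=example,dc=com}"

# Constructed sample export: uid,first,last,hash (NOT real credentials).
SAMPLE_CSV='jdoe,John,Doe,{SSHA}c2FtcGxlLXNhbHRlZC1oYXNoLXZhbHVl
asmith,Alice,Smith,{SSHA}YW5vdGhlci1zYW1wbGUtaGFzaC12YWx1ZQ=='

# Reject uids that could alter the DN or smuggle extra LDIF lines.
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Step 1: one `ipa user-add` per CakePHP user (printed, not run).
plan_user_add() {
    uid=$1; first=$2; last=$3
    printf 'ipa user-add %s --first=%s --last=%s\n' "$uid" "$first" "$last"
}

# Step 2: the LDIF template with its two substitutions (uid and hash).
render_ldif() {
    uid=$1; pwhash=$2
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n\n' \
        "$uid" "$BASEDN" "$pwhash"
}

# Read "uid,first,last,hash" rows from stdin; print the user-add plan on
# stdout and append the LDIF entries to the file named in $1.
# Rows with an unsafe uid or an unsupported hash scheme are skipped.
csv_to_migration() {
    ldif_out=$1
    : > "$ldif_out"
    while IFS=, read -r uid first last pwhash; do
        valid_uid "$uid" || { printf 'skip: bad uid %s\n' "$uid" >&2; continue; }
        case "$pwhash" in
            "{SSHA}"*|"{SHA}"*|"{CRYPT}"*) ;;
            *) printf 'skip: unsupported hash for %s\n' "$uid" >&2; continue ;;
        esac
        plan_user_add "$uid" "$first" "$last"
        render_ldif "$uid" "$pwhash" >> "$ldif_out"
    done
}

# Stand-alone demo: render the plan for the constructed sample export.
demo_ldif=$(mktemp)
printf '%s\n' "$SAMPLE_CSV" | csv_to_migration "$demo_ldif"
# Step 3: enable migration mode only for the window in which the hashes
# are loaded, then turn it back off.
echo 'ipa config-mod --enable-migration=TRUE'
echo "ldapmodify -x -D 'cn=Directory Manager' -W -f $demo_ldif"
echo 'ipa config-mod --enable-migration=FALSE'
cat "$demo_ldif"
rm -f "$demo_ldif"
```

The uid check is the part worth keeping in a real run: the uid goes straight into a DN and into LDIF, so a value with a comma or newline from the application database would otherwise change which entry the `replace: userPassword` lands on.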

Freeipa-users mailing list