Hi Simo:

I really appreciate your help.

>> If users authenticate by passing in a username/password combo you have
>> various options, in the sense you should be able to modify the cakePHP
>> application to recalculate a valid SHA hash and dump it into a file.

That would be great.

>> If the app db already contains a good hash that is supported by 389ds then
>> you can simply grab the hashes from there.

I believe that it does. I perused the CakePHP code and found that it used this 
algorithm to create the password:

  // PHP
  $salt = Configure::read('Security.salt');
  // '.' is PHP string concatenation ('+' would try to add the strings numerically)
  $phpPasswd = sha1($salt . $plaintext);  // Same as Security::hash($plaintext, 'sha1', true);

Here is the same algorithm in python along with an LDAP encoding using SHA. 
They are embedding the salt along with the password so it is not SSHA.

  # python
  import hashlib
  from base64 import b64encode  # {SHA} uses standard base64, not the URL-safe alphabet

  # Security.salt from the CakePHP config (Configure::read('Security.salt'));
  # placeholder values here so the snippet runs stand-alone
  salt = 'SECURITY_SALT_FROM_CONFIG_FILE'
  plaintext = 'user-password'

  # SHA1 hash of salt + password, exactly what CakePHP computes
  h = hashlib.sha1((salt + plaintext).encode('utf-8'))

  # PHP password string: the hex digest stored in the CakePHP users table
  phpPasswd = h.hexdigest()

  # LDAP {SHA} value: base64 of the raw 20-byte digest. Because the salt is a
  # fixed value prepended before hashing (not stored next to the hash), this
  # is {SHA}, not {SSHA}.
  ldapPasswd = '{SHA}' + b64encode(h.digest()).decode('ascii')

  # ldapsearch prints userPassword as an LDIF base64 value ("userPassword:: ..."),
  # i.e. the whole "{SHA}..." string base64-encoded once more. This is what you
  # see when you run a command like:
  #   ldapsearch -LLL -x -w <passwd> -D 'cn=Directory Manager' \
  #     -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
  userPasswd = b64encode(ldapPasswd.encode('ascii')).decode('ascii')

>> Once you have hashes you can create a script that lists users in cakePHP and
>> for each of them create new freeipa users via ipa user-add

Ok. That sounds straightforward.

>> Then you switch to migration mode and you can use another script to store
>> the hashes you collected in each user's userPassword field.

That would be perfect but how do I switch to migration mode? 

Can I simply bind as the "Directory Manager" and update the userPassword field 
using something like ldapmodify or is there a better way?

Is there an example of script like this that I can look at?

>> Finally change your cakePHP app to make an ldap bind to authenticate users
>> instead of checking its own database.

Yup. 

>> This procedure requires some advanced scripting ability, and minor segues
>> into firing a few ldapmodify commands with a very simple template ldif and
>> a couple substitutions.
>> However this is a possible solution.

Yup, I really like it. I am going to give it a try. Should I use the 
ipalib/plugins/migration.py as a starting point or is there a more relevant 
module?

Thanks,

Joe

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com] 
Sent: Monday, June 25, 2012 6:07 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
> Unfortunately, the problem I have is that I have the user data and the 
> hashed password in a standalone database and I want to move it into 
> FreeIPA without requiring the users to re-authenticate. I do not have 
> a plaintext password and I do not have an LDAP DB. From what you and 
> Mark have said, I need to find a way to emulate migration mode for my 
> setup or, if possible, insert the existing hash directly in Kerberos.
> Does that make sense?

Not really.
A few questions:
- how do users authenticate to CakePHP at the moment?
- how are passwords stored in your current DB?

If users authenticate by passing in a username/password combo you have various 
options, in the sense you should be able to modify the cakePHP application to 
recalculate a valid SHA hash and dump it into a file.

If the app db already contains a good hash that is supported by 389ds then you
can simply grab the hashes from there.

Once you have hashes you can create a script that lists users in cakePHP and
for each of them create new freeipa users via ipa user-add

Then you switch to migration mode and you can use another script to store the 
hashes you collected in each user's userPassword field.

Finally change your cakePHP app to make an ldap bind to authenticate users
instead of checking its own database.

This procedure requires some advanced scripting ability, and minor segues into 
firing a few ldapmodify commands with a very simple template ldif and a couple 
substitutions.

However this is a possible solution.

Simo.


--
Simo Sorce * Red Hat, Inc * New York
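Putting Simo's procedure and Joe's hash algorithm together, as an added example (not code from either poster, from CakePHP or from FreeIPA): the hex SHA1 already in the CakePHP users table is converted straight into a {SHA} userPassword value, so no plaintext is ever needed, and one ldapmodify change record is produced per user. It assumes FreeIPA's standard user DN layout (uid=<user>,cn=users,cn=accounts,<base>) and uses constructed sample users and salt.

```python
import hashlib
from base64 import b64encode


def cake_hash(salt, plaintext):
    """CakePHP Security::hash($plaintext, 'sha1', true): sha1(salt . plaintext) as hex."""
    return hashlib.sha1((salt + plaintext).encode('utf-8')).hexdigest()


def php_hex_to_ldap_sha(hex_digest):
    """Turn the 40-char hex SHA1 from the CakePHP users table into a {SHA} value
    389-ds accepts. No plaintext is needed: hex and base64 encode the same
    20 raw digest bytes. Rejects anything that is not a SHA1 digest."""
    raw = bytes.fromhex(hex_digest)
    if len(raw) != 20:
        raise ValueError('not a SHA1 digest: %r' % hex_digest)
    return '{SHA}' + b64encode(raw).decode('ascii')


def ldif_for_user(uid, hex_digest, base_dn):
    """One ldapmodify change record: the 'template ldif with a couple of
    substitutions'. The value is written with '::' (base64) so LDIF never has
    to quote it; the directory stores the decoded '{SHA}...' string."""
    value = php_hex_to_ldap_sha(hex_digest)
    b64 = b64encode(value.encode('ascii')).decode('ascii')
    return ('dn: uid=%s,cn=users,cn=accounts,%s\n'
            'changetype: modify\n'
            'replace: userPassword\n'
            'userPassword:: %s\n' % (uid, base_dn, b64))


def build_ldif(users, base_dn):
    """users: iterable of (uid, hex_sha1) rows dumped from the CakePHP users table."""
    return '\n'.join(ldif_for_user(uid, h, base_dn) for uid, h in users)


# Constructed sample data standing in for a dump of the CakePHP users table.
SAMPLE_SALT = 'example-security-salt'
SAMPLE_USERS = [
    ('alice', cake_hash(SAMPLE_SALT, 'correct horse')),
    ('bob', cake_hash(SAMPLE_SALT, 'battery staple')),
]

if __name__ == '__main__':
    # Feed the output to: ldapmodify -x -D 'cn=Directory Manager' -W -f users.ldif
    print(build_ldif(SAMPLE_USERS, 'dc=example,dc=com'))
```

Migration mode (ipa config-mod --enable-migration=TRUE) must be enabled while these records are applied as Directory Manager, so that the pre-hashed userPassword values are accepted and each user's Kerberos keys are generated on their first successful LDAP bind.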


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
