Hi Simo: I really appreciate your help.
>> If users authenticate by passing in a username/password combo you have
>> various options, in the sense you should be able to modify the cakePHP
>> application to recalculate a valid SHA hash and dump it into a file.

That would be great.

>> If the app db already contains a good hash that is supported by 389ds then
>> you can simply grab the hashes from there.

I believe that it does. I perused the CakePHP code and found that it used this algorithm to create the password:

    // PHP
    $salt = Configure::read('Security.salt');
    $phpPasswd = sha1($salt . $plaintext);   // same as Security::hash($plaintext, 'sha1', true)

Here is the same algorithm in Python along with an LDAP encoding using SHA. They are embedding the salt along with the password so it is not SSHA.

    # python
    import hashlib
    # RFC 2307 {SHA} values use standard base64, not the URL-safe alphabet
    from base64 import b64encode as encode
    from base64 import b64decode as decode

    salt = constantValueFromConfigFile()   # the CakePHP Security.salt string (helper name is a placeholder)
    plaintext = 'the user password'        # placeholder

    # SHA1 hash over salt . plaintext, exactly as CakePHP does it
    h = hashlib.sha1((salt + plaintext).encode('utf-8'))

    # PHP password string (40-char hex digest)
    phpPasswd = h.hexdigest()

    # LDAP password - this won't work for the userPassword field.
    ldapPasswd = '{SHA}' + encode(h.digest()).decode('ascii')   # OpenLDAP format

    # LDAP userPassword attribute format is the base64 MIME encoded version of above.
    # This is what you see when you run a command like:
    #   ldapsearch -LLL -x -w <passwd> -D 'cn=Directory Manager' \
    #       -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
    userPasswd = encode(ldapPasswd.encode('ascii')).decode('ascii')

>> Once you have hashes you can create a script that lists users in cakePHP
>> and for each of them create a new freeipa user via ipa user-add

Ok. That sounds straightforward.

>> Then you switch to migration mode and you can use another script to store
>> the hashes you collected in each user's userPassword field.

That would be perfect, but how do I switch to migration mode? Can I simply bind as the "Directory Manager" and update the userPassword field using something like ldapmodify, or is there a better way?
Is there an example of a script like this that I can look at?

>> Finally change your cakePHP app to make an ldap bind to authenticate users
>> instead of checking its own database.

Yup.

>> This procedure requires some advanced scripting ability, and minor segues
>> into firing a few ldapmodify commands with a very simple template ldif and
>> a couple substitutions. However this is a possible solution.

Yup, I really like it. I am going to give it a try. Should I use the ipalib/plugins/migration.py as a starting point, or is there a more relevant module?

Thanks,

Joe

-----Original Message-----
From: Simo Sorce [mailto:s...@redhat.com]
Sent: Monday, June 25, 2012 6:07 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
> Unfortunately, the problem I have is that I have the user data and the
> hashed password in a standalone database and I want to move it into
> FreeIPA without requiring the users to re-authenticate. I do not have
> a plaintext password and I do not have an LDAP DB. From what you and
> Mark have said, I need to find a way to emulate migration mode for my
> setup or, if possible, insert the existing hash directly in Kerberos.
> Does that make sense?

Not really.
A few questions:
- how do users authenticate to CakePHP at the moment?
- how are passwords stored in your current DB?

If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.
If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.
Once you have hashes you can create a script that lists users in cakePHP and for each of them create a new freeipa user via ipa user-add.
Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.
Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions.
However this is a possible solution.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
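Added example (not code from this thread, from CakePHP or from FreeIPA) that wires together the two passages above: Joe's CakePHP hash and Simo's three-step procedure (ipa user-add, migration mode, ldapmodify of userPassword). It also makes the caveat concrete: 389ds checks a {SHA} value against sha1(password) and an {SSHA} value against sha1(password + salt), so CakePHP's sha1(Security.salt . password) hex digest cannot simply be re-encoded; the only hash the directory can verify is one computed from the plaintext at login, which is Simo's first option. Everything below is assumed or constructed: the Security.salt value, the user rows, the captured logins, the DN layout uid=<uid>,cn=users,cn=accounts,<suffix> and the dc=example,dc=com suffix.

```python
"""Added example: convert captured CakePHP logins into 389ds {SSHA}
userPassword values plus the ipa user-add / ldapmodify inputs.

Assumptions (not stated in the thread, chosen for the example):
  * CakePHP stores sha1(Security.salt . password) as a 40-char hex string.
  * FreeIPA users live at uid=<uid>,cn=users,cn=accounts,<suffix>.
  * The patched CakePHP login handler wrote username -> plaintext pairs
    to a file; CAPTURED_LOGINS stands in for that file.
"""
import base64
import hashlib
import hmac
import os
import shlex

CAKE_SALT = "constructed-cake-salt-0123456789"   # stand-in for Security.salt
IPA_SUFFIX = "dc=example,dc=com"                # assumed FreeIPA base DN


def cake_hash(salt, plaintext):
    """CakePHP Security::hash($plaintext, 'sha1', true): hex of sha1(salt . plaintext)."""
    return hashlib.sha1((salt + plaintext).encode("utf-8")).hexdigest()


def cake_check(salt, plaintext, stored_hex):
    """Gate: only emit a directory hash for a login that CakePHP itself accepts."""
    return hmac.compare_digest(cake_hash(salt, plaintext), stored_hex.lower())


def make_sha(plaintext):
    """RFC 2307 {SHA}: base64(sha1(password)), no application salt involved."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(plaintext.encode("utf-8")).digest()).decode("ascii")


def verify_sha(plaintext, value):
    """What the directory computes when a client binds against a {SHA} userPassword."""
    if not value.startswith("{SHA}"):
        return False
    return hmac.compare_digest(base64.b64decode(value[5:]),
                               hashlib.sha1(plaintext.encode("utf-8")).digest())


def cake_hex_to_ldap_sha(hex_digest):
    """Re-encode the CakePHP hex digest as {SHA}. Syntactically fine, but it
    wraps sha1(salt + password), so a bind with the real password will fail."""
    return "{SHA}" + base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def make_ssha(plaintext, salt=None):
    """{SSHA}: base64(sha1(password + salt) + salt). The directory treats every
    byte after the 20-byte digest as the salt, so the salt length is free."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(plaintext.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(plaintext, value):
    if not value.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(value[6:])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(plaintext.encode("utf-8") + salt).digest(), digest)


def ipa_user_add_cmd(row):
    """Step 1: the `ipa user-add` command line for one CakePHP user row."""
    return shlex.join(["ipa", "user-add", row["username"],
                       "--first", row["first"], "--last", row["last"],
                       "--email", row["email"]])


def userpassword_ldif(uid, value, suffix=IPA_SUFFIX):
    """Step 3: the template LDIF for ldapmodify, one modify record per user.
    {SSHA}... is LDIF-safe ASCII, so the plain `attr: value` form suffices."""
    return (f"dn: uid={uid},cn=users,cn=accounts,{suffix}\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            f"userPassword: {value}\n")


def build_migration(rows, captured, salt=CAKE_SALT):
    """Return (ipa user-add command, ldapmodify LDIF) for every user whose
    captured login matches the CakePHP hash. Users without a verified login
    are skipped: no usable directory hash can be derived from the hex digest."""
    out = []
    for row in rows:
        plaintext = captured.get(row["username"])
        if plaintext is None or not cake_check(salt, plaintext, row["password"]):
            continue
        out.append((ipa_user_add_cmd(row),
                    userpassword_ldif(row["username"], make_ssha(plaintext))))
    return out


# Constructed sample data: two rows from the CakePHP users table and the
# plaintexts the patched login handler captured (bob's guess is wrong).
CAKE_ROWS = [
    {"username": "jdoe", "first": "Jane", "last": "Doe",
     "email": "jdoe@example.com", "password": cake_hash(CAKE_SALT, "correct horse")},
    {"username": "bob", "first": "Bob", "last": "Smith",
     "email": "bob@example.com", "password": cake_hash(CAKE_SALT, "hunter2")},
]
CAPTURED_LOGINS = {"jdoe": "correct horse", "bob": "wrong guess"}

if __name__ == "__main__":
    for cmd, ldif in build_migration(CAKE_ROWS, CAPTURED_LOGINS):
        print(cmd)
        print(ldif)
```

Step 2 of the procedure is `ipa config-mod --enable-migration=TRUE` (and `=FALSE` once done); with migration mode on, an entry that has a userPassword but no Kerberos keys gets its keys generated on the user's first successful LDAP bind, which is why the plaintext never needs to be stored anywhere. The LDIF records are fed to the directory with something like `ldapmodify -x -D 'cn=Directory Manager' -W -f users.ldif`.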