Simo Sorce wrote:
On Wed, 2013-01-02 at 18:36 +0100, Jan-Frode Myklebust wrote:
But... where do I find the LDAP passwords in IPA ? I see there's no
"userPassword" attribute on each user as I was expecting.., so where
is this hidden? And can it be compared against the SSHA from the old
directory ?

Passwords are stored in both the userPassword attribute (SHA256 hash by
deault) and the krbPrincipalKey attribute an opaque and encrypted object
containing Kerberos Keys (RC4/3DES/AES keys).
If you enabled trusts or samba integration you will also have RC4 hashes
in the sambaNTpassword or ipaNThash attributes.

None of these attributes are readable, so you will not see them. Only
'cn=Directory Manager' can retrieve them, because that account has super


Right, so you can probably tell who has migrated and already set their password in IPA by looking for users with both userPassword and krbPrincipalKey set. If just userPassword is set then they were migrated but have not set their password yet.

I don't believe there is a way to re-sync just the password entry using migrate-ds. It will skip over users already loaded. You would have to either write a small sync routine yourself or delete this subset of users from ipa and re-migrate.


Freeipa-users mailing list

Reply via email to