Simo Sorce wrote:
On Wed, 2013-01-02 at 18:36 +0100, Jan-Frode Myklebust wrote:
But... where do I find the LDAP passwords in IPA ? I see there's no
"userPassword" attribute on each user as I was expecting.., so where
is this hidden? And can it be compared against the SSHA from the old
Passwords are stored in both the userPassword attribute (SHA256 hash by
deault) and the krbPrincipalKey attribute an opaque and encrypted object
containing Kerberos Keys (RC4/3DES/AES keys).
If you enabled trusts or samba integration you will also have RC4 hashes
in the sambaNTpassword or ipaNThash attributes.
None of these attributes are readable, so you will not see them. Only
'cn=Directory Manager' can retrieve them, because that account has super
Right, so you can probably tell who has migrated and already set their
password in IPA by looking for users with both userPassword and
krbPrincipalKey set. If just userPassword is set then they were migrated
but have not set their password yet.
I don't believe there is a way to re-sync just the password entry using
migrate-ds. It will skip over users already loaded. You would have to
either write a small sync routine yourself or delete this subset of
users from ipa and re-migrate.
Freeipa-users mailing list