On 09/13/2013 12:24 PM, Simo Sorce wrote:
> On Thu, 2013-09-12 at 11:23 -0400, sergey ivanov wrote:
>> I am looking for deployment of freeIPA in our organization. We have
>> kerberos servers used for authentication on our computers and in
>> applications, while users are mostly defined in /etc/passwd.
>> For migration of user's password I have tried the way we usually do
>> replicating password changes from master kerberos server to slaves. I
>> did kdb5_util dump on old servers, transferred the dump to machine
>> running FreeIPA, and was not able to do kdb5_util load -update,
>> because of "Kerberos database constraints violated". Is there a way to
>> import into freeIPA kerberos servers dump of kerberos principals,
>> dumped by kdb5_util?
> You could *try* to do it *after* you create all users in freeipa, but I
> think you'd break something. At the very least you would break plain
> text binds as you would not generate the userPassword hash, not sure
> what else, and I cannot guarantee it really works all the way.
So the answer is no, not the way you envisioned it.
You need to get users from KDC DB. Reformat into an LDIF or just script
invocation of the ipa user-add command. You would need to set temp
passwords for users.
Users would have to change their passwords on the first login.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
Freeipa-users mailing list
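The scripted route suggested in the reply above, as an added example that is not part of the original thread: it turns a principal list plus /etc/passwd into `ipa user-add` command lines with IPA-generated temporary passwords. It assumes the principals come from `kadmin.local -q listprincs`; the realm, the sample data and the `MIN_UID` cutoff are constructed for illustration.

```python
import shlex

MIN_UID = 1000  # assumption: lower UIDs are system accounts and are not migrated

def user_principals(listprincs_output, realm):
    """Return logins for single-component principals in the given realm."""
    logins = []
    for line in listprincs_output.splitlines():
        name, _, princ_realm = line.strip().rpartition("@")
        # Service, host and admin principals contain '/'; skip them and foreign realms.
        if name and "/" not in name and princ_realm == realm:
            logins.append(name)
    return logins

def passwd_entries(passwd_text):
    """Map login -> (uid, gecos, home, shell) from /etc/passwd text."""
    entries = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries[fields[0]] = (int(fields[2]), fields[4], fields[5], fields[6])
    return entries

def ipa_user_add_commands(listprincs_output, passwd_text, realm):
    """Build one `ipa user-add` argv per user principal that has a passwd entry."""
    accounts, commands, skipped = passwd_entries(passwd_text), [], []
    for login in user_principals(listprincs_output, realm):
        if login not in accounts or accounts[login][0] < MIN_UID:
            skipped.append(login)  # no local account, or a system account
            continue
        uid, gecos, home, shell = accounts[login]
        words = gecos.split(",")[0].split()
        first = words[0] if words else login  # assumption: fall back to the login
        last = " ".join(words[1:]) or login
        # --random makes IPA generate the temporary password and print it once.
        commands.append(["ipa", "user-add", login, "--first", first, "--last", last,
                         "--uid", str(uid), "--homedir", home, "--shell", shell, "--random"])
    return commands, skipped

# Constructed sample input, not taken from the thread.
SAMPLE_PRINCS = "\n".join(["K/M@EXAMPLE.COM", "kadmin/admin@EXAMPLE.COM",
                           "host/ws1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM",
                           "bob@EXAMPLE.COM", "carol@EXAMPLE.COM", "root@EXAMPLE.COM"])
SAMPLE_PASSWD = "\n".join(["root:x:0:0:root:/root:/bin/bash",
                           "alice:x:1001:1001:Alice Smith,,,:/home/alice:/bin/bash",
                           "bob:x:1002:1002::/home/bob:/bin/sh"])

if __name__ == "__main__":
    cmds, skipped = ipa_user_add_commands(SAMPLE_PRINCS, SAMPLE_PASSWD, "EXAMPLE.COM")
    print("\n".join(shlex.join(c) for c in cmds))
    print("# review by hand:", ", ".join(skipped))
```

Review the generated commands and the skipped list before running anything; each temporary password appears once in the `ipa user-add` output and has to reach its user over a trusted channel.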