On Thu, 06 Nov 2014, Andreas Ladanyi wrote:
> Hi,
>
> I migrated user data with the ipa migrate-ds script without problems.
> The users in the old OpenLDAP don't have a userPassword and only the
> Kerberos principal from the local KRB DB was used for authentication.
> After migration FreeIPA doesn't have a userPassword and there is no
> Kerberos hash.
>
> Now I tried out the /ipa/migration webpage and want to set a
> userPassword/Kerberos hash for a user in FreeIPA. The result was the
> error message that I entered the wrong password and/or username.
>
> Now my question is: what is the requirement for the migration webpage to
> work? The documentation says that the migration webpage takes a cleartext
> password and generates the Kerberos hash. Does the migration page need a
> userPassword entry?

/ipa/migration page expects that you have a password hash in
userPassword attribute set but no Kerberos hashes. It binds to LDAP
server using the password user entered on the page and then IPA's plugin
performs generation of Kerberos hashes as part of LDAP BIND operation.

> I tried resetting the password of a user in the WebUI, and the
> migration webpage works with this password from the manual password reset?!

When you reset the password, all hashes (including Kerberos ones) are
generated and then user can change the password either through main
login page or the migration page.

--
/ Alexander Bokovoy
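
Added example, not part of the original thread and not FreeIPA code: a sketch that sorts migrated users by which hashes their entries carry, following the rule described in the reply above (userPassword present but no Kerberos key means the migration page can work; neither present means a password reset is needed first). It assumes an LDIF export taken with enough privilege to read userPassword and krbPrincipalKey; the sample DNs, hash values and category labels are constructed for illustration.

```python
"""Classify migrated users by the password hashes present in an LDIF export."""

# Constructed sample LDIF; DNs, uids and hash blobs are made up.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5LWJs
 b2I=
"""

def parse_ldif(text):
    """Yield one {lowercased-attribute: [values]} dict per LDIF entry."""
    entry, logical = {}, []
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # unfold a continuation line
        elif raw.startswith("#"):
            continue                          # LDIF comment
        elif raw.strip():
            logical.append(raw)
        else:                                 # blank line ends the entry
            for line in logical:
                name, _, value = line.partition(":")
                entry.setdefault(name.lower(), []).append(value.lstrip(": "))
            if entry:
                yield entry
            entry, logical = {}, []

def classify(entry):
    """Hypothetical labels for the three cases discussed in the thread."""
    if entry.get("krbprincipalkey"):
        return "kerberos-ready"      # Kerberos hashes already generated
    if entry.get("userpassword"):
        return "migration-page"      # LDAP bind can succeed, plugin adds Kerberos hashes
    return "needs-reset"             # nothing to bind against; reset the password first

def report(ldif_text):
    """Map each uid in the export to its classification."""
    return {e["uid"][0]: classify(e) for e in parse_ldif(ldif_text) if "uid" in e}

if __name__ == "__main__":
    for uid, state in report(SAMPLE_LDIF).items():
        print(f"{uid}: {state}")
```
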
