I’m looking for an example sssd.conf migrationconfiguration that will allow for 
the user to seamlessly authenticate to LDAP or freeIPA prior to installation of 
the freeipa client. 

This would be during migration to generate kerberos hashes for each user while 
still providing legacy LDAP support until migration can be completed. Hopefully 
with minimal changes to our existing sssd.conf file. 

Hinted at here: 
( Migration Sequence - 

and here: 

The redhat documentation describes  
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Migrating_from_a_Directory_Server_to_IPA.html Method 3: Using SSSD (Recommended)

SSSD can work with IdM to mitigate the user impact on migrating by generating 
the required user keys. For deployments with a lot of users or where users 
shouldn't be burdened with password changes, this is the best scenario.
        • A user tries to log into a machine with SSSD.
        • SSSD attempts to perform Kerberos authentication against the IdM 
        • Even though the user exists in the system, the authentication will 
fail with the error key type is not supported because the Kerberos hashes do 
not yet exist.
        • SSSD then performs a plain text LDAP bind over a secure connection.
        • IdM intercepts this bind request. If the user has a Kerberos 
principal but no Kerberos hashes, then the IdM identity provider generates the 
hashes and stores them in the user entry.
        • If authentication is successful, SSSD disconnects from IdM and tries 
Kerberos authentication again. This time, the request succeeds because the hash 
exists in the entry.
That entire process is entirely transparent to the user; as far as users known, 
they simply log into a client service and it works as normal.

Specifically, the way SSSD behaves is as follows: 
1) Try to authenticate with Kerberos. If Kerberos responds that there's no hash 
for this user, 
2) Ask FreeIPA if migration mode is enabled, if it is, 
3) Try to bind to FreeIPA LDAP using the same password. If this succeeds, we 
know that the password is valid 
4) Initiate a kerberos password-change to set the kerberos password equal to 
the LDAP password.

Thanks for your help!

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to