Hello everyone,

As I explained you some time ago, I have been skirting the ipa's
limitation to setting pre-hashed passwords by using ldappasswd. (I know
you guys think it's wrong. In this case the hashes come from an other
ldap which, for intern reasons, we can not synchronize with otherwise
than by frequent ldif extractions. So it's the only solution to have
unified passwords)

To have the kerberos key generated, I can ask the users to do an
ldapsearch or to ssh on a machine with sssd enabled.
Yet, as most users will mainly want to use the WebUi, I am looking for a
way to have them able to connect to it without needing to do an
ldapsearch first.

To be precise, I set the userPassword field using ldappasswd, and delete
the krbprincipalkey.

Do you see any way to make the webui directly authenticable ?

Sebastien Julliot.

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to