[Freeipa-users] Re: What does migration mode actually do?

2018-03-12 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote:
>> On 09/03/2018 09:13, Florence Blanc-Renaud wrote:
>>> On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
>>>> Hi
>>>>
>>>> I'm using migration mode (ipa config-mod --enable-migration=true) to
>>>> help migrate from one freeipa instance to another.
>>>>
>>>> I wasn't able to find any docs on what enabling migration mode
>>>> actually does, exactly.
>>>>
>>>> Can anyone supply details please?
>>>>
>>>> Thanks.
>>>>
>>>> Roderick Johnstone
>>>> ___
>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to
>>>> freeipa-users-le...@lists.fedorahosted.org
>>>
>>> Hi,
>>>
>>> the migration mode allows to add an entry with a pre-hashed password.
>>>
>>> When this mode is disabled, this operation would be refused because
>>> IPA needs a clear-text password in order to run password policy
>>> checks and generate kerberos keys.
>>>
>>> HTH,
>>> Flo
>>
>> Hi Flo
>>
>> So, why wouldn't you want to have that enabled all the time.
>>
>> ie are there any other consequences of having this enabled.
>>
> 
> When migration mode is enabled, the ldap server accepts to modify a
> password using a pre-hashed value (the userPassword attribute of the
> user entry). As the value is not clear-text, it is not possible to run
> password policy checks (for instance does it contain enough characters,
> was it already in the password history...) => not as secure as the
> sysadmin intended.
> 
> The second issue is that the kerberos keys (stored in the
> krbprincipalkey of the user attribute) cannot be generated from a hash
> value, the algorithm needs a clear value. As a consequence, kerberos
> authentication would not succeed because it is based on krbprincipalkey.
> 
> This is why the migration procedure requires to instruct users to login
> to the migration web page, so that they enter a new password that will
> re-generate their kerberos keys (see step 10 in [1]).
> 
> Hope this clarifies,
> Flo
> 
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/mig-ldap-to-idm

SSSD also checks this value and will authenticate over LDAP then set the
Kerberos credentials. This is similar in practice to using the web page
but without requiring user intervention. Without this flag enabled,
having only an LDAP password will fail authentication.

rob
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
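The thread explains that an entry migrated with a pre-hashed userPassword has no krbPrincipalKey until the user re-enters a password, and that migration mode should not stay enabled. The following is an added example, not code from this thread or from the FreeIPA project, of the check an administrator would run over an LDIF export after a migration: it lists users who still lack Kerberos keys and reports whether the migration flag is still on. It assumes the flag is stored in the ipaMigrationEnabled attribute of cn=ipaConfig (taken from the FreeIPA schema, not from this thread), that the export was taken with a bind allowed to read krbPrincipalKey (otherwise every user looks key-less), and uses a constructed sample LDIF with placeholder hash and key values.

```python
"""Audit a FreeIPA LDIF export for users migrated with a pre-hashed
userPassword who still have no Kerberos keys (krbPrincipalKey).

Added example, not code from the thread or from FreeIPA. Assumptions:
the migration flag lives in the ipaMigrationEnabled attribute of
cn=ipaConfig (from the FreeIPA schema) and the export was taken with a
bind that is allowed to read krbPrincipalKey; otherwise every user
looks key-less and the report is all false positives.
"""
import base64
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries are separated by blank lines, a line
    starting with a space continues the previous one, and 'attr:: value'
    carries a base64 value. Attribute names are lower-cased because LDAP
    matches them case-insensitively; binary values are decoded as latin-1
    so they survive as str without raising."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("latin-1")
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def migration_enabled(entries: List[Entry]) -> Optional[bool]:
    """True/False from ipaMigrationEnabled, or None if the config entry
    is not in the export."""
    for e in entries:
        if "ipamigrationenabled" in e:
            return e["ipamigrationenabled"][0].upper() == "TRUE"
    return None


def users_without_kerberos_keys(entries: List[Entry]) -> List[str]:
    """DNs of posixAccount entries that carry a userPassword hash but no
    krbPrincipalKey: these users can bind over LDAP (and, with migration
    mode on, be re-keyed by SSSD or the migration page) but cannot get a
    Kerberos ticket until they re-enter a password."""
    return [
        e["dn"][0]
        for e in entries
        if "posixaccount" in {v.lower() for v in e.get("objectclass", [])}
        and "userpassword" in e
        and "krbprincipalkey" not in e
    ]


# Constructed sample export: one config entry, one user migrated with only
# a password hash, one user who has already re-keyed.
_HASH = "{SSHA}" + base64.b64encode(b"constructed-placeholder-hash").decode()
_KEYBLOB = base64.b64encode(b"constructed-placeholder-keyblob").decode()
SAMPLE_LDIF = f"""dn: cn=ipaConfig,cn=etc,dc=example,dc=test
objectClass: ipaGuiConfig
ipaMigrationEnabled: TRUE

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: alice
description: migrated from the legacy LDAP
  server, Kerberos keys not yet generated
userPassword: {_HASH}

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: krbPrincipalAux
uid: bob
userPassword: {_HASH}
krbPrincipalKey:: {_KEYBLOB}
"""


def report(ldif_text: str) -> str:
    """Human-readable summary: flag state plus every user still to re-key."""
    entries = parse_ldif(ldif_text)
    lines = [f"migration mode enabled: {migration_enabled(entries)}"]
    for dn in users_without_kerberos_keys(entries):
        lines.append(f"no krbPrincipalKey: {dn}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LDIF))
```

Run it against a real export (for example the output of an ldapsearch of the users container plus cn=ipaConfig, saved as LDIF) in place of SAMPLE_LDIF; once the list of key-less users is empty, the migration flag can be turned back off, which is the state the thread recommends.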


[Freeipa-users] Re: What does migration mode actually do?

2018-03-09 Thread Florence Blanc-Renaud via FreeIPA-users

> On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote:

>> On 09/03/2018 09:13, Florence Blanc-Renaud wrote:

>>> On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
>>>
>>> Hi
>>>
>>> I'm using migration mode (ipa config-mod --enable-migration=true) to
>>> help migrate from one freeipa instance to another.
>>>
>>> I wasn't able to find any docs on what enabling migration mode
>>> actually does, exactly.
>>>
>>> Can anyone supply details please?
>>>
>>> Thanks.
>>>
>>> Roderick Johnstone


>> Hi,
>>
>> the migration mode allows to add an entry with a pre-hashed password.
>>
>> When this mode is disabled, this operation would be refused because
>> IPA needs a clear-text password in order to run password policy checks
>> and generate kerberos keys.
>>
>> HTH,
>> Flo


> Hi Flo
>
> So, why wouldn't you want to have that enabled all the time.
>
> ie are there any other consequences of having this enabled.



When migration mode is enabled, the ldap server accepts to modify a 
password using a pre-hashed value (the userPassword attribute of the 
user entry). As the value is not clear-text, it is not possible to run 
password policy checks (for instance does it contain enough characters, 
was it already in the password history...) => not as secure as the 
sysadmin intended.


The second issue is that the kerberos keys (stored in the 
krbprincipalkey of the user attribute) cannot be generated from a hash 
value, the algorithm needs a clear value. As a consequence, kerberos 
authentication would not succeed because it is based on krbprincipalkey.


This is why the migration procedure requires to instruct users to login 
to the migration web page, so that they enter a new password that will 
re-generate their kerberos keys (see step 10 in [1]).


Hope this clarifies,
Flo

[1] 
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/mig-ldap-to-idm

> Thanks.
>
> Roderick


[Freeipa-users] Re: What does migration mode actually do?

2018-03-09 Thread Roderick Johnstone via FreeIPA-users

> On 09/03/2018 09:13, Florence Blanc-Renaud wrote:

>> On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
>>
>> Hi
>>
>> I'm using migration mode (ipa config-mod --enable-migration=true) to
>> help migrate from one freeipa instance to another.
>>
>> I wasn't able to find any docs on what enabling migration mode
>> actually does, exactly.
>>
>> Can anyone supply details please?
>>
>> Thanks.
>>
>> Roderick Johnstone


> Hi,
>
> the migration mode allows to add an entry with a pre-hashed password.
>
> When this mode is disabled, this operation would be refused because IPA
> needs a clear-text password in order to run password policy checks and
> generate kerberos keys.
>
> HTH,
> Flo


Hi Flo

So, why wouldn't you want to have that enabled all the time.

ie are there any other consequences of having this enabled.

Thanks.

Roderick


[Freeipa-users] Re: What does migration mode actually do?

2018-03-09 Thread Florence Blanc-Renaud via FreeIPA-users

> On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:

> Hi
>
> I'm using migration mode (ipa config-mod --enable-migration=true) to
> help migrate from one freeipa instance to another.
>
> I wasn't able to find any docs on what enabling migration mode actually
> does, exactly.
>
> Can anyone supply details please?
>
> Thanks.
>
> Roderick Johnstone


Hi,

the migration mode allows to add an entry with a pre-hashed password.

When this mode is disabled, this operation would be refused because IPA 
needs a clear-text password in order to run password policy checks and 
generate kerberos keys.


HTH,
Flo