Re: [Freeipa-users] Migrating passwd files etc into free-ipa

2010-09-27 Thread Steven Jones
Hi,

Thanks...

Re: your comment...However I will re-direct you to one of the core ideas I 
thought was behind FreeIPA: to make it easy for the end user to deploy and 
use? 

In my situation I have hundreds of users, over 2 hundred RHEL servers and 
probably shortly a pile of workstations...I have no experience/knowledge 
with any centralised system, LDAP, AD etc and zero programming capability 
beyond bash scripting, no money and no time...so this is actually VERY 
technically challenging for me ESPECIALLY with a management that are all 
Windows trained and are used to typing dcpromo and job done with no cost and 
would happily rip out RedHat to save money at the drop of a hat if they could.

Redhat I assume wants to sell this into the enterprise?, in version RHEL 6.1?  
this is certainly what our friendly RH architect tells us...He recommended we 
try freeIPA, I will feed back to him.

So please don't under-estimate the value of migration tools.  For you, sure, it's 
technically easy, for me at the bottom of the identity management ladder, I 
have a huge setup, so it's close to impossible.

You don't deploy this as a one-off in the real world or day to day?

So anyway I used the existing padl tools and oh, that didn't work...easy would 
have been...it worked.

It's very simple, vendors who want to sell their [alternative] product into the 
market place have to supply a migration tool from the competition's product or 
there won't be a deal

regards

Steven
bcc MW.


From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 28 September 2010 4:30 a.m.
To: Steven Jones
Cc: Dmitri Pal; freeipa-users
Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

Steven Jones wrote:
 Ok,

 So lets avoid the passwords

 Is there an automatic / scripted way to import the passwd file so I get the 
 UID's, GID's etc into ipa?

We have generally left this as an exercise for the end-user because it
isn't a technically difficult problem. It is more a policy and config
problem.

Attached is a simple demonstration of doing this using IPA command-line.
The tricky part is dealing with names. There is no universal way of
getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob


 regards

 Steven Jones Technical Specialist Linux/Vmware
 Tele 64 4 463 6272
 Victoria University
 Kelburn
 New Zealand


 -Original Message-
 From: Dmitri Pal [mailto:d...@redhat.com]
 Sent: Friday, 24 September 2010 11:18 p.m.
 To: Steven Jones
 Cc: freeipa-users
 Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa

 Steven Jones wrote:
 Is there a method to do this?

 I tried to use LdapImport.pl from the 389 project and this failed

 Giving me all # = entry not added to destination (other error)

 Possibly the password criteria in freeipa is too strong?

 How can I disable this feature?

 or is there another way to import?


 Migration of the passwords is a tough problem.
 The issue is that the passwords in the local files are hashed using
 simple hash algorithm while in IPA they are hashed to create kerberos keys.
 Converting from one to another without knowing clear password is not
 possible. If you already have an LDAP server with password you can take
 advantage of our LDAP migration schemes but if you have local files this
 will be a challenge.
 For migrating from LDAP case you can load your users into the IPA and
 then configure SSSD to use migration mode on the client or you can
 instruct users to go to a special migration web page. In both cases you
 already have the password hashed in the LDAP format in the IPA so SSSD
 or Migration page will capture the cleartext password and pass it to IPA
 so that it can use it to generate the Kerberos hashes.

 A quick search around migrating passwords from flat files to LDAP showed
 that it is in some cases possible (if the hash that is used by the flat
 file is supported by the DS server, but tricky).
 We do not have any aid here so it is simpler to reset the password. If
 this is not an option, as far as I understand you need to create user
 accounts first with some password and then overwrite the password
 attribute in the LDAP with the properly decorated hash taken from the
 password file. And after that you still need the kerberos keys for IPA
 to work so you still need to use Migration page or SSSD. It might be
 less trouble just to bite the bullet and reset passwords as you migrate
 to IPA.

 Thanks
 Dmitri

 regards


 Steven Jones Technical Specialist Linux/Vmware
 Tele 64 4 463 6272
 Victoria University
 Kelburn
 New Zealand

 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users
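
The attachment mentioned in the reply above is not preserved on this page. As an added example (not the attached script and not FreeIPA project code), this sketch turns passwd lines into `ipa user-add` argument lists, carrying over UID, GID, home directory and shell, ignoring the password field, and skipping entries without a gecos. The sample data, the `MIN_UID` cut-off, the login pattern and the first-word/remainder name split are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample input for illustration; not taken from the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jsmith:x:1001:1001:John Smith,Room 12,555-0100:/home/jsmith:/bin/bash
mvdberg:x:1002:1002:Maria van den Berg:/home/mvdberg:/bin/zsh
backup1:x:1003:1003::/home/backup1:/bin/sh
cher:x:1004:1004:Cher:/home/cher:/bin/bash
-evil:x:1005:1005:Bad Name:/home/x:/bin/sh
"""

LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")  # assumed login policy
NUM_RE = re.compile(r"^[0-9]+$")
MIN_UID = 1000  # assumption: lower UIDs are local system accounts


def passwd_to_user_add(line, min_uid=MIN_UID):
    """Return an `ipa user-add` argv list for one passwd line, or None to skip."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    login, _password, uid, gid, gecos, home, shell = fields  # password is never used
    if not LOGIN_RE.match(login) or not NUM_RE.match(uid) or not NUM_RE.match(gid):
        return None  # also rejects logins starting with "-" (would parse as an option)
    if int(uid) < min_uid:
        return None
    full_name = gecos.split(",")[0].strip()  # gecos sub-fields are comma separated
    if not full_name:
        return None  # entries without a gecos are skipped
    first, _, last = full_name.partition(" ")
    last = last.strip() or first  # assumption: reuse a single-word name as last name
    return [
        "ipa", "user-add", login, f"--first={first}", f"--last={last}",
        f"--uid={uid}", f"--gidnumber={gid}",
        f"--homedir={home}", f"--shell={shell}", f"--gecos={full_name}",
    ]


def plan(passwd_text):
    """Return shell-quoted command lines to review before running any of them."""
    cmds = []
    for line in passwd_text.splitlines():
        argv = passwd_to_user_add(line)
        if argv:
            cmds.append(shlex.join(argv))
    return cmds
```

Printing `plan(SAMPLE_PASSWD)` gives a reviewable list of commands; building each one as an argument list and quoting it with `shlex.join` keeps gecos contents from being interpreted by the shell.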





[Freeipa-users] Migrating passwd files etc into free-ipa

2010-09-23 Thread Steven Jones
Is there a method to do this?

I tried to use LdapImport.pl from the 389 project and this failed

Giving me all # = entry not added to destination (other error)

Possibly the password criteria in freeipa is too strong?

How can I disable this feature?

or is there another way to import?

regards 


Steven Jones Technical Specialist Linux/Vmware
Tele 64 4 463 6272
Victoria University
Kelburn
New Zealand
