Re: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
Hi,

On Thu, Sep 8, 2011 at 21:20, Simo Sorce wrote:
> On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote:
>> > On 09/07/2011 02:45 PM, Dan Scott wrote:
>> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> >> migration, the script says:
>> >>
>> >> "Passwords have been migrated in pre-hashed format.
>> >> IPA is unable to generate Kerberos keys unless provided
>> >> with clear text passwords. All migrated users need to
>> >> login at https://your.domain/ipa/migration/ before they
>> >> can use their Kerberos accounts."
>> >>
>> >> I have some users who are authenticated via LDAP. Also I have a Java
>> >> application which allows them to change their password using LDAP.
>> >> Will existing passwords continue to work when using LDAP
>> >> authentication/password changes? It is only Kerberos authentication
>> >> which requires users to re-login on this special page?
>> >>
>> >
>> > If you update the password via LDAP using bind over SSL so that server
>> > has the password in clear the new Kerberos hashes will be generated
>> > automatically and kerberos will become usable for these users once again.
>> >
>> > Also SSSD has a nice feature to migrate user passwords. Read more about
>> > it in the SSSD docs.
>>
>> Excellent, thanks for the response. The LDAP bind must be over SSL,
>> correct? When not using SSL, I get:
>>
>> "javax.security.auth.login.LoginException:
>> javax.security.auth.login.LoginException: LDAP bind failed for
>> uid=djscott,cn=users,cn=compat,dc=..."
>>
>> When using LDAPS, I get:
>>
>> "Exception in LdapRealm when trying to authenticate user.
>> javax.security.auth.login.LoginException:
>> javax.naming.CommunicationException: anonymous bind failed:
>> kelvin.example.com:636 [Root exception is
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target]"
>>
>> So I guess I need to add a FreeIPA certificate into my Glassfish
>> keystore. Does this sound right? Should I create a certificate for my
>> service?:
>>
>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>>
>> Or should I be adding the CA of my FreeIPA installation?
>
> You need to add and trust the FreeIPA CA certificate to your glassfish
> CA cert store.

Thanks, I'm getting closer. I now receive the "LDAP bind failed for"
message when attempting LDAPS authentication. Is there a way I can test
LDAPS authentication from the command line?

Dan

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
> Hi,
>
> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote:
> > On 09/07/2011 02:45 PM, Dan Scott wrote:
> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> >> migration, the script says:
> >>
> >> "Passwords have been migrated in pre-hashed format.
> >> IPA is unable to generate Kerberos keys unless provided
> >> with clear text passwords. All migrated users need to
> >> login at https://your.domain/ipa/migration/ before they
> >> can use their Kerberos accounts."
> >>
> >> I have some users who are authenticated via LDAP. Also I have a Java
> >> application which allows them to change their password using LDAP.
> >> Will existing passwords continue to work when using LDAP
> >> authentication/password changes? It is only Kerberos authentication
> >> which requires users to re-login on this special page?
> >>
> >
> > If you update the password via LDAP using bind over SSL so that server
> > has the password in clear the new Kerberos hashes will be generated
> > automatically and kerberos will become usable for these users once again.
> >
> > Also SSSD has a nice feature to migrate user passwords. Read more about
> > it in the SSSD docs.
>
> Excellent, thanks for the response. The LDAP bind must be over SSL,
> correct? When not using SSL, I get:
>
> "javax.security.auth.login.LoginException:
> javax.security.auth.login.LoginException: LDAP bind failed for
> uid=djscott,cn=users,cn=compat,dc=..."
>
> When using LDAPS, I get:
>
> "Exception in LdapRealm when trying to authenticate user.
> javax.security.auth.login.LoginException:
> javax.naming.CommunicationException: anonymous bind failed:
> kelvin.example.com:636 [Root exception is
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]"
>
> So I guess I need to add a FreeIPA certificate into my Glassfish
> keystore. Does this sound right? Should I create a certificate for my
> service?:
>
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>
> Or should I be adding the CA of my FreeIPA installation?

You need to add and trust the FreeIPA CA certificate to your glassfish
CA cert store.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
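Dan's question above (how to test LDAPS authentication from the command line) and Simo's answer (trust the FreeIPA CA in the Glassfish cert store) both come down to the same two checks: does the client trust the CA that issued the directory server's certificate, and does a simple bind as the user succeed once it does. The script below is an added example written for this page; it is not code from the thread, from Glassfish or from the FreeIPA project. It assumes the FreeIPA CA certificate is at /etc/ipa/ca.crt (the path FreeIPA clients use), guesses a typical Glassfish domain truststore path, reuses the host name from the thread, and constructs a base DN because the thread elides it. The last two functions classify the Java exception text quoted in the thread so a practitioner can tell a trust failure from a refused bind without reading the whole stack trace.

```shell
#!/bin/sh
# Added example: command-line checks for LDAPS against FreeIPA, plus a
# triage helper for the Glassfish LdapRealm error text seen in the thread.
# Not code from the thread or from FreeIPA/Glassfish.

IPA_CA="${IPA_CA:-/etc/ipa/ca.crt}"                # assumed: FreeIPA CA cert path on clients
LDAP_HOST="${LDAP_HOST:-kelvin.example.com}"       # server named in the thread
BASE_DN="${BASE_DN:-dc=example,dc=com}"            # constructed: the thread shows only "dc=..."
GF_TRUSTSTORE="${GF_TRUSTSTORE:-/opt/glassfish3/glassfish/domains/domain1/config/cacerts.jks}"  # assumed path

# 1. Does the server's certificate chain validate against the IPA CA?
#    A non-zero "Verify return code" is the same trust failure the Java
#    "PKIX path building failed" message reports, seen from OpenSSL instead.
ldaps_chain_check() {
  openssl s_client -connect "$LDAP_HOST:636" -CAfile "$IPA_CA" </dev/null 2>/dev/null \
    | grep 'Verify return code'
}

# 2. Simple bind over LDAPS as the user, with CA verification enforced
#    (LDAPTLS_REQCERT=demand refuses an untrusted server instead of
#    silently continuing). The DN is the user's real entry under
#    cn=accounts, which is where FreeIPA stores user objects; on success
#    ldapwhoami prints the identity the server bound you as.
ldaps_bind_check() {
  LDAPTLS_CACERT="$IPA_CA" LDAPTLS_REQCERT=demand \
    ldapwhoami -x -H "ldaps://$LDAP_HOST:636" \
      -D "uid=$1,cn=users,cn=accounts,$BASE_DN" -W
}

# 3. Trust the IPA CA in the Glassfish domain truststore so LdapRealm can
#    build a PKIX path to the directory server's certificate. keytool
#    prompts for the truststore password.
glassfish_trust_ipa_ca() {
  keytool -importcert -trustcacerts -noprompt -alias ipa-ca \
    -file "$IPA_CA" -keystore "$GF_TRUSTSTORE"
}

# 4. Which layer failed? Order matters: the LDAPS failure quoted in the
#    thread names CommunicationException, SSLHandshakeException and the
#    PKIX error at once, and the PKIX text is the root cause.
classify_ldap_error() {
  case "$1" in
    *"PKIX path building failed"*) echo truststore ;;
    *SSLHandshakeException*)       echo tls ;;
    *"LDAP bind failed for"*)      echo bind ;;
    *CommunicationException*)      echo transport ;;
    *)                             echo unknown ;;
  esac
}

# Human-readable next step for each classification.
explain_ldap_error() {
  case "$(classify_ldap_error "$1")" in
    truststore) echo "Java does not trust the server's CA: import the FreeIPA CA (glassfish_trust_ipa_ca)." ;;
    tls)        echo "TLS handshake failed for a reason other than trust: compare with ldaps_chain_check." ;;
    bind)       echo "The connection worked but the server refused this DN/password: reproduce with ldaps_bind_check using the same DN." ;;
    transport)  echo "Could not reach the LDAP port: check host name, port 636 and any firewall." ;;
    *)          echo "Unrecognised error text." ;;
  esac
}
```

Typical use is to source the file and run `ldaps_chain_check` first, then `ldaps_bind_check djscott`; if the chain check fails, the Java side will fail the same way no matter what the bind DN is, so fixing trust before chasing bind errors saves time. Paste the exception text from the Glassfish log into `explain_ldap_error` to get the same ordering of checks.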
Re: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
Hi,

On Wed, Sep 7, 2011 at 14:59, Dmitri Pal wrote:
> On 09/07/2011 02:45 PM, Dan Scott wrote:
>> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> migration, the script says:
>>
>> "Passwords have been migrated in pre-hashed format.
>> IPA is unable to generate Kerberos keys unless provided
>> with clear text passwords. All migrated users need to
>> login at https://your.domain/ipa/migration/ before they
>> can use their Kerberos accounts."
>>
>> I have some users who are authenticated via LDAP. Also I have a Java
>> application which allows them to change their password using LDAP.
>> Will existing passwords continue to work when using LDAP
>> authentication/password changes? It is only Kerberos authentication
>> which requires users to re-login on this special page?
>>
>
> If you update the password via LDAP using bind over SSL so that server
> has the password in clear the new Kerberos hashes will be generated
> automatically and kerberos will become usable for these users once again.
>
> Also SSSD has a nice feature to migrate user passwords. Read more about
> it in the SSSD docs.

Excellent, thanks for the response. The LDAP bind must be over SSL,
correct? When not using SSL, I get:

"javax.security.auth.login.LoginException:
javax.security.auth.login.LoginException: LDAP bind failed for
uid=djscott,cn=users,cn=compat,dc=..."

When using LDAPS, I get:

"Exception in LdapRealm when trying to authenticate user.
javax.security.auth.login.LoginException:
javax.naming.CommunicationException: anonymous bind failed:
kelvin.example.com:636 [Root exception is
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]"

So I guess I need to add a FreeIPA certificate into my Glassfish
keystore. Does this sound right? Should I create a certificate for my
service?:

https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service

Or should I be adding the CA of my FreeIPA installation?

Thanks,

Dan
Re: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
Dan Scott wrote:
> Hi,
>
> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> migration, the script says:
>
> "Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts."
>
> I have some users who are authenticated via LDAP. Also I have a Java
> application which allows them to change their password using LDAP.
> Will existing passwords continue to work when using LDAP
> authentication/password changes? It is only Kerberos authentication
> which requires users to re-login on this special page?
>
> Thanks,
>
> Dan

That is correct. When the user authenticates to this special page (sssd
can also handle this) then Kerberos credentials are generated for the
user.

rob
Re: [Freeipa-users] Migration to FreeIPA 2 - password update via LDAP
On 09/07/2011 02:45 PM, Dan Scott wrote:
> Hi,
>
> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> migration, the script says:
>
> "Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts."
>
> I have some users who are authenticated via LDAP. Also I have a Java
> application which allows them to change their password using LDAP.
> Will existing passwords continue to work when using LDAP
> authentication/password changes? It is only Kerberos authentication
> which requires users to re-login on this special page?
>

If you update the password via LDAP using bind over SSL so that server
has the password in clear the new Kerberos hashes will be generated
automatically and kerberos will become usable for these users once again.

Also SSSD has a nice feature to migrate user passwords. Read more about
it in the SSSD docs.

> Thanks,
>
> Dan

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/