On 11/04/2016 03:09 PM, Sebastien Julliot wrote: > Hello everyone, > > As I explained you some time ago, I have been skirting the ipa's > limitation to setting pre-hashed passwords by using ldappasswd. (I know > you guys think it's wrong. In this case the hashes come from an other > ldap which, for intern reasons, we can not synchronize with otherwise > than by frequent ldif extractions. So it's the only solution to have > unified passwords) > > To have the kerberos key generated, I can ask the users to do an > ldapsearch or to ssh on a machine with sssd enabled. > Yet, as most users will mainly want to use the WebUi, I am looking for a > way to have them able to connect to it without needing to do an > ldapsearch first. > > To be precise, I set the userPassword field using ldappasswd, and delete > the krbprincipalkey. > > Do you see any way to make the webui directly authenticable ? > > Thanks, > Sebastien Julliot. >
Not sure what you want exactly. But if you want users to do simple ldap bind with username and password and nothing else then they can use migration page: https://ipa.demo1.freeipa.org/ipa/migration/index.html -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project