Re: [Freeipa-users] userPassword change with ldif

2010-09-16 Thread James Roman



On 09/15/2010 10:14 PM, Rob Crittenden wrote:

> As Dmitri said, the problem is that kerberos uses a different password
> attribute than LDAP. For passwords set within IPA we capture password
> changes from both LDAP and kerberos and keep the two in sync.
>
> When you migrate just the LDAP password you need some mechanism to
> authenticate the user and reset the password, therefore creating the
> kerberos credentials and starting to keep the two in sync.
>
> Off the top of my head, you may be able to do something in v1 with a
> little bit of work:
>
> - When you load users via ldif add the krbPrincipalAux objectclass and
> set krbprincipalname to u...@realm.
> - Write a simple web page that uses LDAP authentication. On the page
> itself prompt for a new password and use the LDAP protocol to change
> the password (this is pretty standard stuff).
> - This should, in theory, add the kerberos credentials.

I can confirm that using an LDAP password reset function will sync both
the LDAP and Kerberos passwords. If using a Perl website, be sure to use
Net::LDAP::Extension::SetPassword. This is critical if your FreeIPA
server is connected to an Active Directory server. Methods where you insert
a pre-hashed value into the LDAP directory can't be propagated to the
Windows Domain.


> It should be pretty easy to verify using ldappasswd. If you get
> credentials by resetting the password with that then it should work
> using the more complex web-based procedure I outlined.
>
> Actually, when you load your users via LDIF be sure to configure them
> using the same objectclasses we use to ensure that the IPA framework
> is going to see them as IPA users. You'll need to adhere to our tree
> structure as well.
>
> rob
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




Re: [Freeipa-users] userPassword change with ldif

2010-09-15 Thread Rob Crittenden

Dmitri Pal wrote:

> Doug Chapman wrote:
>
>> I'm working on migrating from SunDS to IPA and I've got everything
>> moved over, but I'm having some issues with userPassword.  I'd like
>> users to be able to connect with their existing passwords and set and
>> force a password expiration after our transition is done.
>>
>> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
>> works in IPA, but when I try to use kinit u...@realm it is failing
>> with an 'invalid password'.
>>
>> I've looked through the schema and can't find a separate 'krbPassword'
>> entry, can someone clarify for me why this is failing?
>>
>> Is there another place where the password is stored besides userPassword ?
>
> The user password in IPA is not a simple hash.  If you create a user in
> IPA and set his password this user will get a kerberos hash not a DS
> hash. So the problem you are facing is the problem of migrating
> passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
> much as we think it can be solved) in v2.
> In v2 there are two options:
> 1) You can instruct users to go to a special URL and pass the
> authentication there. The authentication against that page will allow
> IPA server to capture user password and generate the appropriate kerberos hash
> 2) Using SSSD as a client. SSSD has special logic that allows it to
> handle this case behind the scenes. When user logs in and SSSD and IPA
> are configured in migration mode then SSSD will do everything
> automatically.
>
> What is the version of IPA you are using? Would either of the two options
> work for you?


As Dmitri said, the problem is that kerberos uses a different password 
attribute than LDAP. For passwords set within IPA we capture password 
changes from both LDAP and kerberos and keep the two in sync.


When you migrate just the LDAP password you need some mechanism to 
authenticate the user and reset the password, therefore creating the 
kerberos credentials and starting to keep the two in sync.


Off the top of my head, you may be able to do something in v1 with a 
little bit of work:


- When you load users via ldif add the krbPrincipalAux objectclass and 
set krbprincipalname to u...@realm.
- Write a simple web page that uses LDAP authentication. On the page 
itself prompt for a new password and use the LDAP protocol to change the 
password (this is pretty standard stuff).

- This should, in theory, add the kerberos credentials.

It should be pretty easy to verify using ldappasswd. If you get 
credentials by resetting the password with that then it should work 
using the more complex web-based procedure I outlined.


Actually, when you load your users via LDIF be sure to configure them 
using the same objectclasses we use to ensure that the IPA framework is 
going to see them as IPA users. You'll need to adhere to our tree 
structure as well.


rob

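Rob's procedure (reset the password through the LDAP protocol so IPA can derive the Kerberos keys) and James's confirmation that the SetPassword extended operation, not a pre-hashed userPassword write, is what keeps both stores in sync both come down to the RFC 3062 Password Modify request that ldappasswd and Net::LDAP::Extension::SetPassword send. The following is an added example, not code from this thread or from FreeIPA: it encodes that request by hand so the difference from writing a `{SHA}` value into userPassword is visible on the wire, and refuses a stored hash as input. The DN, message ID and password are constructed samples.

```python
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extended op
_HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")  # stored-hash markers such as {SHA}, {SSHA}

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n: int) -> bytes:
    """Minimal INTEGER encoding for a non-negative LDAP message ID."""
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def passwd_modify_value(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { [0] user, [1] old, [2] new }, each optional."""
    fields = b""
    for tag, text in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if text is not None:
            fields += tlv(tag, text.encode("utf-8"))
    return tlv(0x30, fields)

def extended_request(message_id: int, oid: str, value: bytes) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] { requestName [0], requestValue [1] } }."""
    op = tlv(0x80, oid.encode("ascii")) + tlv(0x81, value)
    return tlv(0x30, ber_int(message_id) + tlv(0x77, op))

def password_reset_message(message_id: int, user_dn: str, new_passwd: str, old_passwd=None) -> bytes:
    """Request that makes the directory hash the cleartext itself (LDAP and Kerberos stores).

    A stored hash such as '{SHA}...' is rejected: sent this way it would simply become
    the user's literal password, and a hash can never be propagated to a Windows domain.
    """
    if _HASH_PREFIX.match(new_passwd):
        raise ValueError("pass the cleartext password, not a stored hash")
    value = passwd_modify_value(user_dn, old_passwd, new_passwd)
    return extended_request(message_id, PASSWD_MODIFY_OID, value)

if __name__ == "__main__":
    # Constructed sample: an IPA-style DN under cn=users,cn=accounts and a made-up password.
    msg = password_reset_message(1, "uid=doug,cn=users,cn=accounts,dc=example,dc=com", "Secret123")
    print(msg.hex())
```

The request carries the cleartext, which is exactly what lets the server hash it for both stores, so it must only travel over LDAPS or StartTLS.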


Re: [Freeipa-users] userPassword change with ldif

2010-09-15 Thread Dmitri Pal
Doug Chapman wrote:
> I'm working on migrating from SunDS to IPA and I've got everything
> moved over, but I'm having some issues with userPassword.  I'd like
> users to be able to connect with their existing passwords and set and
> force a password expiration after our transition is done.
>
> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
> works in IPA, but when I try to use kinit u...@realm it is failing
> with an 'invalid password'.
>
> I've looked through the schema and can't find a separate 'krbPassword'
> entry, can someone clarify for me why this is failing?
>
> Is there another place where the password is stored besides userPassword ?

The user password in IPA is not a simple hash.  If you create a user in
IPA and set his password this user will get a kerberos hash not a DS
hash. So the problem you are facing is the problem of migrating
passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
much as we think it can be solved) in v2.
In v2 there are two options:
1) You can instruct users to go to a special URL and pass the
authentication there. The authentication against that page will allow
IPA server to capture user password and generate the appropriate kerberos hash
2) Using SSSD as a client. SSSD has special logic that allows it to
handle this case behind the scenes. When user logs in and SSSD and IPA
are configured in migration mode then SSSD will do everything
automatically.

What is the version of IPA you are using? Would either of the two options
work for you?
>
> tia
>
> DougC
> 
>


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

