Re: [Freeipa-users] userPassword change with ldif
On 09/15/2010 10:14 PM, Rob Crittenden wrote:
> As Dmitri said, the problem is that kerberos uses a different password
> attribute than LDAP. For passwords set within IPA we capture password
> changes from both LDAP and kerberos and keep the two in sync. When you
> migrate just the LDAP password you need some mechanism to authenticate
> the user and reset the password, therefore creating the kerberos
> credentials and starting to keep the two in sync.
>
> Off the top of my head, you may be able to do something in v1 with a
> little bit of work:
>
> - When you load users via ldif add the krbPrincipalAux objectclass and
>   set krbprincipalname to u...@realm.
> - Write a simple web page that uses LDAP authentication. On the page
>   itself prompt for a new password and use the LDAP protocol to change
>   the password (this is pretty standard stuff).
> - This should, in theory, add the kerberos credentials.

I can confirm that using an LDAP password reset function will sync both
the LDAP and Kerberos passwords. If using a Perl website, be sure to use
Net::LDAP::Extension::SetPassword. This is critical if your FreeIPA
server is connected to an Active Directory server. Methods where you
insert a pre-hashed value into the LDAP directory can't be propagated to
the Windows Domain.

> It should be pretty easy to verify using ldappasswd. If you get
> credentials by resetting the password with that then it should work
> using the more complex web-based procedure I outlined.
>
> Actually, when you load your users via LDIF be sure to configure them
> using the same objectclasses we use to ensure that the IPA framework is
> going to see them as IPA users. You'll need to adhere to our tree
> structure as well.
>
> rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] userPassword change with ldif
Dmitri Pal wrote:
> Doug Chapman wrote:
>> I'm working on migrating from SunDS to IPA and I've got everything
>> moved over, but I'm having some issues with userPassword. I'd like
>> users to be able to connect with their existing passwords and set and
>> force a password expiration after our transition is done.
>>
>> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
>> works in IPA, but when I try to use kinit u...@realm it is failing
>> with an 'invalid password'.
>>
>> I've looked through the schema and can't find a separate 'krbPassword'
>> entry, can someone clarify for me why this is failing?
>>
>> Is there another place where the password is stored besides
>> userPassword ?
>
> The user password in IPA is not a simple hash. If you create a user in
> IPA and set his password this user will get a kerberos hash not a DS
> hash. So the problem you are facing is the problem of migrating
> passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
> much as we think it can be solved) in v2.
>
> In v2 there are two options:
>
> 1) You can instruct users to go to a special URL and pass the
>    authentication there. The authentication against that page will
>    allow IPA server to capture user password and generate appropriate
>    kerberos hash
> 2) Using SSSD as a client. SSSD has special logic that allows it to
>    handle this case behind the scenes. When user logs in and SSSD and
>    IPA are configured in migration mode then SSSD will do everything
>    automatically.
>
> What is the version of IPA you are using? Would any of the two options
> work for you?

As Dmitri said, the problem is that kerberos uses a different password
attribute than LDAP. For passwords set within IPA we capture password
changes from both LDAP and kerberos and keep the two in sync. When you
migrate just the LDAP password you need some mechanism to authenticate
the user and reset the password, therefore creating the kerberos
credentials and starting to keep the two in sync.

Off the top of my head, you may be able to do something in v1 with a
little bit of work:

- When you load users via ldif add the krbPrincipalAux objectclass and
  set krbprincipalname to u...@realm.
- Write a simple web page that uses LDAP authentication. On the page
  itself prompt for a new password and use the LDAP protocol to change
  the password (this is pretty standard stuff).
- This should, in theory, add the kerberos credentials.

It should be pretty easy to verify using ldappasswd. If you get
credentials by resetting the password with that then it should work
using the more complex web-based procedure I outlined.

Actually, when you load your users via LDIF be sure to configure them
using the same objectclasses we use to ensure that the IPA framework is
going to see them as IPA users. You'll need to adhere to our tree
structure as well.

rob
Re: [Freeipa-users] userPassword change with ldif
Doug Chapman wrote:
> I'm working on migrating from SunDS to IPA and I've got everything
> moved over, but I'm having some issues with userPassword. I'd like
> users to be able to connect with their existing passwords and set and
> force a password expiration after our transition is done.
>
> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
> works in IPA, but when I try to use kinit u...@realm it is failing
> with an 'invalid password'.
>
> I've looked through the schema and can't find a separate 'krbPassword'
> entry, can someone clarify for me why this is failing?
>
> Is there another place where the password is stored besides userPassword ?

The user password in IPA is not a simple hash. If you create a user in
IPA and set his password this user will get a kerberos hash not a DS
hash. So the problem you are facing is the problem of migrating
passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
much as we think it can be solved) in v2.

In v2 there are two options:

1) You can instruct users to go to a special URL and pass the
   authentication there. The authentication against that page will
   allow IPA server to capture user password and generate appropriate
   kerberos hash
2) Using SSSD as a client. SSSD has special logic that allows it to
   handle this case behind the scenes. When user logs in and SSSD and
   IPA are configured in migration mode then SSSD will do everything
   automatically.

What is the version of IPA you are using? Would any of the two options
work for you?

> tia
>
> DougC

-- 
Thank you,
Dmitri Pal
Engineering Manager IPA project, Red Hat Inc.