[Freeipa-users] userPassword change with ldif

Rob Crittenden rcritten at redhat.com
Thu Sep 16 02:14:00 UTC 2010


Dmitri Pal wrote:
> Doug Chapman wrote:
>> I'm working on migrating from SunDS to IPA and I've got everything
>> moved over, but I'm having some issues with userPassword.  I'd like
>> users to be able to connect with their existing passwords and set and
>> force a password expiration after our transition is done.
>>
>> I can copy the {SHA} hash from SunDS to IPA and ldap authentication
>> works in IPA, but when I try to use kinit user at REALM it is failing
>> with an 'invalid password'.
>>
>> I've looked through the schema and can't find a separate 'krbPassword'
>> entry, can someone clarify for me why this is failing?
>>
>> Is there another place where the password is stored besides userPassword ?
>
> The user password in IPA is not a simple hash. If you create a user in
> IPA and set his password, this user will get a kerberos hash, not a DS
> hash. So the problem you are facing is the problem of migrating
> passwords. It is not easily solvable with IPA 1.2.x. It is solved (as
> much as we think it can be solved) in v2.
> In v2 there are two options:
> 1) You can instruct users to go to a special URL and pass the
> authentication there. The authentication against that page will allow
> the IPA server to capture the user's password and generate the appropriate kerberos hash.
> 2) Using SSSD as a client. SSSD has special logic that allows it to
> handle this case behind the scenes. When a user logs in and SSSD and IPA
> are configured in migration mode, then SSSD will do everything
> automatically.
>
>
> What is the version of IPA you are using? Would any of the two options
> work for you?

As Dmitri said, the problem is that kerberos uses a different password 
attribute than LDAP. For passwords set within IPA we capture password 
changes from both LDAP and kerberos and keep the two in sync.

When you migrate just the LDAP password you need some mechanism to 
authenticate the user and reset the password, therefore creating the 
kerberos credentials and starting to keep the two in sync.

Off the top of my head, you may be able to do something in v1 with a 
little bit of work:

- When you load users via ldif add the krbPrincipalAux objectclass and 
set krbprincipalname to user at REALM.
- Write a simple web page that uses LDAP authentication. On the page 
itself prompt for a new password and use the LDAP protocol to change the 
password (this is pretty standard stuff).
- This should, in theory, add the kerberos credentials.

It should be pretty easy to verify using ldappasswd. If you get 
credentials by resetting the password with that then it should work 
using the more complex web-based procedure I outlined.

Actually, when you load your users via LDIF be sure to configure them 
using the same objectclasses we use to ensure that the IPA framework is 
going to see them as IPA users. You'll need to adhere to our tree 
structure as well.

rob
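An added example, not from the thread and not FreeIPA's own tooling, for the first of Rob's steps: rewriting a SunDS LDIF export so each user entry also carries the krbPrincipalAux objectclass and a krbPrincipalName of uid@REALM, while the migrated {SHA} userPassword is left exactly as exported. The realm, DNs and hash value are constructed; the parser handles RFC 2849 line folding and `::` base64 values, which directory exports often use for userPassword.

```python
import base64
REALM = "EXAMPLE.COM"                            # hypothetical realm, not from the thread
SHA_HASH = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="   # constructed {SHA} value (SHA-1 of "password")
# Constructed SunDS-style export: alice's hash is base64-wrapped ("::"), bob already has krbPrincipalAux.
SAMPLE_LDIF = (
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com\n"
    "objectClass: person\nobjectClass: posixAccount\nuid: alice\n"
    "userPassword:: " + base64.b64encode(SHA_HASH.encode()).decode() + "\n\n"
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com\n"
    "objectClass: person\nobjectClass: krbPrincipalAux\nuid: bob\n"
    "krbPrincipalName: bob@" + REALM + "\nuserPassword: " + SHA_HASH + "\n")

def parse_ldif(text):
    """Return entries as lists of (attr, value); handles folded lines and '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:    # RFC 2849 continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded + [""]:                 # trailing "" flushes the last entry
        if not line and current:
            entries.append(current)
            current = []
        elif line and not line.startswith("#"):
            attr, _, rest = line.partition(":")
            wrapped = rest.startswith(":")       # "attr:: <base64>"
            current.append((attr, base64.b64decode(rest[1:].strip()).decode() if wrapped else rest.strip()))
    return entries

def add_krb_principal(entry, realm=REALM):
    """Add krbPrincipalAux and krbPrincipalName (uid@REALM) if missing; userPassword is left as-is."""
    ocs = {v.lower() for a, v in entry if a.lower() == "objectclass"}
    uid = next(v for a, v in entry if a.lower() == "uid")
    extra = [] if "krbprincipalaux" in ocs else [("objectClass", "krbPrincipalAux")]
    if not any(a.lower() == "krbprincipalname" for a, _ in entry):
        extra.append(("krbPrincipalName", f"{uid}@{realm}"))
    return entry + extra

def to_ldif(entries):
    """Serialise entries; values LDIF cannot carry in the clear are base64-wrapped ('::')."""
    def fmt(a, v):
        clear = v.isascii() and v.isprintable() and not v.startswith((" ", ":", "<"))
        return f"{a}: {v}" if clear else f"{a}:: {base64.b64encode(v.encode()).decode()}"
    return "\n\n".join("\n".join(fmt(a, v) for a, v in e) for e in entries) + "\n"

def migrate(text, realm=REALM):
    """Rewrite a SunDS LDIF export so every user entry is also a Kerberos principal."""
    return to_ldif([add_krb_principal(e, realm) for e in parse_ldif(text)])
```

The output is what you would hand to ldapadd; the Kerberos key itself still only appears once a user's password is reset, which is why the ldappasswd check on one account is the right first test.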
