[Freeipa-users] userPassword change with ldif

James Roman james.roman at ssaihq.com
Thu Sep 16 20:37:34 UTC 2010



  On 09/15/2010 10:14 PM, Rob Crittenden wrote:
>
> As Dmitri said, the problem is that kerberos uses a different password
> attribute than LDAP. For passwords set within IPA we capture password
> changes from both LDAP and kerberos and keep the two in sync.
>
> When you migrate just the LDAP password you need some mechanism to
> authenticate the user and reset the password, therefore creating the
> kerberos credentials and starting to keep the two in sync.
>
> Off the top of my head, you may be able to do something in v1 with a
> little bit of work:
>
> - When you load users via ldif add the krbPrincipalAux objectclass and
> set krbprincipalname to user at REALM.
> - Write a simple web page that uses LDAP authentication. On the page
> itself prompt for a new password and use the LDAP protocol to change
> the password (this is pretty standard stuff).
> - This should, in theory, add the kerberos credentials.
I can confirm that using an LDAP password reset function will sync both 
the LDAP and Kerberos passwords. If using a Perl website, be sure to use 
Net::LDAP::Extension::SetPassword. This is critical if your FreeIPA 
server is connected to an Active Directory server. Methods where you insert 
a pre-hashed value into the LDAP directory can't be propagated to the 
Windows Domain.
>
> It should be pretty easy to verify using ldappasswd. If you get
> credentials by resetting the password with that then it should work
> using the more complex web-based procedure I outlined.
>
> Actually, when you load your users via LDIF be sure to configure them
> using the same objectclasses we use to ensure that the IPA framework
> is going to see them as IPA users. You'll need to adhere to our tree
> structure as well.
>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
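The distinction the thread turns on is between a password *change* the server sees in cleartext (what ldappasswd and Net::LDAP::Extension::SetPassword perform, via the RFC 3062 Password Modify extended operation) and a pre-hashed userPassword value written straight into the directory, which no server-side plugin can turn into Kerberos keys or forward to a Windows domain. The following is an added example, not FreeIPA's code and not the poster's Perl: it encodes and decodes the Password Modify request value exactly as it goes on the wire, wraps it in an LDAP ExtendedRequest, and scans a migration LDIF for the pre-hashed values that would silently break the Kerberos and AD sync. All DNs, passwords and hash strings in it are constructed sample data.

```python
"""Added example for this thread (not FreeIPA's code or the poster's Perl):
1. encode/decode the RFC 3062 Password Modify extended-operation value that
   ldappasswd and Net::LDAP::Extension::SetPassword put on the wire, and
2. scan a migration LDIF for pre-hashed userPassword values, which a
   password-change plugin cannot turn into Kerberos keys or forward to AD.
All DNs, passwords and hashes below are constructed sample data.
"""
import base64
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 passwdModify


def _ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def build_passwd_modify_value(user_identity=None, old_password=None, new_password=None):
    """PasswdModifyRequestValue ::= SEQUENCE { [0] userIdentity, [1] oldPasswd,
    [2] newPasswd }, all OPTIONAL. The server receives the new password in
    cleartext, which is what lets a server-side plugin derive Kerberos keys."""
    fields = b""
    if user_identity is not None:
        fields += _tlv(0x80, user_identity.encode())
    if old_password is not None:
        fields += _tlv(0x81, old_password.encode())
    if new_password is not None:
        fields += _tlv(0x82, new_password.encode())
    return _tlv(0x30, fields)


def build_extended_request(message_id, request_value):
    """Wrap the value in ExtendedRequest [APPLICATION 23] inside an LDAPMessage."""
    if not 0 <= message_id < 0x80:
        raise ValueError("example supports single-byte message IDs only")
    op = _tlv(0x77, _tlv(0x80, PASSWD_MODIFY_OID.encode()) + _tlv(0x81, request_value))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + op)


def parse_passwd_modify_value(data):
    """Decode a PasswdModifyRequestValue into a dict (for inspection/testing)."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    names = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[names[tag]] = val.decode()
    return out


# RFC 2307-style scheme prefix, e.g. {SSHA}, {CRYPT}, {MD5}
_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")


def find_prehashed_passwords(ldif_text):
    """Return (dn, scheme) for every userPassword in the LDIF that carries a
    {SCHEME} prefix. The directory stores such values as-is, so neither IPA's
    Kerberos keys nor an AD sync can be produced from them."""
    findings, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
            continue
        key, _, rest = line.partition(":")
        if key.lower() != "userpassword":
            continue
        if rest.startswith(":"):  # "userPassword:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        m = _SCHEME.match(value)
        if m:
            findings.append((dn, m.group(0)))
    return findings


# Constructed migration LDIF: two pre-hashed entries and one that is not.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test",
    "objectClass: krbPrincipalAux",
    "krbPrincipalName: alice@EXAMPLE.TEST",
    "userPassword: {SSHA}c29tZWNvbnN0cnVjdGVkaGFzaHNhbHQ=",
    "",
    "dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword:: " + base64.b64encode(b"{CRYPT}$6$constructedsalt$constructedhash").decode(),
    "",
    "dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test",
    "userPassword: NotAHashJustSampleText",
])

if __name__ == "__main__":
    val = build_passwd_modify_value(
        "uid=alice,cn=users,cn=accounts,dc=example,dc=test", "OldPass1", "NewPass2")
    print(build_extended_request(1, val).hex())
    print(parse_passwd_modify_value(val))
    print(find_prehashed_passwords(SAMPLE_LDIF))
```

Running `find_prehashed_passwords` over a migration LDIF before loading it is the cheap check that catches the case the thread describes: entries whose userPassword already carries a `{SSHA}` or `{CRYPT}` prefix will import fine but will never get Kerberos credentials or reach the Windows domain until the user goes through a real password change. `ldappasswd`, python-ldap's `passwd_s()` and Net::LDAP::Extension::SetPassword all send the extended request built above, so any of them can serve as the "reset" step Rob outlines.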