[Freeipa-users] Migrating passwd files etc into free-ipa

Rob Crittenden rcritten at redhat.com
Mon Sep 27 15:30:50 UTC 2010


Steven Jones wrote:
> Ok,
>
> So lets avoid the passwords....
>
> Is there an automatic / scripted way to import the passwd file so I get the UID's, GID's etc into ipa?

We have generally left this as an exercise for the end-user because it 
isn't a technically difficult problem. It is more a policy and config 
problem.

Attached is a simple demonstration of doing this using IPA command-line. 
The tricky part is dealing with names. There is no universal way of 
getting it right. Entries without a gecos are skipped.

It worked fine on my system with 2 password entries. YMMV.

rob

>
> regards
>
> Steven Jones Technical Specialist Linux/Vmware
> Tele 64 4 463 6272
> Victoria University
> Kelburn
> New Zealand
>
>
> -----Original Message-----
> From: Dmitri Pal [mailto:dpal at redhat.com]
> Sent: Friday, 24 September 2010 11:18 p.m.
> To: Steven Jones
> Cc: freeipa-users
> Subject: Re: [Freeipa-users] Migrating passwd files etc into free-ipa
>
> Steven Jones wrote:
>> Is there a method to do this?
>>
>> I tried to use LdapImport.pl from the 389 project and this failed....
>>
>> Giving me all # = entry not added to destination (other error)
>>
>> Possibly the password criteria in freeipa is "too strong"?
>>
>> How can I disable this feature?
>>
>> or is there another way to import?
>>
>>
> Migration of the passwords is a tough problem.
> The issue is that the passwords in the local files are hashed using a
> simple hash algorithm while in IPA they are hashed to create kerberos keys.
> Converting from one to another without knowing the clear password is not
> possible. If you already have an LDAP server with passwords you can take
> advantage of our LDAP migration schemes but if you have local files this
> will be a challenge.
> For migrating from LDAP case you can load your users into the IPA and
> then configure SSSD to use migration mode on the client or you can
> instruct users to go to a special migration web page. In both cases you
> already have the password hashed in the LDAP format in the IPA so SSSD
> or Migration page will capture the cleartext password and pass it to IPA
> so that it can use it to generate the Kerberos hashes.
>
> A quick search around migrating passwords from flat files to LDAP showed
> that it is in some cases possible (if the hash that is used by the flat
> file is supported by the DS server, but tricky).
> We do not have any aid here so it is simpler to reset the password. If
> this is not an option, as far as I understand you need to create user
> accounts first with some password and then overwrite the password
> attribute in the LDAP with the properly decorated hash taken from the
> password file. And after that you still need the kerberos keys for IPA
> to work so you still need to use the Migration page or SSSD. It might be
> less trouble just to bite the bullet and reset passwords as you migrate
> to IPA.
>
> Thanks
> Dmitri
>
>> regards
>>
>>
>> Steven Jones Technical Specialist Linux/Vmware
>> Tele 64 4 463 6272
>> Victoria University
>> Kelburn
>> New Zealand
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: import.py
Type: text/x-python
Size: 1135 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20100927/984e59e5/attachment.py>
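Rob's import.py was scrubbed from the archive. The script below is an added example, not his attachment, of the approach he describes: parse passwd(5) lines, derive first and last names from the gecos field, skip entries that have no gecos, and emit one `ipa user-add` invocation per user. It never touches the password field, since file hashes cannot be turned into Kerberos keys (Dmitri's point), and it builds argv lists rather than shell strings so gecos content is never interpreted by a shell. The option names (`--first`, `--last`, `--uid`, `--gidnumber`, `--homedir`, `--shell`, `--gecos`), the `MIN_UID` cutoff for local system accounts, the single-token-name handling and the sample passwd content are all assumptions made for this example; check `ipa user-add --help` on your server before running it for real.

```python
#!/usr/bin/env python3
"""Build `ipa user-add` invocations from passwd(5) lines (added example, not the
thread's import.py). Option names are assumptions: verify with `ipa user-add --help`."""
import shlex
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample /etc/passwd content: system accounts, two real users,
# and a user with an empty gecos (skipped, as in Rob's note).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sjones:x:1001:1001:Steven Jones,Kelburn,,:/home/sjones:/bin/bash
rcrit:x:1002:1002:Rob Crittenden:/home/rcrit:/bin/zsh
svcacct:x:1003:1003::/home/svcacct:/bin/sh
"""

MIN_UID = 1000  # assumption: UIDs below this are local system accounts and stay local


@dataclass
class PasswdEntry:
    login: str
    uid: int
    gid: int
    gecos: str
    homedir: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) text; the password field is deliberately discarded."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        login, _pw, uid, gid, gecos, homedir, shell = fields
        entries.append(PasswdEntry(login, int(uid), int(gid), gecos, homedir, shell))
    return entries


def split_gecos(gecos: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) from the gecos full-name subfield, or None if it is empty."""
    full_name = gecos.split(",")[0].strip()  # gecos is "Full Name,room,phone,..."
    if not full_name:
        return None
    parts = full_name.split()
    if len(parts) == 1:
        # Single-token names: IPA requires both --first and --last, so reuse the token.
        return parts[0], parts[0]
    return parts[0], " ".join(parts[1:])


def build_user_add(entry: PasswdEntry) -> Optional[List[str]]:
    """Return the argv for one user, or None if the entry is not to be migrated."""
    if entry.uid < MIN_UID:
        return None
    names = split_gecos(entry.gecos)
    if names is None:
        return None
    first, last = names
    return ["ipa", "user-add", entry.login,
            "--first", first, "--last", last,
            "--uid", str(entry.uid), "--gidnumber", str(entry.gid),
            "--homedir", entry.homedir, "--shell", entry.shell,
            "--gecos", entry.gecos]


def plan_import(text: str) -> List[List[str]]:
    """All user-add commands for the given passwd text, in file order."""
    return [cmd for cmd in (build_user_add(e) for e in parse_passwd(text)) if cmd]


def run_import(text: str, dry_run: bool = True) -> int:
    """Print each command (shell-quoted for readability) and optionally run it."""
    count = 0
    for argv in plan_import(text):
        print(" ".join(shlex.quote(a) for a in argv))
        if not dry_run:
            subprocess.run(argv, check=True)  # argv list, no shell=True
        count += 1
    return count


if __name__ == "__main__":
    run_import(SAMPLE_PASSWD)  # dry run: review the plan before running with dry_run=False
```

Run it once as a dry run against the real file (`run_import(open("/etc/passwd").read())`) and review the printed plan; the users it creates still need passwords set afterwards, exactly as the thread concludes.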

