[Freeipa-users] Migration to FreeIPA 2 - password update via LDAP

Dan Scott danieljamesscott at gmail.com
Fri Sep 9 21:20:11 UTC 2011


Hi,

On Thu, Sep 8, 2011 at 21:20, Simo Sorce <simo at redhat.com> wrote:
> On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <dpal at redhat.com> wrote:
>> > On 09/07/2011 02:45 PM, Dan Scott wrote:
>> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
>> >> migration, the script says:
>> >>
>> >> "Passwords have been migrated in pre-hashed format.
>> >> IPA is unable to generate Kerberos keys unless provided
>> >> with clear text passwords. All migrated users need to
>> >> login at https://your.domain/ipa/migration/ before they
>> >> can use their Kerberos accounts."
>> >>
>> >> I have some users who are authenticated via LDAP. Also I have a Java
>> >> application which allows them to change their password using LDAP.
>> >> Will existing passwords continue to work when using LDAP
>> >> authentication/password changes? It is only Kerberos authentication
>> >> which requires users to re-login on this special page?
>> >>
>> >
>> > If you update the password via LDAP using bind over SSL so that server
>> > has the password in clear the new Kerberos hashes will be generated
>> > automatically and kerberos will become usable for these users once again.
>> >
>> > Also SSSD has a nice feature to migrate user passwords. Read more about
>> > it in the SSSD docs.
>>
>> Excellent, thanks for the response. The LDAP bind must be over SSL,
>> correct? When not using SSL, I get:
>>
>> "javax.security.auth.login.LoginException:
>> javax.security.auth.login.LoginException: LDAP bind failed for
>> uid=djscott,cn=users,cn=compat,dc=..."
>>
>> When using LDAPS, I get:
>>
>> "Exception in LdapRealm when trying to authenticate user.
>> javax.security.auth.login.LoginException:
>> javax.naming.CommunicationException: anonymous bind failed:
>> kelvin.example.com:636 [Root exception is
>> javax.net.ssl.SSLHandshakeException:
>> sun.security.validator.ValidatorException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target]"
>>
>> So I guess I need to add a FreeIPA certificate into my Glassfish
>> keystore. Does this sound right? Should I create a certificate for my
>> service?:
>>
>> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
>>
>> Or should I be adding the CA of my FreeIPA installation?
>
> You need to add and trust the FreeIPA CA certificate to your glassfish
> CA cert store.

Thanks, I'm getting closer. I now receive the "LDAP bind failed for"
message when attempting LDAPS authentication.

Is there a way I can test LDAPS authentication from the command line?

Dan
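
The following is an added example for the command-line question above; it is not FreeIPA code and not the poster's Java application. It performs an LDAP simple bind over LDAPS with the BindRequest/BindResponse built and decoded by hand (RFC 4511, BER-encoded), so the two failure modes seen in this thread can be told apart: a TLS chain failure (the Java "PKIX path building failed") surfaces as an `ssl.SSLCertVerificationError` before any LDAP traffic, while a rejected bind comes back as LDAP resultCode 49 (invalidCredentials) after a successful handshake. Assumptions, all placeholders: the server name `kelvin.example.com` from the thread listens on 636, the FreeIPA CA certificate is available as a PEM file (`/etc/ipa/ca.crt` on an enrolled client), and the bind DN is something like `uid=alice,cn=users,cn=accounts,dc=example,dc=com`.

```python
"""LDAPS simple-bind probe. Added example, not FreeIPA's or the poster's code.
Assumed: FreeIPA CA as a PEM file (/etc/ipa/ca.crt on enrolled clients), port 636,
placeholder host/DN supplied on the command line."""
import socket
import ssl
import sys
from getpass import getpass

# --- BER primitives (LDAP uses definite-length encoding only) ---

def ber_len(n):
    """Length octets: short form below 128, else 0x80|N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):
    """Non-negative INTEGER (tag 0x02); the extra byte keeps the sign bit clear."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos=0):
    """Decode one element at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- LDAP messages ---

def bind_request(msg_id, dn, password):
    """LDAPMessage{messageID, BindRequest [APPLICATION 0]{version 3, name, simple [0]}}."""
    auth = tlv(0x80, password.encode("utf-8"))            # AuthenticationChoice.simple
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode("utf-8")) + auth)
    return tlv(0x30, ber_int(msg_id) + op)

def parse_bind_response(msg):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x61:                                        # BindResponse is [APPLICATION 1]
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)                            # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)                # matchedDN (unused here)
    _, diag, _ = read_tlv(op, pos)                         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        data += chunk
    return data

def recv_ldap_message(sock):
    """Read exactly one BER element (tag, length, value) off the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def ldaps_bind(host, dn, password, cafile, port=636):
    """Simple bind over TLS. The context verifies the chain against cafile and checks
    the hostname, the same checks behind Java's 'PKIX path building failed'."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, dn, password))
            return parse_bind_response(recv_ldap_message(tls))

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: ldaps_bind.py HOST BIND_DN CA_FILE   (password is prompted)")
    host, dn, cafile = sys.argv[1:]
    try:
        _mid, code, diag = ldaps_bind(host, dn, getpass("Password: "), cafile)
    except ssl.SSLCertVerificationError as e:
        sys.exit("TLS verification failed (CA file wrong or missing?): %s" % e)
    # resultCode 0 = success, 49 = invalidCredentials (RFC 4511 section 4.1.9)
    print("resultCode=%d diagnostic=%r" % (code, diag))
    sys.exit(0 if code == 0 else 1)
```

Run it as `python3 ldaps_bind.py kelvin.example.com 'uid=alice,cn=users,cn=accounts,dc=example,dc=com' /etc/ipa/ca.crt`. Pointing it at a CA file other than the IPA CA reproduces the Glassfish PKIX error at the TLS layer, which confirms the truststore is the problem; once the handshake succeeds, a resultCode of 49 means the credentials or the bind DN are being rejected by the directory, not TLS. The OpenLDAP client tools give the same answer in one line: `LDAPTLS_CACERT=/etc/ipa/ca.crt ldapwhoami -x -H ldaps://kelvin.example.com -D '<bind dn>' -W`.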
