[Freeipa-users] password migration

Stephen Gallagher sgallagh at redhat.com
Tue Sep 20 14:18:13 UTC 2011


On Tue, 2011-09-20 at 09:59 -0400, Dmitri Pal wrote:
> 3) After importing users use SSSD in migration mode (special setting in
> SSSD config). In this case, for any user without a Kerberos hash who would
> log in via SSSD, SSSD would connect to IPA in a special way and trigger the
> Kerberos hash generation.

Migration mode in SSSD is not a client-side configuration. We ask the
FreeIPA server whether migration is active.

Specifically, the way SSSD behaves is as follows:
1) Try to authenticate with Kerberos. If Kerberos responds that there's
no hash for this user,
2) Ask FreeIPA if migration mode is enabled. If it is,
3) Try to bind to FreeIPA LDAP using the same password. If this
succeeds, we know that the password is valid.
4) Initiate a Kerberos password change to set the Kerberos password
equal to the LDAP password.
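
The four-step fallback described above, modelled as an added example that is not part of the original post and is not SSSD or FreeIPA code. ToyIPAServer, its methods and the returned path labels are hypothetical stand-ins for the KDC, the LDAP bind and the password-change operation, and the password hashing is a toy.

```python
import hashlib
import hmac
import os

class NoKerberosKey(Exception):
    """Model of Kerberos answering that the user has no hash."""

class ToyIPAServer:
    """Hypothetical in-memory stand-in for a FreeIPA server (LDAP + KDC)."""
    def __init__(self, migration_enabled):
        self.migration_enabled = migration_enabled  # server-side, not client config
        self.ldap_hash = {}  # uid -> (salt, digest), imported from the old directory
        self.krb_key = {}    # uid -> (salt, key), empty for freshly imported users

    @staticmethod
    def _derive(password, salt):
        # Toy derivation; real LDAP hashes and Kerberos keys use other schemes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

    def import_user(self, uid, password):
        salt = os.urandom(16)
        self.ldap_hash[uid] = (salt, self._derive(password, salt))

    def kinit(self, uid, password):
        if uid not in self.krb_key:
            raise NoKerberosKey(uid)
        salt, key = self.krb_key[uid]
        return hmac.compare_digest(key, self._derive(password, salt))

    def ldap_bind(self, uid, password):
        if uid not in self.ldap_hash:
            return False
        salt, digest = self.ldap_hash[uid]
        return hmac.compare_digest(digest, self._derive(password, salt))

    def kpasswd(self, uid, password):
        salt = os.urandom(16)
        self.krb_key[uid] = (salt, self._derive(password, salt))

def sssd_authenticate(server, uid, password):
    """Follow steps 1-4 from the post; return (authenticated, path_taken)."""
    try:
        return server.kinit(uid, password), "kerberos"   # step 1
    except NoKerberosKey:
        pass
    if not server.migration_enabled:                     # step 2: ask the server
        return False, "no-key"
    if not server.ldap_bind(uid, password):              # step 3: prove the password
        return False, "ldap-bind-failed"
    server.kpasswd(uid, password)                        # step 4: set Kerberos key
    return True, "migrated"
```

In this model a wrong password never reaches step 4, so no Kerberos key is created from an unverified password, and with migration disabled on the server the client cannot trigger key generation at all.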