[Freeipa-users] password migration
Simo Sorce
simo at redhat.com
Fri Sep 23 13:19:22 UTC 2011
On Fri, 2011-09-23 at 10:20 +0200, Jan-Frode Myklebust wrote:
> On Tue, Sep 20, 2011 at 10:18:13AM -0400, Stephen Gallagher wrote:
> >
> > Specifically, the way SSSD behaves is as follows:
> > 1) Try to authenticate with Kerberos. If Kerberos responds that there's
> > no hash for this user,
> > 2) Ask FreeIPA if migration mode is enabled, if it is,
> > 3) Try to bind to FreeIPA LDAP using the same password. If this
> > succeeds, we know that the password is valid
> > 4) Initiate a kerberos password-change to set the kerberos password
> > equal to the LDAP password.
>
> Is it supported to run a mixed ldap bind / kerberos environment? I'm
> thinking of letting all old RHEL4 and RHEL5 systems keep running ldap
> bind authentication, and only enable kerberos/sssd on RHEL6 initially.
Yes, that's ok, ldap auth is there explicit to support clients that
can't do kerb auth for whatever reason.
> After 3 months, or so, all users should have been forced to change their
> passwords trough the password expiry policy. Will then the RHEL4/5
> klients also update kerberos password when they're forced to change their
> LDAP password ?
They should.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-users
mailing list