[Freeipa-users] password migration

Rob Crittenden rcritten at redhat.com
Fri Sep 23 13:30:10 UTC 2011


Jan-Frode Myklebust wrote:
> On Tue, Sep 20, 2011 at 09:59:16AM -0400, Dmitri Pal wrote:
>>>
>>> 	Password Hash Algorithm
>>> 	-------------------------
>>> 	Indicates the algorithm that the system should use to hash the password.
>>> 	Currently supported values are SSHA, SHA, SMD5, and MD5. A value of NONE
>>> 	or no value indicates that the system will not hash passwords. This will
>>> 	cause cleartext passwords to be stored in LDAP unless the LDAP server
>>> 	performs the hash (Netscape Directory Server and iPlanet Directory
>>> 	Server do).
>>>
>>> Will the ipa-migration handle any of these formats? Which would be the
>>> preferred?
>>>
>> I am not sure it keeps it in clear internally anywhere. Password is
>> always hashed unless you explicitly set it to be cleartext in the
>> setting above.
>
> Are you stating that based on knowledge of Sun Identity Manager? As far
> as I understand SIM, I should be able to add new managed "resources"
> (directories, databases, servers, etc.) at a later point and push my
> user database to them. For that to work, SIM will have to either hash to all
> supported hashing methods (including cleartext??) or just keep a
> cleartext version hidden somewhere.

I think he was referring to 389-ds. IPA migration grabs the raw 
userPassword attribute from the remote LDAP server to create the entry 
in 389-ds.

For the hash types that 389-ds supports, look for passwordStorageScheme in
http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/User_Account_Management.html#Configuring_a_Global_Password_Policy_Using_the_Command_Line-Password_Policy_Attributes

rob
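Since migration copies the raw userPassword value across, the practical question before running it is what storage schemes the source directory actually holds and whether any entries are in clear. The script below is an added example, not code from this thread or from the FreeIPA or 389-ds projects. It assumes the usual LDAP encoding for the four schemes named above (`{SCHEME}` prefix, then base64 of digest followed by the salt for the salted variants); the function names and the sample export are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os
from collections import Counter

# The schemes named in the thread, mapped to (hashlib name, salted?).
# Salted schemes store digest(password + salt) followed by the salt itself.
SCHEMES = {
    "SSHA": ("sha1", True),
    "SHA": ("sha1", False),
    "SMD5": ("md5", True),
    "MD5": ("md5", False),
}


def encode_userpassword(scheme, password, salt=None):
    """Produce a {SCHEME}base64 value in the form a directory server stores it."""
    algo, salted = SCHEMES[scheme.upper()]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme.upper(), base64.b64encode(digest + salt).decode("ascii"))


def parse_userpassword(value):
    """Classify one userPassword value.

    Returns (kind, digest, salt); kind is a supported scheme name, 'cleartext'
    (no {SCHEME} prefix at all), or 'unsupported' (a prefix this script does
    not handle, or a payload that is not valid base64 of the expected length).
    """
    if not value.startswith("{") or "}" not in value:
        return "cleartext", None, None
    scheme, payload = value[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        return "unsupported", None, None
    try:
        raw = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return "unsupported", None, None
    algo, salted = SCHEMES[scheme]
    dlen = hashlib.new(algo).digest_size
    # A salted value must carry at least one salt byte; an unsalted one is exactly a digest.
    if (salted and len(raw) <= dlen) or (not salted and len(raw) != dlen):
        return "unsupported", None, None
    return scheme, raw[:dlen], raw[dlen:]


def verify_userpassword(value, candidate):
    """Check a candidate password against a stored value using constant-time compares."""
    kind, digest, salt = parse_userpassword(value)
    if kind == "cleartext":
        return hmac.compare_digest(value.encode("utf-8"), candidate.encode("utf-8"))
    if kind == "unsupported":
        return False
    algo, _ = SCHEMES[kind]
    expected = hashlib.new(algo, candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def audit_entries(entries):
    """Count storage schemes over (uid, userPassword) pairs and list the uids
    stored in clear, which is what you want to know before migrating."""
    counts = Counter()
    cleartext_uids = []
    for uid, value in entries:
        kind, _, _ = parse_userpassword(value)
        counts[kind] += 1
        if kind == "cleartext":
            cleartext_uids.append(uid)
    return dict(counts), cleartext_uids


# Constructed sample export (not real accounts). A fixed salt keeps the SSHA
# value reproducible between runs; the CRYPT string is a placeholder.
SAMPLE_ENTRIES = [
    ("alice", encode_userpassword("SSHA", "correct horse", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08")),
    ("bob", encode_userpassword("SMD5", "battery staple")),
    ("carol", encode_userpassword("SHA", "hunter2")),
    ("dave", "plaintext-password"),        # what a NONE / empty hash setting produces
    ("erin", "{CRYPT}abXXXXXXXXXXX"),      # prefix form this script does not handle
]

if __name__ == "__main__":
    counts, clear = audit_entries(SAMPLE_ENTRIES)
    print("scheme counts:", counts)
    print("cleartext uids:", clear)
    print("alice verifies:", verify_userpassword(SAMPLE_ENTRIES[0][1], "correct horse"))
```

Run it over an LDIF export of the source tree's uid and userPassword attributes and anything reported under `cleartext` or `unsupported` is an entry the target server will either store as-is or be unable to bind against, so those are the users to fix or reset before the migration rather than after.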