[Freeipa-users] Transfer user database to FreeIPA LDAP

Joe Linoff jlinoff at tabula.com
Sun Jun 24 22:10:43 UTC 2012


Hi Mark:

 

I did not find any entries related to passwords in the LDAP record.
There were some entries that looked as though they were related to
Kerberos which might be useful.

% ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
krbPrincipalName: bigbob@EXAMPLE.COM
krbLastPwdChange: 20120530170153Z
krbPasswordExpiration: 20120828170153Z
krbExtraData:: AAgBAA==
krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
krbLastSuccessfulAuth: 20120621180658Z
krbLastFailedAuth: 20120620013218Z
krbLoginFailedCount: 0

 

Unfortunately, I am new to IPA so I don't yet understand the internals
for password management. Can you suggest any documentation I can read? I
am fairly familiar with LDAP and Kerberos.

 

Thanks,

 

Joe

 

 

From: Joe Linoff 
Sent: Sunday, June 24, 2012 2:43 PM
To: Mark Reynolds
Cc: freeipa-users at redhat.com; Joe Linoff
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

 

Hi Mark:

 

Thank you, that is really helpful. 

 

Regards,

 

Joe

 

From: Mark Reynolds [mailto:mareynol at redhat.com] 
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

 

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its
backend.  You would need to convert your DB entries to LDAP entries,
but 389 supports your password type, so it should not be a problem if
you copy & paste the password hashes.  LDAP expects the password to be
something like:

 userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote: 

Hi Everybody:

 

We have a legacy web based application (CakePHP) that stores user data
in a DB and I would like to transfer that information to a FreeIPA
Identity Management Server without requiring the users to re-enter their
passwords (if possible).

 

How would I do that?

 

I know that the DB stores the password as a SHA-1 hash with a salt. I
was hoping that there was a way for the administrator to directly copy
the SHA-1 password hash from the DB into the Free-IPA LDAP for the user
but I don't even know if that is a reasonable expectation.

 

Any help would be greatly appreciated.

 

Thanks,

 

Joe
_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

 

-- 
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
mreynolds at redhat.com
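The {SSHA} value Mark quotes is the 389 Directory Server / OpenLDAP salted SHA-1 layout: base64 of the 20-byte SHA-1 digest of (password || salt), immediately followed by the raw salt bytes. The following is an added example, not code from the thread or from FreeIPA, showing how to build, split and verify such a value and how to repack an existing salted SHA-1 hex digest plus its salt into that layout. The sample password and salt are constructed for the demonstration; only the {SSHA} string itself is taken from Mark's message.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest size in bytes


def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Encode a password as {SSHA}: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # 389 DS commonly uses an 8-byte salt
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); the salt is whatever follows the digest."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short to contain digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(stored: str, password: bytes) -> bool:
    """Check a password against a {SSHA} value, comparing digests in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(digest, candidate)


def ssha_from_legacy(hexdigest: str, salt: bytes) -> str:
    """Repack a legacy sha1(password + salt) hex digest and its salt as {SSHA}.

    This only works when the legacy application hashed the password
    followed by the per-user salt; a salt-first or site-wide-salt scheme
    cannot be repacked and would need a different migration path.
    """
    digest = bytes.fromhex(hexdigest)
    if len(digest) != SHA1_LEN:
        raise ValueError("expected a 40-hex-character SHA-1 digest")
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


# Constructed sample data (not from the thread).
SAMPLE_PASSWORD = b"correct horse battery"
SAMPLE_SALT = b"abcd"
SAMPLE_LEGACY_HEX = hashlib.sha1(SAMPLE_PASSWORD + SAMPLE_SALT).hexdigest()

# The value quoted in Mark's message.
MARK_EXAMPLE = "{SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w=="


if __name__ == "__main__":
    repacked = ssha_from_legacy(SAMPLE_LEGACY_HEX, SAMPLE_SALT)
    print("userPassword:", repacked)
    print("verifies:", verify_ssha(repacked, SAMPLE_PASSWORD))
    digest, salt = split_ssha(MARK_EXAMPLE)
    print("Mark's example carries a %d-byte digest and a %d-byte salt" % (len(digest), len(salt)))
```

The check in `ssha_from_legacy` is the one worth running before a bulk import: if the legacy hashes were produced as sha1(salt + password), or with one application-wide salt, repacking them will produce values that never verify, so test a handful of known accounts with `verify_ssha` first. Separately, a copied `userPassword` only covers LDAP simple binds; the `krb*` attributes Joe lists are separate, and the Kerberos keys are derived from the plaintext, which is why FreeIPA's migration mode lets migrated users obtain them on their first login rather than from the hash.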