[Freeipa-users] Transfer user database to FreeIPA LDAP
Stephen Gallagher
sgallagh at redhat.com
Mon Jun 25 11:20:14 UTC 2012
On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
>
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
>
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: bigbob@EXAMPLE.COM
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
>
> Unfortunately, I am new to IPA so I don’t yet understand the internals
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.
You do not need to populate the Kerberos password fields directly. Once
you migrate your DB users to LDAP, if you enable IPA's "migration
mode" (see the docs on how), the next time a user binds to LDAP using
their existing password, a pre-bind plugin on FreeIPA will catch the
plaintext password and use it to populate the Kerberos password fields
automatically.
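Added example (not part of the original thread and not FreeIPA's own code): a small shell filter for tracking the migration described in the reply above. It lists imported users that still carry only a userPassword hash and no krbPrincipalKey, i.e. accounts that have not yet done the first LDAP bind that generates their Kerberos keys. The function names and the sample LDIF are constructed for illustration; the script assumes the LDIF comes from a bind that is allowed to read both attributes.

```shell
#!/bin/sh
# pending_migration: read LDIF on stdin and print the uid of every entry that
# has a userPassword value but no krbPrincipalKey (keys not yet generated).
# Assumption: the LDIF was produced by a privileged bind, for example
#   ldapsearch -LLL -D "cn=Directory Manager" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=com" uid userPassword krbPrincipalKey
# because an anonymous (-x) search does not return these attributes.
pending_migration() {
    awk '
        function emit() {
            if (uid != "" && has_pw && !has_key) print uid
            uid = ""; has_pw = 0; has_key = 0
        }
        /^$/ { emit(); next }      # blank line ends an LDIF entry
        /^ / { next }              # folded continuation of a long value
        {
            attr = tolower($0); sub(/:.*/, "", attr)
            if (attr == "uid") { uid = $0; sub(/^[^:]*:+ */, "", uid) }
            else if (attr == "userpassword") has_pw = 1
            else if (attr == "krbprincipalkey") has_key = 1
        }
        END { emit() }             # last entry may lack a trailing blank line
    '
}

# Constructed sample data: alice is imported but has not bound yet, bob has
# already bound (keys present), carol was imported without any password.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalName: bob@EXAMPLE.COM
krbPrincipalKey:: Y29uc3RydWN0ZWQ=

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
krbPrincipalName: carol@EXAMPLE.COM
EOF
}

sample_ldif | pending_migration
```

Migration mode can be switched off once this list is empty; an account like carol, which has neither attribute, will never appear here and needs a password set separately.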