[Freeipa-users] Transfer user database to FreeIPA LDAP

Joe Linoff jlinoff at tabula.com
Mon Jun 25 12:51:36 UTC 2012


> You do not need to populate the Kerberos password fields directly. Once you migrate your DB 
> users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a 
> user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch 
> the plaintext password and use it to populate the Kerberos password fields automatically.

Thank you, that makes sense, but my problem is doing the initial migration. How do I get the existing user data into LDAP using the hashed password from the old database?

Regards,

Joe

-----Original Message-----
From: Stephen Gallagher [mailto:sgallagh at redhat.com] 
Sent: Monday, June 25, 2012 4:20 AM
To: Joe Linoff
Cc: Mark Reynolds; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
> 
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to 
> Kerberos which might be useful.
> 
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: bigbob at EXAMPLE.COM
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
> 
> Unfortunately, I am new to IPA so I don't yet understand the internals 
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.


You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.
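As an added example of the initial load Joe is asking about (this is not code from the thread, nor from FreeIPA itself), the script below converts a legacy user table whose passwords survive only as hashes into LDIF for the IPA users container. It maps the legacy hashes to RFC 2307 userPassword values that 389 Directory Server can verify on a simple bind ({CRYPT} for crypt(3) strings, {SHA}/{SSHA} for SHA-1 digests), writes no krb* attributes at all, and includes an offline emulation of the {SSHA} check so the generated entries can be tested before import. The base DN, objectClass list, legacy column names and the sample rows are assumptions; the sample row's hex digest is computed here only because a real export would already contain it.

```python
"""Build LDIF for FreeIPA's users container from a legacy table of hashed passwords.

Added example, not from the mailing-list thread or the FreeIPA project.
Assumptions: the legacy DB stores either crypt(3) strings or hex SHA-1 digests
of (password + salt) with the salt stored beside them; the directory is later
switched to IPA migration mode so the first successful bind creates the
Kerberos keys. Base DN and objectClasses below are illustrative.
"""
import base64
import hashlib
from typing import Dict, Optional

BASE_DN = "cn=users,cn=accounts,dc=example,dc=com"  # assumed IPA suffix
SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def ssha_encode(digest: bytes, salt: bytes) -> str:
    """RFC 2307 {SSHA}: base64 of the SHA-1 digest followed by the salt."""
    if len(digest) != SHA1_LEN:
        raise ValueError("SHA-1 digest must be 20 bytes")
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_from_plaintext(password: str, salt: bytes) -> str:
    """Fixture helper only: a real migration never sees the plaintext."""
    return ssha_encode(hashlib.sha1(password.encode("utf-8") + salt).digest(), salt)


def ssha_verify(stored: str, candidate: str) -> bool:
    """Emulate the directory server's {SSHA} comparison for offline testing."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    return hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest


def to_userpassword(scheme: str, value: str, salt: Optional[str] = None) -> str:
    """Map a legacy (scheme, hash, salt) triple to a userPassword value.

    Raises ValueError for schemes the directory cannot verify, so those
    accounts can be flagged for an out-of-band password reset instead of
    being imported with a password nobody can bind with.
    """
    scheme = scheme.lower()
    if scheme == "crypt":
        # Passed through unchanged; which crypt(3) variants ($1$, $5$, $6$, ...)
        # the server accepts depends on the 389-ds version (assumption: check yours).
        return "{CRYPT}" + value
    if scheme == "sha1":
        digest = bytes.fromhex(value)
        if salt is None:
            return "{SHA}" + base64.b64encode(digest).decode("ascii")
        return ssha_encode(digest, salt.encode("utf-8"))
    raise ValueError(f"no LDAP storage scheme for legacy hash type {scheme!r}")


def user_to_ldif(user: Dict[str, str], base_dn: str = BASE_DN) -> str:
    """Render one legacy row as an LDIF entry.

    Deliberately no krbPrincipalKey or other krb* attributes: Kerberos keys
    cannot be derived from a hash, and migration mode fills them in when the
    user first binds with the plaintext password.
    """
    uid = user["uid"]
    lines = [
        f"dn: uid={uid},{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        f"uid: {uid}",
        f"cn: {user['cn']}",
        f"sn: {user['sn']}",
        f"uidNumber: {user['uidNumber']}",
        f"gidNumber: {user['gidNumber']}",
        f"homeDirectory: /home/{uid}",
        "userPassword: "
        + to_userpassword(user["pw_scheme"], user["pw_hash"], user.get("pw_salt")),
    ]
    return "\n".join(lines) + "\n"


# Constructed sample rows standing in for the legacy database export.
LEGACY_ROWS = [
    {"uid": "bigbob", "cn": "Big Bob", "sn": "Bob", "uidNumber": "10001",
     "gidNumber": "10001", "pw_scheme": "sha1", "pw_salt": "s4lt",
     "pw_hash": hashlib.sha1(b"hunter2" + b"s4lt").hexdigest()},
    {"uid": "alice", "cn": "Alice", "sn": "Alice", "uidNumber": "10002",
     "gidNumber": "10002", "pw_scheme": "crypt", "pw_hash": "$6$saltsalt$placeholderhash"},
]


def export_ldif(rows=LEGACY_ROWS) -> str:
    """Concatenate entries for ldapadd; unsupported hashes abort the export."""
    return "\n".join(user_to_ldif(row) for row in rows)


if __name__ == "__main__":
    print(export_ldif())
```

The output is fed to ldapadd as Directory Manager; once `userPassword` verifies on a bind, the pre-bind behaviour described in the reply above (with migration mode enabled) is what turns that bind into Kerberos keys for the entry. The `$6$...placeholderhash` value is constructed and will not verify against anything; it only shows the pass-through shape.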