[Freeipa-users] Transfer user database to FreeIPA LDAP

Dmitri Pal dpal at redhat.com
Mon Jun 25 17:51:18 UTC 2012


On 06/25/2012 12:08 PM, Joe Linoff wrote:
> Hi Simo:
>
> I really appreciate your help.
>
>>> If users authenticate by passing in a username/password combo you have various 
>>> options, in the sense you should be able to modify the cakePHP application to 
>>> recalculate a valid SHA hash and dump it into a file.
> That would be great.
>
>>> If the app db already contains a good hash that is supported by 389ds then you 
>>> can simply grab the hashes from there.
> I believe that it does. I perused the CakePHP code and found that it used this algorithm to create the password:
>
>   // PHP
>   $salt = Configure::read('Security.salt');
>   $phpPasswd = sha1( $salt . $plaintext );  // '.' is PHP string concatenation; same as Security::hash($plaintext, 'sha1', true);
>
> Here is the same algorithm in python along with an LDAP encoding using SHA. They are embedding the salt along with the password so it is not SSHA.
>
>   # python
>   import hashlib
>   from base64 import b64encode as encode  # LDAP uses standard base64 ('+' and '/'), not the urlsafe alphabet
>
>   salt = constantValueFromConfigFile()  # the value of Configure::read('Security.salt') in the CakePHP config
>
>   # SHA1 hash
>   h = hashlib.sha1(salt + plaintext)
>
>   # PHP password string
>   phpPasswd = h.hexdigest()
>
>   # LDAP password - this won't work for the userPassword field.
>   ldapPasswd = '{SHA}'+encode(h.digest())  # OpenLDAP format
>
>   # LDAP userPassword attribute format is the base64 MIME encoded version of above.
>   # This is what you see when you run a command like:
>   # ldapsearch -LLL -x -w <passwd> -D 'cn=Directory Manager' -b 'cn=user,cn=accounts,dc=example,dc=com' userpassword
>   userPasswd = encode(ldapPasswd)
>
>>> Once you have hashes you can create a script that lists users in cakePHP and for each of 
>>> them creates a new freeipa user via ipa user-add
> Ok. That sounds straightforward.
>
>>> Then you switch to migration mode and you can use another script to store the hashes you 
>>> collected in each user's userPassword field.
> That would be perfect but how do I switch to migration mode? 
>
> Can I simply bind as the "Directory Manager" and update the userPassword field using something like ldapmodify or is there a better way?
>
> Is there an example of script like this that I can look at?
>
>>> Finally change your cakePHP app to make an ldap bind to authenticate users instead 
>>> of checking its own database.
> Yup. 
>
>>> This procedure requires some advanced scripting ability, and minor segues into firing 
>>> a few ldapmodify commands with a very simple template ldif and a couple substitutions.
>>> However this is a possible solution.
> Yup, I really like it. I am going to give it a try. Should I use the ipalib/plugins/migration.py as a starting point or is there a more relevant module?
>
> Thanks,
>
> Joe
>
> -----Original Message-----
> From: Simo Sorce [mailto:simo at redhat.com] 
> Sent: Monday, June 25, 2012 6:07 AM
> To: Joe Linoff
> Cc: Mark Reynolds; freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP
>
> On Mon, 2012-06-25 at 05:57 -0700, Joe Linoff wrote:
>> Unfortunately, the problem I have is that I have the user data and the 
>> hashed password in a standalone database and I want to move it into 
>> FreeIPA without requiring the users to re-authenticate. I do not have 
>> a plaintext password and I do not have an LDAP DB. From what you and 
>> Mark have said, I need to find a way to emulate migration mode for my 
>> setup or, if possible, insert the existing hash directly in Kerberos.
>> Does that make sense?
> Not really.
> A few questions:
> - how do users authenticate to CakePHP at the moment ?
> - how are passwords stored in your current DB ?
>
> If users authenticate by passing in a username/password combo you have various options, in the sense you should be able to modify the cakePHP application to recalculate a valid SHA hash and dump it into a file.
>

Why is it needed if the same hash is already in the database?

> If the app db already contains a good hash that is supported by 389ds then you can simply grab the hashes from there.

AFAIU this is the case.

> Once you have hashes you can create a script that lists users in cakePHP and for each of them creates a new freeipa user via ipa user-add
> Then you switch to migration mode and you can use another script to store the hashes you collected in each user's userPassword field.

Please see:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#Migrating_from_a_Directory_Server_to_IPA

Specific command is

# ipa config-mod --enable-migration=TRUE



> Finally change your cakePHP app to make an ldap bind to authenticate users instead of checking its own database.

Or use PAM via SSSD. In this case the SSSD will do the trick. See the
documentation about it.

Simo are you sure simple bind is enough? I thought that it should be a
bind over SSL with some specific ext op. Do I recall it wrong?
> This procedure requires some advanced scripting ability, and minor segues into firing a few ldapmodify commands with a very simple template ldif and a couple substitutions.
>
> However this is a possible solution.
>
> Simo.
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
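Added example, not code from this thread or from FreeIPA/CakePHP: it re-encodes a CakePHP-style hex SHA-1 hash as the RFC 2307 `{SHA}` userPassword value and emits the per-user ldapmodify LDIF Simo describes, then checks the value the way a directory server does on a simple bind, which makes the app-wide salt issue visible: a `{SHA}` value matches only when sha1(bind password) equals the stored digest, so a hash of salt+password verifies only if the salt is still prepended at bind time. Assumed: the FreeIPA user DN layout `uid=...,cn=users,cn=accounts,<base>`, and constructed salt and hash values.

```python
import base64
import hashlib


def cakephp_sha1_hex(salt: bytes, plaintext: bytes) -> str:
    """Security::hash($plaintext, 'sha1', true): hex SHA-1 of the app-wide salt prepended to the password."""
    return hashlib.sha1(salt + plaintext).hexdigest()


def ldap_sha_from_hex(hex_digest: str) -> str:
    """Re-encode a hex SHA-1 digest as an RFC 2307 '{SHA}' value: standard base64 of the raw 20-byte digest."""
    return "{SHA}" + base64.b64encode(bytes.fromhex(hex_digest)).decode("ascii")


def ldap_sha_verify(stored: str, bind_password: bytes) -> bool:
    """What a directory server does for a simple bind against a '{SHA}' value: sha1(bind password) and compare."""
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} userPassword value")
    return base64.b64decode(stored[len("{SHA}"):]) == hashlib.sha1(bind_password).digest()


def ldif_replace_userpassword(dn: str, ldap_sha: str) -> str:
    """One ldapmodify record from the 'simple template ldif' with substitutions: replace userPassword on dn."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: userPassword", f"userPassword: {ldap_sha}", "", ""])


def build_migration_ldif(users: dict, base_dn: str) -> str:
    """users maps uid -> CakePHP hex hash; returns the LDIF fed to ldapmodify after ipa config-mod --enable-migration=TRUE.
    Assumed FreeIPA DN layout: uid=<uid>,cn=users,cn=accounts,<base_dn>."""
    return "".join(
        ldif_replace_userpassword(f"uid={uid},cn=users,cn=accounts,{base_dn}", ldap_sha_from_hex(hex_hash))
        for uid, hex_hash in sorted(users.items())
    )


if __name__ == "__main__":
    # Constructed sample values; a real run reads the salt from the CakePHP config and the hashes from the app DB.
    salt, password = b"constructed-salt", b"correct horse"
    app_hash = cakephp_sha1_hex(salt, password)
    stored = ldap_sha_from_hex(app_hash)
    print(build_migration_ldif({"jlinoff": app_hash}, "dc=example,dc=com"))
    # The migrated value only verifies if the salt is still prepended to what the user types at bind time.
    print("bind with password alone:", ldap_sha_verify(stored, password))        # False
    print("bind with salt+password:", ldap_sha_verify(stored, salt + password))  # True
```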
