[Freeipa-users] re-sync passwords after migration from LDAP to IPA ?

Rob Crittenden rcritten at redhat.com
Wed Jan 2 21:54:22 UTC 2013


Simo Sorce wrote:
> On Wed, 2013-01-02 at 18:36 +0100, Jan-Frode Myklebust wrote:
>> But... where do I find the LDAP passwords in IPA ? I see there's no
>> "userPassword" attribute on each user as I was expecting.., so where
>> is this hidden? And can it be compared against the SSHA from the old
>> directory ?
>
> Passwords are stored in both the userPassword attribute (SHA256 hash by
> default) and the krbPrincipalKey attribute, an opaque and encrypted object
> containing Kerberos Keys (RC4/3DES/AES keys).
> If you enabled trusts or samba integration you will also have RC4 hashes
> in the sambaNTpassword or ipaNThash attributes.
>
> None of these attributes are readable, so you will not see them. Only
> 'cn=Directory Manager' can retrieve them, because that account has super
> powers.
>
> Simo.
>

Right, so you can probably tell who has migrated and already set their 
password in IPA by looking for users with both userPassword and 
krbPrincipalKey set. If just userPassword is set then they were migrated 
but have not set their password yet.

I don't believe there is a way to re-sync just the password entry using 
migrate-ds. It will skip over users already loaded. You would have to 
either write a small sync routine yourself or delete this subset of 
users from ipa and re-migrate.

rob
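The check Rob describes, as an added example that is not part of the thread or of FreeIPA itself: it assumes the user entries were exported to LDIF as 'cn=Directory Manager' (the only account that can read these attributes), and the base DN, uids, hashes and key blobs in the sample are constructed.

```python
# Added example (not from the thread): apply Rob's rule to an LDIF export of
# the users container. Assumes the export was made by the one account that can
# read these attributes, roughly:
#   ldapsearch -x -D "cn=Directory Manager" -W -b "cn=users,cn=accounts,dc=example,dc=com" \
#     "(userPassword=*)" uid userPassword krbPrincipalKey
# Base DN, uids, hashes and key blobs below are constructed placeholders.

def parse_ldif(text):
    """Minimal LDIF reader: a blank line separates entries; returns a list of
    {attr_lowercase: [values]}. Base64 ('::') values stay encoded; only
    attribute presence matters here."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": "))
    if entry:
        entries.append(entry)
    return entries

def classify(entry):
    """'set': userPassword and krbPrincipalKey present (password set in IPA);
    'pending': userPassword only (migrated, password not yet set);
    'none': no userPassword at all."""
    has_pw, has_krb = "userpassword" in entry, "krbprincipalkey" in entry
    return "set" if has_pw and has_krb else "pending" if has_pw else "none"

def summarize(ldif_text):
    """Map each state to the sorted uids in that state."""
    summary = {"set": [], "pending": [], "none": []}
    for entry in parse_ldif(ldif_text):
        summary[classify(entry)].append(entry.get("uid", ["?"])[0])
    return {state: sorted(uids) for state, uids in summary.items()}

# Constructed sample export.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword: {SHA256}PLACEHOLDER
krbPrincipalKey:: UExBQ0VIT0xERVI=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
userPassword: {SSHA}PLACEHOLDER
"""
print(summarize(SAMPLE_LDIF))  # {'set': ['alice'], 'pending': ['bob'], 'none': []}
```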