[Freeipa-users] Migration Webpage doesnt work
Alexander Bokovoy
abokovoy at redhat.com
Thu Nov 6 09:52:12 UTC 2014
On Thu, 06 Nov 2014, Andreas Ladanyi wrote:
>Hi,
>
>i migrated user data with the ipa migrate-ds script without problems.
>The users in the old OpenLDAP doesnt have a userPasswort and only the
>kerberos principal from local KRB DB was used for authentification.
>After migration FreeIPA doesnt have a userPassword and there is no
>Kerberos hash.
>
>Know i tried out the /ipa/migration webpage and want to set a
>userPassword/Kerberos hash for a user in FreeIPA. The result was the
>error message i entered the wrong password or/and username.
>
>Now my question is what is the requirement for the migration webpage to
>work ? The documentation says that migration webpage takes a cleartext
>password and generates the kerberos hash. Does the migration page need a
>userPassword entry ?
/ipa/migration page expects that you have a password hash in
userPassword attribute set but no Kerberos hashes. It binds to LDAP
server using the password user entered on the page and then IPA's plugin
performs generation of Kerberos hashes as part of LDAP BIND operation.
>I tried out to reset the pssword of a user in the WebUI and the
>migration webpage works with this password from the manual passwort reset ?!
When you reset the password, all hashes (including Kerberos ones) are
generated and then user can change the password either through main
login page or the migration page.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list