[Freeipa-users] Migrate KRB DB hashes to IPA LDAP

Simo Sorce simo at redhat.com
Wed Oct 8 21:55:30 UTC 2014

On Wed, 08 Oct 2014 12:37:30 -0400
Dmitri Pal <dpal at redhat.com> wrote:

> On 10/08/2014 09:47 AM, Andreas Ladanyi wrote:
> > Hello,
> >
> > i have the following situation:
> >
> > OpenLDAP with user entries. No userPassword hashes are available.
> > MIT Kerberos with principals and password hashes in the KRB DB.
> >
> > I have migrated the user and group accounts via "ipa migrate-ds ..."
> > successfully.
> >
> > Now, is it possible to get out the kerberos user principal password
> > hashes from the KRB own DB to the appropriate krbPassword..... IPA
> > LDAP attribute, so the users could login without any extra user
> > action ?
> >
> > cheers,
> > Andy
> >
> >
> >
> This will be a highly manual process.
> AFAIR it has been done couple times so please search archives 2-3
> years ago. Simo was the person who provided the steps.
> You would need to not only migrate the hashes by extracting the
> fields from DB and loading them into LDAP using raw LDAP commands and
> ldif but also copy over and set the kerberos master key.
> If you are up to it and dig out the instructions we would really 
> appreciate if you can then put them on a wiki as a solution: 
> http://www.freeipa.org/page/HowTos

It can be attempted by dumping, filtering and then re-importing the KDC
The tools to look at are kdb5_util/kdb5_ldap_util depending on what kdb
database you used in the original realm.

for importing in IPA you'd have to use kdb5_util with some additional
options to prevent the driver from discarding your modify operations.

I would strongly advise you to test this in a throwaway setup because
it is likely you'll end up breaking something :-)


Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list