[Freeipa-users] Migrate KRB DB hashes to IPA LDAP
simo at redhat.com
Wed Oct 8 21:55:30 UTC 2014
On Wed, 08 Oct 2014 12:37:30 -0400
Dmitri Pal <dpal at redhat.com> wrote:
> On 10/08/2014 09:47 AM, Andreas Ladanyi wrote:
> > Hello,
> > I have the following situation:
> > OpenLDAP with user entries. No userPassword hashes are available.
> > MIT Kerberos with principals and password hashes in the KRB DB.
> > I have migrated the user and group accounts via "ipa migrate-ds ..."
> > successfully.
> > Now, is it possible to get out the kerberos user principal password
> > hashes from the KRB own DB to the appropriate krbPassword..... IPA
> > LDAP attribute, so the users could log in without any extra user
> > action?
> > cheers,
> > Andy
> This will be a highly manual process.
> AFAIR it has been done a couple of times, so please search the archives
> from 2-3 years ago. Simo was the person who provided the steps.
> You would need to not only migrate the hashes by extracting the
> fields from DB and loading them into LDAP using raw LDAP commands and
> ldif but also copy over and set the kerberos master key.
> If you are up to it and dig out the instructions we would really
> appreciate if you can then put them on a wiki as a solution:
It can be attempted by dumping, filtering and then re-importing the KDC
The tools to look at are kdb5_util/kdb5_ldap_util depending on what kdb
database you used in the original realm.
For importing into IPA you'd have to use kdb5_util with some additional
options to prevent the driver from discarding your modify operations.
I would strongly advise you to test this in a throwaway setup because
it is likely you'll end up breaking something :-)
Simo Sorce * Red Hat, Inc * New York
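The "dump, filter, re-import" step Simo describes, as an added example that is not code from this thread or from FreeIPA. It assumes (my assumption, not the thread's) that the old KDC was dumped with kdb5_util into the "kdb5_util load_dump version 6" text format, where each princ record is tab-separated and the principal name is the seventh field; the realm names and the sample dump are constructed placeholders. The filter keeps only plain user principals of the old realm and drops policy records, the master-key principal K/M, krbtgt/ and other service principals, and the old admin user (IPA already has its own admin).

```shell
#!/bin/sh
# Added example (mine, not from the thread or FreeIPA): filter a kdb5_util
# dump of the old MIT realm down to user principals before loading it into
# the IPA KDC. Assumes the "kdb5_util load_dump version 6" format, in which
# a "princ" record is tab-separated and field 7 is the principal name.

# make_sample_dump OUT: write a constructed, abbreviated dump for testing.
# Real records carry many more fields (tl_data, key_data, ...); only the
# record type and the principal name matter to the filter below.
make_sample_dump() {
    {
        printf 'kdb5_util load_dump version 6\n'
        printf 'policy\tdefault\t0\t0\t0\t0\t0\t0\t0\t0\n'
        printf 'princ\t38\t19\t1\t1\t0\tK/M@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t38\t1\t1\t0\tkrbtgt/OLD.EXAMPLE.COM@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t41\t1\t1\t0\thost/ldap.old.example.com@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t21\t1\t1\t0\tadmin@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t20\t1\t1\t0\tandy@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t21\t1\t1\t0\tcarol@OLD.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
        printf 'princ\t38\t21\t1\t1\t0\tbob@OTHER.EXAMPLE.COM\t0\t0\t0\t0\t0\t0\t0\t0\t-1;\n'
    } > "$1"
}

# filter_dump IN OUT REALM: copy the header and the princ records of plain
# user principals in REALM; drop everything the IPA realm already provides.
filter_dump() {
    in=$1; out=$2; realm=$3
    awk -F'\t' -v realm="$realm" '
        NR == 1 && /^kdb5_util load_dump version/ { print; next }
        $1 != "princ"                     { next }  # policy records etc.
        { name = $7 }
        name !~ ("@" realm "$")           { next }  # foreign realm
        name ~ /\//                       { next }  # K/M, krbtgt/, kadmin/, host/ ...
        name ~ /^admin@/                  { next }  # IPA has its own admin user
        { print }
    ' "$in" > "$out"
}

# migrate_users OLD_DUMP IPA_REALM: the surrounding procedure, for reference
# only (not exercised here; needs kdb5_util and root on the IPA server).
# The dump must already be encrypted under the IPA master key: produce it on
# the old KDC with "kdb5_util dump -mkey_convert -new_mkey_file <IPA stash>"
# so the keys are re-encrypted before they leave the old realm. The extra
# load options Simo mentions for the IPA driver are not spelled out in the
# thread; check the list archives before running the load step.
migrate_users() {
    filter_dump "$1" /root/users.dump "$2"
    kdb5_util load -update /root/users.dump
}
```

Two caveats a practitioner will hit: the dump holds principal keys encrypted under the old master key, not password hashes, so the target KDC must share that master key or the dump must be re-encrypted first (the -mkey_convert route above), and the keys are salted with the principal name, so the principals cannot be renamed to a different realm without the users resetting their passwords. Test the whole thing on a throwaway IPA install, as Simo advises.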