[Freeipa-users] migrating just pws?

Rob Crittenden rcritten at redhat.com
Mon Sep 15 16:56:38 UTC 2014


Nordgren, Bryce L -FS wrote:
> You can bring over password hashes for LDAP, but not Kerberos...provided your 389-ds is new enough to have a recently added configuration switch. If your system is in "migration mode", then authenticating via LDAP creates Kerberos hashes transparently.
>
> If you're running 4.0.x, see here for some details: https://fedorahosted.org/freeipa/ticket/4450

In his case the users already exist so they'll be skipped over if you 
re-migrate.

We sort of rely on the behavior of LDAP/389-ds when migrating users and 
passwords: on an add the password policy is not examined. Other than 
that it is difficult to insert a pre-hashed password, even in migration 
mode.

You may be able to do it as Directory Manager. That's where I'd start 
anyway.

rob

>
> Bryce
>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
>> bounces at redhat.com] On Behalf Of Kat
>> Sent: Sunday, September 14, 2014 3:34 PM
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] migrting just pws?
>>
>> Trying to figure out a way to migrate just the user PWs - since all the users
>> were created with a script in the new layout, but I want to bring over their
>> old PWs,  hashed of course, to the new IPA server.
>>
>> Just thought I would check to see if anyone has tried to do that before?
>>
>> ~k