[Freeipa-users] Migration to FreeIPA 2 - password update via LDAP

Simo Sorce simo at redhat.com
Fri Sep 9 01:20:32 UTC 2011


On Thu, 2011-09-08 at 17:29 -0400, Dan Scott wrote:
> Hi,
> 
> On Wed, Sep 7, 2011 at 14:59, Dmitri Pal <dpal at redhat.com> wrote:
> > On 09/07/2011 02:45 PM, Dan Scott wrote:
> >> I have a FreeIPA 1 system which is being migrated to FreeIPA 2. After
> >> migration, the script says:
> >>
> >> "Passwords have been migrated in pre-hashed format.
> >> IPA is unable to generate Kerberos keys unless provided
> >> with clear text passwords. All migrated users need to
> >> login at https://your.domain/ipa/migration/ before they
> >> can use their Kerberos accounts."
> >>
> >> I have some users who are authenticated via LDAP. Also I have a Java
> >> application which allows them to change their password using LDAP.
> >> Will existing passwords continue to work when using LDAP
> >> authentication/password changes? It is only Kerberos authentication
> >> which requires users to re-login on this special page?
> >>
> >
> > If you update the password via LDAP using bind over SSL so that server
> > has the password in clear the new Kerberos hashes will be generated
> > automatically and kerberos will become usable for these users once again.
> >
> > Also SSSD has a nice feature to migrate user passwords. Read more about
> > it in the SSSD docs.
> 
> Excellent, thanks for the response. The LDAP bind must be over SSL,
> correct? When not using SSL, I get:
> 
> "javax.security.auth.login.LoginException:
> javax.security.auth.login.LoginException: LDAP bind failed for
> uid=djscott,cn=users,cn=compat,dc=..."
> 
> When using LDAPS, I get:
> 
> "Exception in LdapRealm when trying to authenticate user.
> javax.security.auth.login.LoginException:
> javax.naming.CommunicationException: anonymous bind failed:
> kelvin.example.com:636 [Root exception is
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target]"
> 
> So I guess I need to add a FreeIPA certificate into my Glassfish
> keystore. Does this sound right? Should I create a certificate for my
> service?:
> 
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/managing-services.html#request-service-service
> 
> Or should I be adding the CA of my FreeIPA installation?

You need to add and trust the FreeIPA CA certificate to your glassfish
CA cert store.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
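The two steps this thread arrives at, an LDAP bind over TLS so the server sees the clear-text password, and a client that trusts the FreeIPA CA rather than a per-service certificate, can be scripted. The helpers below are an added example, not code from this thread or from FreeIPA or Glassfish. They assume the IPA CA is available as a PEM file (an enrolled IPA client keeps a copy at /etc/ipa/ca.crt), that Glassfish reads the stock domain truststore `domains/domain1/config/cacerts.jks`, and that the truststore password is the Java default `changeit`; the alias `ipa-ca` is an arbitrary label chosen here.

```sh
#!/bin/sh
# Added example: trust the FreeIPA CA in the Java truststore Glassfish uses,
# then confirm an LDAPS endpoint validates against that CA alone.
# Assumed paths (adjust to your installation):
#   IPA CA PEM:        /etc/ipa/ca.crt            (copy present on enrolled clients)
#   Glassfish store:   $GLASSFISH_HOME/glassfish/domains/domain1/config/cacerts.jks
#   Store password:    changeit                   (Java default, change it in production)

# import_ca <ca.pem> <truststore> [alias] [storepass]
# Adds the CA as a trusted certificate entry. Safe to re-run: returns 0
# without touching the store if the alias is already present.
import_ca() {
    ca_pem=$1
    store=$2
    alias=${3:-ipa-ca}
    pass=${4:-changeit}
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        return 0
    fi
    # -trustcacerts + -noprompt: import as a trusted CA without the interactive
    # "Trust this certificate?" question. keytool creates the store if absent.
    keytool -importcert -noprompt -trustcacerts \
        -file "$ca_pem" -keystore "$store" -storepass "$pass" -alias "$alias"
}

# has_alias <truststore> <alias> <storepass>
# Returns 0 when the alias exists in the store, non-zero otherwise.
has_alias() {
    keytool -list -keystore "$1" -storepass "$3" -alias "$2" >/dev/null 2>&1
}

# verify_ldaps <host> <ca.pem>
# Performs only the TLS handshake against port 636 and succeeds when the
# server chain validates using the given CA file as the sole trust anchor.
# This is the same check the Java client makes when it reports
# "unable to find valid certification path to requested target".
verify_ldaps() {
    printf 'Q\n' | openssl s_client -connect "$1:636" -CAfile "$2" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Typical use on the Glassfish host (paths are the assumptions listed above):
#   import_ca /etc/ipa/ca.crt \
#       "$GLASSFISH_HOME/glassfish/domains/domain1/config/cacerts.jks" ipa-ca changeit
#   verify_ldaps kelvin.example.com /etc/ipa/ca.crt && echo "LDAPS chain validates"
```

Importing the CA rather than the server's own certificate means every IPA replica's LDAPS certificate validates without further keystore changes, and a renewed server certificate does not break the application. Restart the Glassfish domain after the import so the JVM re-reads the truststore.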
