[Freeipa-users] Transfer user database to FreeIPA LDAP

Joe Linoff jlinoff at tabula.com
Mon Jun 25 12:57:13 UTC 2012


Hi Simo:

> Normally this is not actually allowed, the reason is that kerberos needs keys generated, 
> and can't work with the userPassword hash, so we prevent storing any hash in userPassword 
> and reject any attempt that does not involve a clear text password.

That makes sense. Thank you for clearing that up.

> However if you enable the migration mode we do allow to set the hash, what we expect then 
> is to have either users or some application to authenticate via an ldap bind that sends a 
> clear text password. While in migration mode, a bind will check if the password is valid, 
> and if it is it will generate the kerberos keys out of it.

That also makes sense and it is a great way to transfer users from an existing LDAP to FreeIPA.

Unfortunately, the problem I have is that I have the user data and the hashed password in a standalone database and I want to move it into FreeIPA without requiring the users to re-authenticate. I do not have a plaintext password and I do not have an LDAP DB. From what you and Mark have said, I need to find a way to emulate migration mode for my setup or, if possible, insert the existing hash directly in Kerberos. Does that make sense?

Regards,

Joe

-----Original Message-----
From: Simo Sorce [mailto:simo at redhat.com] 
Sent: Monday, June 25, 2012 4:50 AM
To: Mark Reynolds
Cc: Joe Linoff; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

On Sun, 2012-06-24 at 15:49 -0400, Mark Reynolds wrote:
> Hi Joe,
> 
> I'm not really an IPA guy, but IPA uses 389 directory server as its 
> backend.  You would need to convert your DB entries to LDAP 
> entries, but 389 supports your password type, so it should not be a 
> problem if you copy & paste the password hashes.  LDAP expects the 
> password to be something like:
> 
> userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==
> Mark

Normally this is not actually allowed, the reason is that kerberos needs keys generated, and can't work with the userPassword hash, so we prevent storing any hash in userPassword and reject any attempt that does not involve a clear text password.

However if you enable the migration mode we do allow to set the hash, what we expect then is to have either users or some application to authenticate via an ldap bind that sends a clear text password. While in migration mode, a bind will check if the password is valid, and if it is it will generate the kerberos keys out of it.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
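An added example to illustrate the two steps Simo describes for migration mode (enabled on a server with `ipa config-mod --enable-migration=TRUE`): the server checks the bind's clear-text password against the stored userPassword hash, and only then derives Kerberos keys from that clear text. This is stand-alone simulation code written for this note, not FreeIPA or 389 Directory Server code. The SSHA format is the one in Mark's example (base64 of sha1(password + salt) followed by the salt); the user entry, its salt and password, and the helper names `migration_bind` and `derived_key_hex` are assumptions for illustration. The key derivation stops at the PBKDF2 stage of RFC 3962 (salt = realm + principal, 4096 iterations), which is enough to show that the hash alone can never be the input.

```python
"""Simulation of a FreeIPA migration-mode bind (added example, not IPA code).

Step 1: compare the bind's clear-text password with the {SSHA} hash that
        migration mode allowed into userPassword.
Step 2: on success, run Kerberos string-to-key over the clear text.
Neither step can be performed from the hash alone, which is why a plain
copy of the hashes never yields usable Kerberos keys.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # bytes of SHA-1 digest that precede the salt in an {SSHA} value


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build a 389 DS style value: {SSHA}base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """True only if `password` matches the {SSHA} value in `stored`.

    Foreign schemes, bad base64 and truncated values all count as a failed
    bind instead of raising, which is how a bind handler should treat bad data.
    """
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= SHA1_LEN:
        return False
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def kerberos_aes_string_to_key(password: str, realm: str, principal: str,
                               iterations: int = 4096, keylen: int = 16) -> bytes:
    """First stage of RFC 3962 string-to-key for aes128-cts-hmac-sha1-96:
    PBKDF2-HMAC-SHA1 over the clear-text password, salt = realm + principal.

    RFC 3962 then applies DK(tkey, "kerberos") with AES; that final step is
    omitted here (it needs an AES implementation), so the intermediate `tkey`
    is returned.  The only secret input is the clear-text password.
    """
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, keylen)


def migration_bind(entry: dict, password: str, realm: str) -> Optional[dict]:
    """Simulate one migration-mode bind against a constructed user entry.

    Returns the entry extended with derived key material on success, None on
    a failed bind.  `derived_key_hex` is a hypothetical field name; the real
    server stores keys in its own krbPrincipalKey encoding.
    """
    stored = entry.get("userPassword")
    if stored is None or not verify_ssha(stored, password):
        return None
    updated = dict(entry)
    updated["derived_key_hex"] = kerberos_aes_string_to_key(
        password, realm, entry["uid"]).hex()
    return updated


# Constructed sample: a user whose record arrived with only an {SSHA} hash
# (salt and password are made up for this demo).
SAMPLE_ENTRY = {
    "uid": "jdoe",
    "userPassword": make_ssha("Tr0ub4dor&3",
                              salt=b"\x13\x37\xca\xfe\xba\xbe\x00\x01"),
}

if __name__ == "__main__":
    good = migration_bind(SAMPLE_ENTRY, "Tr0ub4dor&3", "EXAMPLE.COM")
    bad = migration_bind(SAMPLE_ENTRY, "wrong-password", "EXAMPLE.COM")
    print("correct clear text -> keys derived:", good is not None)
    print("wrong clear text   -> keys derived:", bad is not None)
```

The point of the simulation for Joe's situation: `migration_bind` has no code path that gets from `userPassword` to `derived_key_hex` without the clear text, because SHA-1 cannot be inverted and string-to-key takes the password, not its digest. Loading the hashes is fine under migration mode, but each user still has to bind once with the real password before a Kerberos principal key exists.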