On Fri, May 22, 2020 at 04:36:15PM +0200, Pierre Ossman via FreeIPA-users wrote:
On 22/05/2020 16:20, Pierre Ossman via FreeIPA-users wrote:
> Hi,
>
> We're in the process of migrating from an OpenLDAP server to FreeIPA. As
> such the issue of password migration of course shows up. Unfortunately
> the automatic migration in sssd is not working and we could use some
> help.
>
Managed to find it on my own in this thread:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
TL;DR: migration mode needs to be enabled on the IPA server
It isn't 100% clear what other effects this has though. What risks are we
exposing ourselves to in this mode? How much of a rush should we be in to
get everyone migrated?
Hi,
yes, migration mode has to be enabled until all users have logged in
once.
If the migration mode is enabled SSSD will try LDAP authentication if
Kerberos authentication fails with specific errors. During the LDAP bind
the user password is sent in clear text in a TLS tunnel. So it cannot be
read from the network, but the IPA server now knows the clear text
password and can generate the needed Kerberos keys with the help of the
clear text password after the LDAP bind was successful. Since the
Kerberos keys are stored in the directory server as well, a directory
server plugin is handling this if migration mode is enabled. After the
Kerberos keys are set for the given user, the next time the user logs
in Kerberos authentication is used.
HTH
bye,
Sumit
Regards
--
Pierre Ossman           Software Development
Cendio AB               https://cendio.com
Teknikringen 8          https://twitter.com/ThinLinc
583 30 Linköping        https://facebook.com/ThinLinc
Phone: +46-13-214600
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
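The practical follow-up to Sumit's explanation is knowing when migration mode can be switched off again: it is only needed until every user has done one successful LDAP bind and so has Kerberos keys. The script below is an added example written for this page, not code from the thread or from the FreeIPA project. It wraps the real `ipa config-mod --enable-migration=TRUE|FALSE` and `ipa config-show` commands and lists users whose entries still have no krbPrincipalKey. Assumptions: an admin Kerberos ticket for the `ipa` calls, Directory Manager credentials for the `ldapsearch` (krbPrincipalKey is not readable by ordinary principals, so a search filter on it bound as a normal user would treat every user as keyless), `dc=example,dc=com` as a placeholder base DN, and that `ipa config-show` prints the setting with the label "Enable migration mode". The two parsing functions take constructed command output on stdin so they can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): helpers to turn
# migration mode on, see which users still lack Kerberos keys, and
# turn it off once nobody is left.
# Assumptions: `kinit admin` done for the ipa commands; Directory
# Manager password available for ldapsearch; BASEDN is a placeholder.

BASEDN="${BASEDN:-dc=example,dc=com}"

# Enable / disable migration mode on the IPA server.
migration_mode_enable()  { ipa config-mod --enable-migration=TRUE; }
migration_mode_disable() { ipa config-mod --enable-migration=FALSE; }

# Pure parser: read `ipa config-show` output on stdin, print TRUE or FALSE.
# Prints FALSE when the label is absent (treat "unknown" as "off").
migration_mode_from_config() {
  awk -F': ' '
    /^ *Enable migration mode:/ { print $2; found = 1 }
    END { if (!found) print "FALSE" }
  '
}

# Current server setting.
migration_mode_status() { ipa config-show | migration_mode_from_config; }

# Pure parser: read LDIF user entries on stdin, print the uid of every
# entry that carries no krbPrincipalKey, i.e. a user who has not yet
# authenticated once through the migration path. Matches both
# "krbPrincipalKey:" and the base64 form "krbPrincipalKey::".
unmigrated_uids_from_ldif() {
  awk '
    /^dn: / {
      if (dn != "" && !haskey && uid != "") print uid
      dn = $0; haskey = 0; uid = ""
    }
    /^uid: /            { uid = $2 }
    /^krbPrincipalKey:/ { haskey = 1 }
    END { if (dn != "" && !haskey && uid != "") print uid }
  '
}

# Live query: ask the directory for users without Kerberos keys.
# Bound as Directory Manager on purpose (see the ACI caveat above).
unmigrated_users() {
  ldapsearch -LLL -o ldif-wrap=no -x -D "cn=Directory Manager" -W \
    -b "cn=users,cn=accounts,$BASEDN" \
    '(&(objectClass=krbprincipalaux)(!(krbPrincipalKey=*)))' uid krbPrincipalKey \
    | unmigrated_uids_from_ldif
}

# Convenience: number of users still waiting on migration.
unmigrated_count() { unmigrated_users | wc -l | tr -d ' '; }
```

Typical use is `migration_mode_enable` once, then `unmigrated_count` from time to time (or a cron job that mails the list from `unmigrated_users`), and `migration_mode_disable` when the count reaches zero. Accounts that never log in (service accounts, departed staff) will keep the count above zero forever, so either reset their passwords through IPA, which sets keys directly, or disable them before using the count as the switch-off criterion.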