Hi
I'm using migration mode (ipa config-mod --enable-migration=true) to help migrate from one FreeIPA instance to another.
I wasn't able to find any docs on what enabling migration mode actually does, exactly.
Can anyone supply details please?
Thanks.
Roderick Johnstone
On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
Migration mode allows adding an entry with a pre-hashed password.
When this mode is disabled, this operation would be refused because IPA needs a clear-text password in order to run password policy checks and generate Kerberos keys.
HTH, Flo
On 09/03/2018 09:13, Florence Blanc-Renaud wrote:
Hi Flo
So, why wouldn't you want to have that enabled all the time?
I.e., are there any other consequences of having this enabled?
Thanks.
Roderick
On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote:
When migration mode is enabled, the LDAP server accepts a password modification using a pre-hashed value (the userPassword attribute of the user entry). As the value is not clear-text, it is not possible to run password policy checks (for instance, does it contain enough characters, was it already in the password history...) => not as secure as the sysadmin intended.
The second issue is that the Kerberos keys (stored in the krbprincipalkey attribute of the user entry) cannot be generated from a hash value; the algorithm needs a clear value. As a consequence, Kerberos authentication would not succeed because it is based on krbprincipalkey.
This is why the migration procedure requires instructing users to log in to the migration web page, so that they enter a new password that will re-generate their Kerberos keys (see step 10 in [1]).
Hope this clarifies, Flo
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
Florence Blanc-Renaud via FreeIPA-users wrote:
SSSD also checks this value and will authenticate over LDAP, then set the Kerberos credentials. This is similar in practice to using the web page but without requiring user intervention. Without this flag enabled, having only an LDAP password will fail authentication.
rob
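An added example, not code from the thread or from FreeIPA itself: an offline audit over an LDIF-style export that flags accounts still in the state Flo describes (a userPassword hash but no krbPrincipalKey, so an LDAP bind works while Kerberos does not) and reports whether ipaMigrationEnabled, the cn=ipaConfig attribute that --enable-migration toggles, is still TRUE once nobody is pending. The export, DNs and hashes below are constructed.

```python
import base64

# Constructed sample export (not real data); binary krbPrincipalKey is base64 after '::'.
SAMPLE_LDIF = """\
dn: cn=ipaConfig,cn=etc,dc=example,dc=test
ipaMigrationEnabled: TRUE

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
userPassword: {SSHA}constructedhash1
krbPrincipalKey:: AAAAAQ==

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
uid: bob
userPassword: {SSHA}constructedhash2
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attr_lowercase: [values]} dicts (no folded lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip())
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries

def migration_enabled(entries):
    """True while cn=ipaConfig carries ipaMigrationEnabled: TRUE."""
    return any(e.get("ipamigrationenabled", ["FALSE"])[0].upper() == "TRUE" for e in entries)

def pending_migration(entries):
    """uids with a userPassword hash but no krbPrincipalKey: LDAP bind works, kinit fails."""
    return sorted(e["uid"][0] for e in entries
                  if "uid" in e and "userpassword" in e and "krbprincipalkey" not in e)

def audit(text):
    entries = parse_ldif(text)
    pending = pending_migration(entries)
    enabled = migration_enabled(entries)
    return {"enabled": enabled, "pending": pending, "safe_to_disable": enabled and not pending}
```

Against a live directory the same test (userPassword present, krbPrincipalKey absent) ordinarily needs a privileged bind, since krbPrincipalKey is not readable by regular users.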