Hi Mark:

I did not find any entries related to passwords in the LDAP record. There were some entries that looked as though they were related to Kerberos which might be useful.

    % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
    krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
    krbPrincipalName: [email protected]
    krbLastPwdChange: 20120530170153Z
    krbPasswordExpiration: 20120828170153Z
    krbExtraData:: AAgBAA==
    krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
    krbLastSuccessfulAuth: 20120621180658Z
    krbLastFailedAuth: 20120620013218Z
    krbLoginFailedCount: 0

Unfortunately, I am new to IPA so I don't yet understand the internals for password management. Can you suggest any documentation I can read? I am fairly familiar with LDAP and Kerberos.

Thanks,
Joe

From: Joe Linoff
Sent: Sunday, June 24, 2012 2:43 PM
To: Mark Reynolds
Cc: [email protected]; Joe Linoff
Subject: RE: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Mark:

Thank you, that is really helpful.

Regards,
Joe

From: Mark Reynolds [mailto:[email protected]]
Sent: Sunday, June 24, 2012 12:49 PM
To: Joe Linoff
Cc: [email protected]
Subject: Re: [Freeipa-users] Transfer user database to FreeIPA LDAP

Hi Joe,

I'm not really an IPA guy, but IPA uses 389 directory server as its backend. You would need to convert your DB entries to LDAP entries, but 389 supports your password type, so it should not be a problem if you copy & paste the password hashes. LDAP expects the password to be something like:

    userpassword: {SSHA}cchzM+LrPCvbZdthOC8e62d4h7a4CfoNvl6d/w==

Mark

On 06/24/2012 02:30 PM, Joe Linoff wrote:

Hi Everybody:

We have a legacy web based application (CakePHP) that stores user data in a DB and I would like to transfer that information to a FreeIPA Identity Management Server without requiring the users to re-enter their passwords (if possible). How would I do that?

I know that the DB stores the password as a SHA-1 hash with a salt. I was hoping that there was a way for the administrator to directly copy the SHA-1 password hash from the DB into the Free-IPA LDAP for the user but I don't even know if that is a reasonable expectation.

Any help would be greatly appreciated.

Thanks,
Joe

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users

--
Mark Reynolds
Senior Software Engineer
Red Hat, Inc
[email protected]
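Added example, not part of the original thread and not FreeIPA or 389 code: a sketch of wrapping an existing salted SHA-1 digest as an {SSHA} userPassword value and checking it the way a directory server would. It assumes the usual {SSHA} layout, base64(SHA1(password + salt) + salt); the function names, salt and password are constructed for illustration. A copied hash only verifies if the legacy application appended the salt to the password before hashing.

```python
import base64
import hashlib
import hmac

PREFIX = "{SSHA}"

def to_ssha(digest_hex, salt):
    """Wrap an existing salted SHA-1 digest as an LDAP {SSHA} value.

    Only meaningful if the legacy hash was SHA1(password + salt).
    """
    digest = bytes.fromhex(digest_hex)
    if len(digest) != 20:
        raise ValueError("a SHA-1 digest is exactly 20 bytes")
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def split_ssha(value):
    """Return (digest, salt) from a {SSHA} userPassword value."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) <= 20:
        raise ValueError("no salt after the 20-byte digest")
    return raw[:20], raw[20:]

def check_ssha(value, password):
    """Verify a password against a {SSHA} value (salt appended)."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password + salt).digest()
    return hmac.compare_digest(candidate, digest)

# Constructed sample data standing in for one row of the legacy DB.
SALT = b"legacy-salt"
PASSWORD = b"correct horse"
APPENDED_HEX = hashlib.sha1(PASSWORD + SALT).hexdigest()   # SHA1(pw + salt)
PREPENDED_HEX = hashlib.sha1(SALT + PASSWORD).hexdigest()  # SHA1(salt + pw)

def demo():
    """Salt-appended hashes migrate cleanly; salt-prepended ones do not."""
    ok = check_ssha(to_ssha(APPENDED_HEX, SALT), PASSWORD)
    bad = check_ssha(to_ssha(PREPENDED_HEX, SALT), PASSWORD)
    return ok, bad

if __name__ == "__main__":
    print(demo())
```

Running check_ssha against a test account with a known password before bulk-loading the converted values shows whether the legacy salt ordering is compatible.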
