On Sun, 2012-06-24 at 15:10 -0700, Joe Linoff wrote:
> Hi Mark:
>
> I did not find any entries related to passwords in the LDAP record.
> There were some entries that looked as though they were related to
> Kerberos which might be useful.
>
> % ldapsearch -LLL -x -b "uid=bigbob,cn=users,cn=accounts,dc=example,dc=com" | grep ^krb
> krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=sw,dc=
> krbPrincipalName: [email protected]
> krbLastPwdChange: 20120530170153Z
> krbPasswordExpiration: 20120828170153Z
> krbExtraData:: AAgBAA==
> krbExtraData:: AAKBUsZPc3Nob3J0QFNXLlRBQlVMQS5DT00A
> krbLastSuccessfulAuth: 20120621180658Z
> krbLastFailedAuth: 20120620013218Z
> krbLoginFailedCount: 0
>
> Unfortunately, I am new to IPA so I don’t yet understand the internals
> for password management. Can you suggest any documentation I can read?
> I am fairly familiar with LDAP and Kerberos.

You do not need to populate the Kerberos password fields directly. Once you migrate your DB users to LDAP, if you enable IPA's "migration mode" (see the docs on how), the next time a user binds to LDAP using their existing password, a pre-bind plugin on FreeIPA will catch the plaintext password and use it to populate the Kerberos password fields automatically.
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
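
An added example, not part of the original thread: one way to track which migrated accounts still have to bind to LDAP before Kerberos keys exist for them. It parses `ldapsearch -LLL` style output (folded lines and base64 `::` values included) and classifies each entry. The attribute names `userPassword` and `krbPrincipalKey` do not appear in the messages above, and the sketch assumes the export was made with a bind privileged enough to read them; the sample entries are constructed.

```python
import base64

# Constructed sample export; uids, DNs and the dummy base64 values are invented.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9ZHVtbXk=
krbPrincipalKey:: ZHVtbXkta2V5

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
userPassword:: e1NTSEF9ZHVtbXk=
krbPwdPolicyReference: cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=exampl
 e,dc=com

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Return a list of {attr_lowercase: [bytes, ...]} dicts, one per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, rest = line.partition(":")
        b64 = rest.startswith(":")          # "attr:: value" carries base64
        value = base64.b64decode(rest[1:].strip()) if b64 else rest.strip().encode()
        cur.setdefault(attr.lower(), []).append(value)
    return entries

def migration_status(entries):
    """Map uid -> state from which credential attributes are present."""
    status = {}
    for e in entries:
        state = ("kerberos-ready" if "krbprincipalkey" in e
                 else "needs-ldap-bind" if "userpassword" in e  # keys appear on next bind
                 else "no-credentials")
        status[e["uid"][0].decode()] = state
    return status
```

Calling `migration_status(parse_ldif(SAMPLE_LDIF))` gives a per-user view of who still needs to authenticate once while migration mode is enabled.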
