On Wed, 08 Oct 2014 12:37:30 -0400 Dmitri Pal <[email protected]> wrote:
> On 10/08/2014 09:47 AM, Andreas Ladanyi wrote:
> > Hello,
> >
> > I have the following situation:
> >
> > OpenLDAP with user entries. No userPassword hashes are available.
> > MIT Kerberos with principals and password hashes in the KRB DB.
> >
> > I have migrated the user and group accounts via "ipa migrate-ds ..."
> > successfully.
> >
> > Now, is it possible to get out the kerberos user principal password
> > hashes from the KRB own DB to the appropriate krbPassword..... IPA
> > LDAP attribute, so the users could log in without any extra user
> > action?
> >
> > cheers,
> > Andy
> >
> This will be a highly manual process.
> AFAIR it has been done a couple of times so please search archives 2-3
> years ago. Simo was the person who provided the steps.
>
> You would need to not only migrate the hashes by extracting the
> fields from DB and loading them into LDAP using raw LDAP commands and
> ldif but also copy over and set the kerberos master key.
> If you are up to it and dig out the instructions we would really
> appreciate if you can then put them on a wiki as a solution:
> http://www.freeipa.org/page/HowTos

It can be attempted by dumping, filtering and then re-importing the KDC database.

The tools to look at are kdb5_util/kdb5_ldap_util depending on what kdb database you used in the original realm.

For importing in IPA you'd have to use kdb5_util with some additional options to prevent the driver from discarding your modify operations.

I would strongly advise you to test this in a throwaway setup because it is likely you'll end up breaking something :-)

Simo.

--
Simo Sorce * Red Hat, Inc * New York
