
We want to set up FreeIPA to work with our legacy user management system. We can output an LDIF file, alter it into a FreeIPA-compatible format and import it. Everything works nicely except for the hashed passwords: our LDIF file includes the password pre-hashed, but when I import it with the account it does not work.

The imported users can connect to the Linux servers they have been given permission for with their SSH key, but they cannot use passwords. I even manually altered the password with a SHA512 hash and tested it, but it didn't work.

The admin user has been given the permission to change user passwords but not to expire them as part of the migration process (a dedicated user will be set up later).

Is there a way to import hashed passwords or migrate them from another LDAP directory into FreeIPA?

Alternatively, can I edit the user record with ldapmodify and add the hashed password?

1 Answer

If you have pre-hashed passwords in the entries but don't have Kerberos keys for these accounts, you should switch FreeIPA into migration mode. SSSD on IPA clients will then notice this and will use an LDAP bind instead of Kerberos to perform user authentication the first time the user logs in. This will cause the server to regenerate the password hashes server-side and generate Kerberos keys for the user principal.

For more details see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrating-from-an-ldap-directory-to-idm_migrating-to-idm-from-external-sources#planning-password-migration-when-migrating-from-ldap-to-idm_migrating-from-an-ldap-directory-to-idm

abbra
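The migration-mode switch described in the answer, as an added example that is not part of the original post or of FreeIPA's own tooling: a small POSIX shell script that reads the current setting from `ipa config-show`, enables migration mode only when it is off (an unchanged `ipa config-mod` is rejected with "no modifications to be performed"), and reminds you to turn it off again once every migrated user has logged in once. It assumes it is run on an IPA server with a valid admin ticket (`kinit admin`); the sample `config-show` output lines are constructed so the parsing function can be checked offline.

```shell
#!/bin/sh
# Added example (not from the original post): put FreeIPA into migration mode
# so that the first LDAP-bind login of a migrated user regenerates the password
# hash and Kerberos keys server-side. Assumes an IPA server and `kinit admin`.

# Return 0 when the given `ipa config-show` output reports migration mode on.
# The output is passed in as an argument so the check can run without an IPA server.
migration_mode_enabled() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*Enable migration mode:[[:space:]]*TRUE[[:space:]]*$'
}

# Constructed samples of the relevant line as printed by `ipa config-show`.
SAMPLE_OFF='  Enable migration mode: FALSE'
SAMPLE_ON='  Enable migration mode: TRUE'

# Only touch the real server when the ipa CLI is actually present.
if command -v ipa >/dev/null 2>&1; then
    current=$(ipa config-show)
    if migration_mode_enabled "$current"; then
        echo "migration mode already enabled"
    else
        # SSSD on IPA clients will now fall back to an LDAP simple bind for
        # users that have a userPassword but no Kerberos keys yet.
        ipa config-mod --enable-migration=TRUE
    fi
    # Once all migrated users have logged in once, switch it back off:
    #   ipa config-mod --enable-migration=FALSE
fi
```

Leaving migration mode on permanently keeps the LDAP-bind fallback available for every account that lacks Kerberos keys, so disable it as soon as the migration is complete.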