On 03/09/2018 10:26 AM, Roderick Johnstone via FreeIPA-users wrote:
On 09/03/2018 09:13, Florence Blanc-Renaud wrote:
On 03/09/2018 09:41 AM, Roderick Johnstone via FreeIPA-users wrote:
Hi

I'm using migration mode (ipa config-mod --enable-migration=true) to help migrate from one freeipa instance to another.

I wasn't able to find any docs on what enabling migration mode actually does, exactly.

Can anyone supply details please?

Thanks.

Roderick Johnstone
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Hi,

the migration mode allows adding an entry with a pre-hashed password.

When this mode is disabled, this operation would be refused because IPA needs a clear-text password in order to run password policy checks and generate Kerberos keys.

HTH,
Flo

Hi Flo

So, why wouldn't you want to have that enabled all the time?

i.e. are there any other consequences of having this enabled?


When migration mode is enabled, the LDAP server accepts modifying a password using a pre-hashed value (the userPassword attribute of the user entry). As the value is not clear-text, it is not possible to run password policy checks (for instance, does it contain enough characters, was it already in the password history...) => not as secure as the sysadmin intended.

The second issue is that the Kerberos keys (stored in the krbprincipalkey attribute of the user entry) cannot be generated from a hash value; the algorithm needs a clear value. As a consequence, Kerberos authentication would not succeed because it is based on krbprincipalkey.

This is why the migration procedure requires instructing users to log in to the migration web page, so that they enter a new password that will re-generate their Kerberos keys (see step 10 in [1]).

Hope this clarifies,
Flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/mig-ldap-to-idm
Thanks.

Roderick
