Thank you Alexander.
If the previous password is not used, I could set an impossible-hash
password (such as "{crypt}*") and let users login authenticating trhough
PAM?
Or I could put the "user-add" in the pam_exec script (but only if the
user does not already exists).
I'll test both ways.
Nicola
Il 09/07/15 14:44, Alexander Bokovoy ha scritto:
On Thu, 09 Jul 2015, Nicola Canepa wrote:
OK, I'm sorry for the little information provided: I can't do
migrate-ds, since I'm not coming from a "DS" (which can only be
another LDAP server, I guess).
The only thing I can expect is that users will login to one of the
applicazions which I put under FreeIPA authentication.
So I mixed the "NIS migration" documentation (maintaining passwords)
with the "migration mode", hoping it was what I was looking for.
If you did create your users the same way as proposed with NIS
migration, then they wouldn't be different from what would have happened
with 'ipa migrate-ds'. End result, you have user entries in LDAP with
passwords set to their hashes in the previous system and no Kerberos
attributes.
Is there a way so that users are created in FreeIPA once they login in
this way?
*You* need to create them.
http://www.freeipa.org/page/NIS_accounts_migration_preserving_Passwords
walks you through that:
--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8--->8
From your export file, import the users into IPA using the admin tools
and set the original hashed password:
# ipa user-add [username] --setattr userpassword={crypt}yourencryptedpass
---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---8<---
--
Nicola Canepa
Tel: +39-0522-399-3474
canep...@mmfg.it
---
Il contenuto della presente comunicazione è riservato e destinato
esclusivamente ai destinatari indicati. Nel caso in cui sia ricevuto da persona
diversa dal destinatario sono proibite la diffusione, la distribuzione e la
copia. Nel caso riceveste la presente per errore, Vi preghiamo di informarci e
di distruggerlo e/o cancellarlo dal Vostro computer, senza utilizzare i dati
contenuti. La presente comunicazione (comprensiva dei documenti allegati) non
avrà valore di proposta contrattuale e/o accettazione di proposte provenienti
dal destinatario, nè rinuncia o riconoscimento di diritti, debiti e/o crediti,
nè sarà impegnativa, qualora non sia sottoscritto successivo accordo da chi può
validamente obbligarci. Non deriverà alcuna responsabilità precontrattuale a
ns. carico, se la presente non sia seguita da contratto sottoscritto dalle
parti.
The content of the above communication is strictly confidential and reserved
solely for the referred addressees. In the event of receipt by persons
different from the addressee, copying, alteration and distribution are
forbidden. If received by mistake we ask you to inform us and to destroy and/or
delete from your computer without using the data herein contained. The present
message (eventual annexes inclusive) shall not be considered a contractual
proposal and/or acceptance of offer from the addressee, nor waiver recognizance
of rights, debts and/or credits, nor shall it be binding when not executed as
a subsequent agreement by persons who could lawfully represent us. No
pre-contractual liability shall apply to us when the present communication is
not followed by any binding agreement between the parties.
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
