[Freeipa-users] Does FreeIPA support SHA or SSHA for password encryption

2014-08-13 Thread Chris Whittle
We are looking at ONELogin as well as OKTA for our SSO to work with
FreeIPA.

The way they integrate with LDAP is a little different.

The question I have is how does FreeIPA support SHA or SSHA for password
encryption?

*From One Login's help doc on LDAP*

*--password-crypt:* Defines the cryptographic method used to store new
passwords to your Ldap Server when a user changes his password on the
OneLogin Web UI. Currently only SHA and SSHA are supported, SHA is the
default value
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Re: [Freeipa-users] Does FreeIPA support SHA or SSHA for password encryption

2014-08-13 Thread Rob Crittenden
Chris Whittle wrote:
> We are looking at ONELogin as well as OKTA for our SSO to work with
> FreeIPA.
>
> The way they integrate with LDAP is a little different.
>
> The question I have is how does FreeIPA support SHA or SSHA for password
> encryption?
>
> *From One Login's help doc on LDAP*
>
> *--password-crypt:* Defines the cryptographic method used to store new
> passwords to your Ldap Server when a user changes his password on the
> OneLogin Web UI. Currently only SHA and SSHA are supported, SHA is the
> default value

This sounds rather strange to me. It sounds like it is going to
pre-encrypt the password and send the hash. For IPA to work it would
need to send the password in the clear (over GSSAPI or TLS of course) so
that we can generate the Kerberos keys as well.

389-ds only accepts pre-encrypted hashes in certain cases anyway (it
differs by version).

You can look in cn=Password Storage Schemes,cn=plugins,cn=config for the
list of available password hashes. Both SSHA and SHA are included by
default.

rob
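
Added example, not part of the thread and not FreeIPA or 389-ds code: the `{SHA}` and `{SSHA}` userPassword value formats discussed above, built, parsed and verified in Python. It shows that a client sending such a value hands the server only a one-way digest (so no Kerberos keys can be derived from it) and that unsalted `{SHA}` yields the same value for the same password; the function names and the 8-byte salt length are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = hashlib.sha1().digest_size  # 20 bytes


def make_hash(password, scheme="SSHA", salt=None):
    """Build a userPassword value in the {SCHEME}base64 form."""
    pw = password.encode("utf-8")
    if scheme == "SHA":
        # Unsalted: identical passwords always give identical values.
        return "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    if scheme == "SSHA":
        # Salted: base64(SHA1(password + salt) + salt).
        salt = os.urandom(8) if salt is None else salt  # 8 bytes is an assumption
        digest = hashlib.sha1(pw + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme: {scheme}")


def parse_value(value):
    """Return (scheme, digest, salt), or (None, None, None) for cleartext."""
    if not value.startswith("{") or "}" not in value:
        return None, None, None  # no scheme prefix: a cleartext password
    scheme, _, b64 = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in ("SHA", "SSHA"):
        raise ValueError(f"unsupported scheme: {scheme}")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < SHA1_LEN or (scheme == "SHA" and len(raw) != SHA1_LEN):
        raise ValueError("digest has the wrong length")
    # Everything after the 20-byte SHA-1 digest is the salt (empty for {SHA}).
    return scheme, raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify(password, value):
    """Check a candidate password against a {SHA} or {SSHA} value."""
    scheme, digest, salt = parse_value(value)
    if scheme is None:
        return False  # not a hashed value; nothing to verify against
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)
```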
