Hi all:
After I migrated to the new servers using the migrate-ds command, I used server.com:389 to connect and embedded it in a 3rd-party open source application.
I found users can log in successfully... but
at http://server.com/ipa/ui they cannot...
Users have to use http://server.com/ipa/migration, then they can successfully log in to the UI.
So what is the difference in this password migration? Actually, in the 3rd-party open source application users log in with the LDAP password successfully, but the UI fails.
Hi there,
UI uses Kerberos...
Regards,
---
EZajko @root.ba
On Thu, May 31, 2018, 05:48 barrykfl--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi all:
After I migrated to the new servers using the migrate-ds command, I used server.com:389 to connect and embedded it in a 3rd-party open source application.
I found users can log in successfully... but
at http://server.com/ipa/ui they cannot...
Users have to use http://server.com/ipa/migration, then they can successfully log in to the UI.
So what is the difference in this password migration? Actually, in the 3rd-party open source application users log in with the LDAP password successfully, but the UI fails.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
Dear barrykfl,
you may find nicely documented procedure at [1]:
cheers, --- Ernedin ZAJKO ezajko@root.ba
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
340282366920938463463374607431768211456
On Thu, May 31, 2018 at 6:47 AM Ernedin Zajko ezajko@root.ba wrote:
Hi there,
UI uses Kerberos...
Regards,
EZajko @root.ba
Yes, I read the point and know they are different. But if most users (90%) don't need to access https://myserver.com/ipa/UI and just use LDAP authorization, then I don't need to ask users to migrate or change their password? 90% of our users use 3rd-party open source and LDAP auth. What is an actual example of Kerberos auth affecting users in such a situation? Users don't self-edit UI info; even for passwords they ask the administrator to reset them.
Point 6 in document: It is possible to use LDAP authentication in Identity Management instead of Kerberos authentication, which means that Kerberos hashes are not required for users. However, this limits the capabilities of Identity Management and is not recommended.
2018-05-31 14:26 GMT+08:00 Ernedin Zajko ezajko@root.ba:
Dear barrykfl,
you may find nicely documented procedure at [1]:
cheers, --- Ernedin ZAJKO ezajko@root.ba
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrating_from_a_directory_server_to_ipa
Dear barrykfl,
one of the issues that will emerge - users updating (changing) passwords (if you want them to use ipa ui)
regards, --- Ernedin ZAJKO ezajko@root.ba
340282366920938463463374607431768211456
On Thu, May 31, 2018 at 9:06 AM barrykfl@gmail.com wrote:
Yes, I read the point and know they are different. But if most users (90%) don't need to access https://myserver.com/ipa/UI and just use LDAP authorization, then I don't need to ask users to migrate or change their password? 90% of our users use 3rd-party open source and LDAP auth. What is an actual example of Kerberos auth affecting users in such a situation? Users don't self-edit UI info; even for passwords they ask the administrator to reset them.
Point 6 in document: It is possible to use LDAP authentication in Identity Management instead of Kerberos authentication, which means that Kerberos hashes are not required for users. However, this limits the capabilities of Identity Management and is not recommended.
Yes, but we use a third-party password manager to allow users to change their password on another site at a different address. (But most users ask the admin to reset it for them.) Users won't touch any LDAP server address UI.
2018-05-31 15:43 GMT+08:00 Ernedin Zajko ezajko@root.ba:
Dear barrykfl,
one of the issues that will emerge - users updating (changing) passwords (if you want them to use ipa ui)
regards, --- Ernedin ZAJKO ezajko@root.ba
barrykfl--- via FreeIPA-users wrote:
Yes, I read the point and know they are different. But if most users (90%) don't need to access https://myserver.com/ipa/UI and just use LDAP authorization, then I don't need to ask users to migrate or change their password? 90% of our users use 3rd-party open source and LDAP auth. What is an actual example of Kerberos auth affecting users in such a situation? Users don't self-edit UI info; even for passwords they ask the administrator to reset them.
Point 6 in document: It is possible to use LDAP authentication in Identity Management instead of Kerberos authentication, which means that Kerberos hashes are not required for users. However, this limits the capabilities of Identity Management and is not recommended.
If you authenticate only using LDAP then yes, there is no need to go through the migration page. The migration page is for generating the Kerberos keys.
An LDAP password can be migrated because it is just a hash. A Kerberos key cannot because it depends on a number of factors, including the Kerberos master key, which cannot be migrated. On the migration page the user authenticates with their existing password, we confirm it is valid, then take the provided cleartext password to generate the Kerberos keys. That's it.
rob
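An added illustration of the reply above (not code from FreeIPA or from anyone in this thread): a salted LDAP hash can be copied to the new server and still verify a bind, while Kerberos key material can only be derived once the user presents the cleartext password, which is what the migration page collects. Assumptions: the old directory stored `{SSHA}` values, the salt follows the Kerberos default of realm plus principal name, only the PBKDF2 step of the RFC 3962 string-to-key is shown (the final key-derivation step and encryption under the KDC master key are omitted), and all names and sample data are constructed.

```python
import base64
import hashlib
import hmac

def make_ssha(password: str, salt: bytes) -> str:
    """Build an {SSHA} userPassword value (salted SHA-1) as an LDAP server stores it."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, password: str) -> bool:
    """All an LDAP simple bind needs: the stored hash and the offered password."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(digest, candidate)

def krb_pbkdf2_step(password: str, realm: str, user: str, iterations: int = 4096) -> bytes:
    """PBKDF2-HMAC-SHA1 step of the RFC 3962 string-to-key.
    Assumed salt: realm + principal name. DK() and master-key wrapping are omitted."""
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=32)

def migrate_user(stored: str, offered: str, realm: str, user: str):
    """Migration-page flow: confirm the old password, then derive key material from it."""
    if not verify_ssha(stored, offered):
        return None  # wrong password: no cleartext to derive a key from
    return krb_pbkdf2_step(offered, realm, user)

# Constructed sample data (hypothetical user, realms and password).
STORED = make_ssha("Secret123", b"\x01\x02\x03\x04")
KEY_NEW = migrate_user(STORED, "Secret123", "NEW.EXAMPLE.COM", "alice")
KEY_OLD = migrate_user(STORED, "Secret123", "OLD.EXAMPLE.COM", "alice")
REJECTED = migrate_user(STORED, "wrong", "NEW.EXAMPLE.COM", "alice")

if __name__ == "__main__":
    print("hash copies over unchanged:", STORED)
    print("key material, new realm:  ", KEY_NEW.hex())
    print("same password, old realm: ", KEY_OLD.hex())
    print("wrong password:           ", REJECTED)
```

The two derived values differ even though the password and the stored hash are identical, which is why keys from another realm cannot simply be carried across.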