On Thu, 09 Jan 2025, Ronald Wimmer wrote:
So. Let me summarize this information for me personally. If we create a new user in the staging area via LDAP with a clear-text password it is impossible that the user can log in using IPA's WebGUI as it requires Kerberos and the krbPrincipalKey is not available until an implicit or explicit LDAP bind is done with this exact user, right?

If you provided IPA-specific LDAP objectclasses (and their required
attributes) when creating via LDAP, then you'll get Kerberos attributes
created automatically and it will not require use of the migration mode.

Basically, it is fully controlled by your side -- if you are able to
extend what is added to LDAP entry template, you can make it work.

Just look at how this entry looks after 'ipa stageuser-add' and model
your LDAP update around it.

But regarding my question... it can't be that we create a user with a minimal set of attributes and it can log in to the WebGUI as it is missing the krbPrincipalKey (which would be created after an LDAP bind), right?

Without seeing what is being done to the entries and by whom, it is
impossible to answer. Enable 389-ds audit log, create a stage user via
your mechanism, activate it, and then you'll see all the details in the
audit log, including who (which plugin or client) made what changes.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
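As an added example (not from this thread or the FreeIPA project), a small Python check along the lines Alexander suggests: dump a reference entry after 'ipa stageuser-add', then diff the entry your own provisioning tool writes against it for missing objectClasses and attribute types, and confirm whether krbPrincipalKey exists yet. Both LDIF snippets, including the objectClass list, are constructed samples and assume the standard staging container; the real reference must come from your own server.

```python
from collections import defaultdict

# Constructed sample of what 'ipa stageuser-add' produces; dump the real
# reference entry from your own server with ldapsearch instead.
REFERENCE_LDIF = """\
dn: uid=refuser,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: ipaobject
uid: refuser
cn: Ref User
sn: User
krbPrincipalName: refuser@EXAMPLE.TEST
"""
# Constructed minimal entry from an external tool: inetOrgPerson plus a
# clear-text userPassword, no IPA or Kerberos objectClasses at all.
CUSTOM_LDIF = """\
dn: uid=newuser,cn=staged users,cn=accounts,cn=provisioning,dc=example,dc=test
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
uid: newuser
cn: New User
sn: User
userPassword: clear-text-sample
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]} (names lower-cased)."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry[name.strip().lower()].append(value.strip())
    return entry

def missing_from(reference, candidate):
    """Return (objectClasses, attribute types) in reference but not candidate."""
    ref_oc = {v.lower() for v in reference["objectclass"]}
    cand_oc = {v.lower() for v in candidate["objectclass"]}
    ref_attrs = set(reference) - {"dn", "objectclass"}
    cand_attrs = set(candidate) - {"dn", "objectclass"}
    return sorted(ref_oc - cand_oc), sorted(ref_attrs - cand_attrs)

def has_kerberos_key(entry):
    """True only if krbPrincipalKey is already set (needed for Kerberos login)."""
    return bool(entry.get("krbprincipalkey"))
```

Neither sample carries krbPrincipalKey, which matches the thread: the key material only appears once a bind with the user's password (or a proper IPA-aware provisioning path) has produced it, so checking for it is the quickest way to tell whether WebGUI login can work yet.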

--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org