#4182 Authentication mechanism: PKCS5S2
Closed: wontfix 5 years ago Opened 10 years ago by tvdbrande.

Provided this is the list of supported mechanisms:
https://git.fedorahosted.org/cgit/freeipa.git/tree/daemons/ipa-sam/ipa_sam.c
For migrating a userbase (+400 users) which has {PKCS5S2}kUaE/OC...
password hashes, PKCS support in ipa would come in handy.
Depending on whether this is possible, it would make the decision to move to or away from ipa.


I did some searching on the matter. The algorithm is created by RSA but is an RFE. It is recommended by NIST. There are some recommendations to use it. However I do not see a lot of implementations of it. It seems that OpenSSL provides an implementation of PBKDF2-HMAC-SHA1. I am not sure about NSS.
In either case it is quite a change in DS so I am not sure it justifies the effort. It might be simpler to take the LDIF from the old system and run an ipa add command in a script, setting the user's password to a random value and mailing it to the user to use and change right away.

Anyone who would like to migrate from Atlassian's authentication systems (e.g. Crowd) will have a number of existing user-entries in this format. Depending on how large their install is, it may be impractical to request a password reset for migration.
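As an added illustration (not part of the ticket or of FreeIPA's code), the sketch below parses and verifies `{PKCS5S2}` values and counts how many exported hashes could be checked at login rather than reset. It assumes the Atlassian layout of base64(16-byte salt + 32-byte PBKDF2-HMAC-SHA1 key) with 10000 iterations; all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{PKCS5S2}"
SALT_LEN = 16        # assumption: Atlassian layout uses a 16-byte salt
KEY_LEN = 32         # assumption: 32-byte derived key follows the salt
ITERATIONS = 10000   # assumption: fixed PBKDF2 iteration count


def parse_pkcs5s2(stored):
    """Return (salt, derived_key); raise ValueError on anything malformed."""
    if not stored.startswith(PREFIX):
        raise ValueError("not a {PKCS5S2} value")
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("invalid base64 payload") from exc
    if len(raw) != SALT_LEN + KEY_LEN:
        raise ValueError("unexpected payload length %d" % len(raw))
    return raw[:SALT_LEN], raw[SALT_LEN:]


def verify_pkcs5s2(password, stored):
    """Recompute PBKDF2-HMAC-SHA1 and compare in constant time."""
    salt, expected = parse_pkcs5s2(stored)
    derived = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                                  salt, ITERATIONS, KEY_LEN)
    return hmac.compare_digest(derived, expected)


def make_pkcs5s2(password, salt=None):
    """Build a value in the same layout (used here only for constructed samples)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt, ITERATIONS, KEY_LEN)
    return PREFIX + base64.b64encode(salt + key).decode("ascii")


def triage(stored_values):
    """Count values a login-time verifier could check vs. ones needing a reset."""
    counts = {"verifiable": 0, "needs_reset": 0}
    for value in stored_values:
        try:
            parse_pkcs5s2(value)
            counts["verifiable"] += 1
        except ValueError:
            counts["needs_reset"] += 1
    return counts


if __name__ == "__main__":
    sample = make_pkcs5s2("constructed-password")  # constructed sample, not real data
    print(verify_pkcs5s2("constructed-password", sample), triage([sample, "{SSHA}x"]))
```

The truncated value quoted in the ticket is rejected by `parse_pkcs5s2` because it is not complete base64.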

Metadata Update from @tvdbrande:
- Issue assigned to someone
- Issue set to the milestone: Tickets Deferred

7 years ago

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
