Hey,
to expand why you cannot simply hand over existing hashes: in UCS domains passwords are required to be stored in three different places with three different types of hashing:
- The regular Unix password hashes (LDAP attribute `userPassword`)
- The old Windows NT-style hashed password (LDAP attribute `sambaNTPassword`)
- The Kerberos password (LDAP attribute `krb5Key`)
The system can only create (hash with the corresponding algorithm) all of them from the plain text, unencrypted, unhashed password.
Migrating from a system that doesn’t provide all three attributes therefore requires setting new passwords for all users.
Kind regards,
mosu
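
A pre-migration check for the point made in the post above, as an added example that is not part of the original post or of UCS: it scans an LDIF export and lists the accounts that lack any of the three attributes and so need a new password. The function names, the sample DNs and the placeholder values are constructed, and it assumes the source export uses the same attribute names; it checks presence only, not hash validity.

```python
# The three attributes the post names; an account needs all of them.
REQUIRED = ("userPassword", "sambaNTPassword", "krb5Key")
# Constructed sample export; values are placeholders, not real hashes.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=test
userPassword:: UExBQ0VIT0xERVI=
sambaNTPassword: 00000000000000000000000000000000
krb5Key:: UExBQ0VIT0xERVI=

dn: uid=bob,cn=users,dc=example,dc=test
userPassword: {crypt}$6$PLACEHOLDER
sambaNTPassword: 0000000000000000
 0000000000000000

dn: uid=carol,cn=users,dc=example,dc=test
userPassword: {SSHA}PLACEHOLDER
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; base64 values are kept undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold an RFC 2849 continuation line
        elif not raw.startswith("#"):     # skip LDIF comments
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        name, _, value = line.partition(":")
        value = value.lstrip(":").strip()  # handles "attr: v" and "attr:: b64"
        if not line.strip():
            current = None                 # a blank line ends the entry
        elif name.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None and value:
            current.setdefault(name, []).append(value)
    return entries

def missing_hashes(entries):
    """Map each DN to the required attributes it lacks (none lacking: omitted)."""
    report = {}
    for dn, attrs in entries.items():
        present = {a.lower() for a in attrs}   # LDAP attribute names ignore case
        gaps = [r for r in REQUIRED if r.lower() not in present]
        if gaps:
            report[dn] = gaps
    return report

if __name__ == "__main__":
    print(missing_hashes(parse_ldif(SAMPLE_LDIF)))
```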