[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Rob Crittenden rcritten at redhat.com
Mon Nov 2 15:31:31 UTC 2009 

Pavel Zuna wrote:
> Everyone wrote:
> ...
> A LOT and Thunderbird isn't able to display a thread on a mailing list 
> properly.
> 
> I did some testing on how much time does it take to migrate "a few" 
> users. I started with 10000, but unfortunately my VM can't handle that 
> much (always running out of space and I already deleted /usr/share/doc :D).
> 
> Anyway, I successfully migrated about ~4200 users in 27 minutes using 
> the current method. I didn't test it using the IPA commands yet, because 
> I ran into the problem of making LDAP data valid for IPA commands - it's 
> actually not that easy. We can't pass user passwords to them and we also 
> cannot set attributes the command don't support, so we have to manually 
> set them using ldap2.update_entry anyway. I know that the numbers at the 
> beginning of this paragraph mean nothing if I have nothing to compare 
> them to, but I thought you might be interested anyway. I'll keep you 
> updated.

Yes, something we need in baseldap.py is a way to pass in arbitrary 
attributes to Add and Modify. There are several modes we need:

Add a new value to an attribute (this attr may or may not be in the entry)
Set an attribute to a value (a replace operation)
Remove a value from an attribute. Removing the last value should remove 
the attribute from the entry.

We had the first two options in v1, delete was there but a bit flaky IIRC.

> Another thing: with user friendliness/experience. I think users will 
> actually suffer a little after being migrated, because they will have to 
> take all of these steps:
> 
> 1) login to the migration page
> 2) use kinit
> 3) if their password doesn't meet IPA password policy, change their 
> password
> 4) go to ipa page, probably won't work
> 5) configure their browsers
> 6) go to ipa page again, this time it will work :)
> 
> Just saying.
> 
> Pavel

Yes, though perhaps in the migration page we should add the "configure 
Firefox" button so they set their password, configure their browser, 
quit, kinit, restart and done.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091102/687d68ac/attachment.bin>

More information about the Freeipa-devel mailing list