[Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.
Rob Crittenden
rcritten at redhat.com
Fri Oct 30 14:54:31 UTC 2009
Pavel Zuna wrote:
> Example output of migration plugin:
>
> I have a DS server setup on a VM at 192.168.122.4 and I made a few
> tweaks to show how errors are reported.
>
> # ipa migrate-ds ldap://192.168.122.4:389
> Password:
> Enter password again to verify:
> -----------
> migrate-ds:
> -----------
> Migrated:
> users: pzuna, mnagy
> groups: skupina1, skupina2, skupina3
> Errors:
> user: mnagy: Kerberos principal mnagy at PZUNA already exists. Use 'ipa
> user-mod' to set it manually.
> group: accounting managers: This entry already exists
> group: hr managers: This entry already exists
> group: qa managers: This entry already exists
> group: pd managers: This entry already exists
> ----------
> Passwords have been migrated in pre-hashed format. IPA is unable to
> generate Kerberos keys unless provided with clean text passwords. All
> migrated users need to login at http://your.domain/ipa/migration/ before
> they can use their Kerberos accounts.
>
> I didn't try it yet, but this might also work for IPAv1->IPAv2 migration.
>
> Pavel
I have some concerns with this. Rather than presenting a user password
change page this enables basic-auth like kerberos negotiate fallback and
uses the username/password presented there to do the password reset. I
thought we had discussed actually presenting a form to the user to
prompt for this information.
One of our goals is to promote the usage of single sign-on using
kerberos. Enabling the password fallback can be practical and needed in
some cases but I think by default we want to leave it off.
The function get_base_dn() needs some error handling. I'm not sure how
this will blow up if the LDAP server is down but it won't be pretty, it
assumes that a namingcontext is returned, etc.
For the migration there is a typo in pwd_migration_msg, "clean text"
instead of "clear text".
Why are you duplicating the user_add functionality instead of calling
api.Command['user_add']?
Same with groups, why not use the group_add and group_add_member methods?
rob
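As an illustration of the error-handling point raised above, here is an added example (not FreeIPA's code, nor anything from the patch under review) of a rootDSE base-DN lookup that fails with a clear error when the LDAP server is unreachable, when the rootDSE search returns no entry, or when no namingContexts value is present. The `search_rootdse` callable, `BaseDNError` and the helper names are assumptions made for this example; the result shape (a list of (dn, attrs) pairs with attribute values as lists of bytes) follows python-ldap's search_s() convention, and the server responses below are constructed so the example runs offline.

```python
# Added example (not FreeIPA's own code): a rootDSE base-DN lookup written to
# fail with a clear error when the LDAP server is unreachable, when the
# rootDSE comes back empty, or when it carries no namingContexts value. The
# `search_rootdse` callable, BaseDNError and the helper names are assumptions
# made for this illustration; the result shape (list of (dn, attrs) pairs with
# attribute values as lists of bytes) follows python-ldap's search_s() convention.


class BaseDNError(Exception):
    """The base DN could not be determined from the server's rootDSE."""


def get_naming_contexts(search_rootdse):
    """Return the rootDSE namingContexts values as a list of str.

    Every failure mode is turned into BaseDNError so the caller never has to
    index into a missing entry or a missing attribute.
    """
    try:
        results = search_rootdse()
    except Exception as e:  # connection refused, timeout, TLS failure, ...
        raise BaseDNError("rootDSE query failed: %s" % e)
    if not results:
        raise BaseDNError("rootDSE search returned no entry")
    _dn, attrs = results[0]
    # LDAP attribute names are case-insensitive; match accordingly.
    lowered = {name.lower(): values for name, values in attrs.items()}
    contexts = lowered.get("namingcontexts") or []
    decoded = [c.decode("utf-8") if isinstance(c, bytes) else c for c in contexts]
    if not decoded:
        raise BaseDNError("rootDSE carries no namingContexts attribute")
    return decoded


def get_base_dn(search_rootdse, preferred=None):
    """Pick the base DN: the preferred one if the server publishes it,
    otherwise the only naming context; refuse to guess among several."""
    contexts = get_naming_contexts(search_rootdse)
    if preferred is not None:
        if preferred.lower() in (c.lower() for c in contexts):
            return preferred
        raise BaseDNError("%s is not a naming context of this server" % preferred)
    if len(contexts) > 1:
        raise BaseDNError("server publishes several naming contexts, "
                          "specify one: %s" % ", ".join(contexts))
    return contexts[0]


def raises_base_dn_error(fn):
    """True if calling fn() raises BaseDNError (used by the demo below)."""
    try:
        fn()
    except BaseDNError:
        return True
    return False


# Constructed rootDSE responses standing in for a live server.
def ok_server():
    return [("", {"namingContexts": [b"dc=example,dc=com"]})]


def multi_server():
    return [("", {"namingContexts": [b"dc=example,dc=com", b"o=netscaperoot"]})]


def bare_server():
    return [("", {"vendorName": [b"some-ds"]})]  # no namingContexts at all


def down_server():
    raise ConnectionError("connect to 192.168.122.4:389: connection refused")


def demo():
    """Exercise each case; returns a dict the reader can inspect."""
    return {
        "single": get_base_dn(ok_server),
        "preferred": get_base_dn(multi_server, preferred="dc=example,dc=com"),
        "ambiguous": raises_base_dn_error(lambda: get_base_dn(multi_server)),
        "no_contexts": raises_base_dn_error(lambda: get_base_dn(bare_server)),
        "server_down": raises_base_dn_error(lambda: get_base_dn(down_server)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-12s %s" % (case, outcome))
```

The design choice worth noting is that an unreachable server and a server without naming contexts both surface as the same exception type, so a migration command can report one readable error instead of an IndexError or KeyError from deep inside the plugin.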