[Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI
Rob Crittenden
rcritten at redhat.com
Tue Nov 2 03:24:40 UTC 2010
Jakub Hrozek wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> https://fedorahosted.org/freeipa/ticket/154
>
> The second patch removes the /ipatest section that has been commented
> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore :-)
Migration doesn't seem to be working. The migration page itself comes up
fine and prompts for data but when I enter the password of a migrated
user I don't seem to be getting valid kerberos keys. kinit doesn't work
in any case. It could also be that I'm tired. Does a migrated account
work for you?
This could be related to redoing the 389-ds password plugin as I did all
previous testing before we did the file split.
>
> I also have two questions:
> 1) how should exceptions be handled? In the patch, I only explicitly
> handle exceptions that could happen very easily (like, password being
> wrong, or the LDAP server down..). Anything else would just trigger 500
> Server Error..
I think that's ok as long as we provide enough logging to point the
admin in the right direction.
>
> 2) When playing with the migration command line plugin, I noticed that
> it can only handle RFC2307bis groups (member: dn) and has the
> objectclass for groups hardcoded to
> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
> it would be worthwile (and easy, too!) to modify the plugin to accept
> also RFC2307 schema and allow specifying a different objectclass
> (posixGroup might come handy..). Thoughts?
Yes, that sounds like a good enhancement. Great idea.
rob
More information about the Freeipa-devel
mailing list