[Freeipa-devel] [PATCH 0197] re-set canonical principal name on migrated users
Florence Blanc-Renaud
flo at redhat.com
Fri Jul 29 12:42:25 UTC 2016
On 07/28/2016 10:56 AM, Martin Babinsky wrote:
> Fixes https://fedorahosted.org/freeipa/ticket/6101
>
> I have also noticed that the principal aliases are not preserved during
> migration from FreeIPA 4.4.
>
> That, however, requires more powerful runes to transform the realm of
> all values and warrants a separate ticket if we even want to support
> migration of user aliases.
>
>
>
Hi Martin,
thanks for your patch. From a technical standpoint, it looks good to me
as I tested the following scenarios:
1/ without --user-ignore-attribute
- call ipa migrate-ds without specifying any attributes to ignore
The user entries are migrated, and contain a migrated krbprincipalname
and krbcanonicalname.
At this point kinit fails but this is expected as the krb attributes
were not re-generated. Login to the web https://hostname/ipa/ui also
fails as expected.
- login to https://hostname/ipa/migration with the user credentials
- perform kinit => OK
- login to https://hostname/ipa/ui => OK
2/ with --user-ignore-attribute={krbPrincipalName,krbextradata,...} as
explained in the Migration page [1]
At this point kinit fails as expected, as well as login to the web ipa/ui.
- login to https://hostname/ipa/migration with the user credentials
- perform kinit => OK
- login to https://hostname/ipa/ui => OK
But the patch produces new pep8 complaints:
./ipaserver/plugins/migration.py:39:1: E402 module level import not at
top of file
Flo.
----
[1]
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
More information about the Freeipa-devel
mailing list