[Freeipa-devel] ds-migrate feature enhancements

Martin Kosek mkosek at redhat.com
Wed Nov 26 10:52:05 UTC 2014 

On 11/24/2014 11:24 PM, Alan Evans wrote:
> I am in the midst of preparing for a migration from OpenLDAP to FreeIPA.
> ds-migrate wasn't going to fill all of my needs so I thought I would use it
> for most and then make up some LDIF's and massage them to do the last bit
> of migration.
> 
> I have instead decided to extend ds-migrate and I think that my features
> might be of use to others so I would like to contribute them.

Great idea! :-) IMO, enhancing FreeIPA migration capability and making it more
even more pleasant experience for user users is a good goal.

> Before I get
> too for I wanted to get some input from the community.
> 
> Here are MY original goals:
> * Migrate ssh public keys
>   The openssh-lpk schema is used in my tree so objectClass: ldapPublicKey
> attribute: sshPublicKey
> * Migrate disabled accounts as disabled
>   We 'disable' usere by setting their shadowExpire to a date in the past
> and setting their shell to /bin/false
> 
> I realized that the ssh-public key problem is more generally an attribute
> mapping problem and dealing with disabled users could be more generalized
> too.
> 
> Here are instead the new features I would provide.
> 
> * Attribute mapping
>   Feature should check the new syntax exists and is the same as the old
> syntax (perhaps further check for compatible syntax)
>   --user-attribute-map=oldAttribute=newAttribute
>   --group-attribute-map=foo=bar
>   Should I drop user/group and just make it --attribute-map and apply it to
> both?
>   Should certain attributes be mapped by default, i.e.
> sshPublicKey=ipaSSHPubKey (this means we also need to ignore the
> objectClass ldapPublicKey by default)  Maybe make a separate switch
> --with-ssh-keys that automatically adds a map and an ignore?

If the mapping sshPublicKey -> ipaSSHPubKey is clear, I would do it by default
and maybe add a switch to skip these advanced migrations. Just make sure the
expected format matches (ipa requires all 3 pieces of the public key, not just
the blob)

I think it would be very useful to combine user attribute mapping with the
ideas from

https://fedorahosted.org/freeipa/ticket/3709

i.e. filling attribute with values from original entry or a default. This may
lead to following syntax:

--user-attribute-default "sn=notdefined" --user-attribute-default
"description=User with cn $cn"

which would only use the pattern if attribute is not defined in original entry

and

--user-attribute-map "sn=$cn"

which would fill overwrite the attribute even if it was defined in the original
entry.

> 
> * Handling disabled users
>   1. How to identify disabled users?
>     a. shadowExpire < now()
>         --use-disable-shadow-expire

How would you like to disable users then? With nsAccountLock attribute?
Wouldn't it be better to instead map shadowExpire to krbPrincipalExpiration
attribute which should have sematically the same meaning?

>     b. loginShell is one of configurable shells
>         --use-disable-login-shell
>         --disabled-shell=/bin/false --disabled-shell=/sbin/nologin (these

Is this really a general mechanism? I think Kerberos principal expiration is
the way to go:

# ipa user-mod fbar --principal-expiration 20140101000000Z

# ssh fbar@`hostname`
fbar at vm-067.idm.lab.bos.redhat.com's password:
Permission denied, please try again.

# tail /var/log/krb5kdc.log
...
Nov 26 04:56:51 vm-067.idm.lab.bos.redhat.com krb5kdc[19615](info): AS_REQ (6
etypes {18 17 16 23 25 26}) 10.16.78.67: CLIENT EXPIRED:
fbar at IDM.LAB.BOS.REDHAT.COM for
krbtgt/IDM.LAB.BOS.REDHAT.COM at IDM.LAB.BOS.REDHAT.COM, Client's entry in
database has expired

It is respected by Kerberos authentication and SSSD logins, at minimum.


> two would be the defaults)
>     c. nsAccountLocked (though that would be straight copied by the
> migrator anyway

+1 for copying.

>     d. From Open DJ the attribute ds-pwp-account-disabled can be used to
> identify disabled users
>     (are there others?)
>   2.  What do do with disabled users (in my case migrate and disable)
>     a. Migrate them and don't touch nsAccountLocked
>     b. Migrate them and set nsAccountLocked = true
>        --disable-users
>     c. Do not migrate them
>        --skip-disabled-users
>     d. Which is the default?  Migrate and disable?  If so which are the
> default methods for identifying them?  All methods?

I may be missing something, but to me following would make sense:

- properly migrate and fill krbPrincipalExpiration and nsACcountLock attributes
- optionally implement --skip-disabled-users. Though it may be challenging to
implement the "is_user_disabled" function right so that it works on all sort of
DS schemes.

> So is there anything I'm missing?  Any suggestions on the switches? I'm not
> entirely sure I like them the way they are.
> 
> I have code to cover about 60% of the above already.  The user-attr-map
> feature is working and the --disabled-users and disabled-shells options are
> working.
> 
> Regards,
> -Alan

HTH,
Martin

More information about the Freeipa-devel mailing list