[Freeipa-users] feature request

Dmitri Pal dpal at redhat.com
Fri Aug 8 20:09:48 UTC 2014


On 07/20/2014 06:37 PM, Rob Crittenden wrote:
> sergey ivanov wrote:
>> Dear IPA developers, I'd like to describe what we are doing and ask
>> about existing ways to do it easier, or if there are no such ways, to
>> propose creating some tools to ease such a way of migration.
>>
>> We are preparing for migration to IPA. In our organization we were
>> using kerberos servers for authentication together with /etc/passwd
>> files for managing user access to hosts. In our organization we also
>> are using kerberos together with .htaccess files for web
>> authentication. And kerberos with pam for mail services, - both IMAP
>> and SMTP via dovecot.
>>
>> I asked some time ago and got a reply here in this mailing list that
>> there is no way to use kdb_util to dump the kerberos database and get from
>> the dump values for inserting into IPA's ldap kerberos principal
>> fields for user entries. So, we ended up using a special web page, which
>> authenticates our users against the existing kerberos servers and after
>> successful authentication resets the password for this user in IPA.
>>
>> We did not want the password in IPA to be in "expired" state, so that
>> users must change it once more at first login.  As a workaround we are
>> using 2 different kerberos connection caches for each session: one for
>> the administrator for setting the user password to something unique, and
>> a second for authenticating with this unique password as the user, just
>> to reset it to the value requested by the user through the web form.
>>
>> I think there would be pretty many similar cases. Maybe having a
>> customizable web form on the IPA server itself, authenticating the user
>> against some old external authentication system from which the
>> migration is being performed, would be the best.
>>
>> If not, then at least some standard way to drop privileges from
>> administrator to user, for setting up the password or maybe even other
>> fields, would be great.
>>
> I take it that the LDAP connection used by your migration page isn't
> using the credentials provided by the user, but binding using some
> service account? Binding as the user would be ideal, but if you can't,
> you can add the dn for that service account to the
> passSyncManagersDNs list to have it not cause a reset.
>
> % ldapmodify -x -D "cn=Directory Manager" -W
> Enter LDAP Password: *******
> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
> changetype: modify
> add: passSyncManagersDNs
> passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com
>
> rob
>
Should we turn it into HOWTO?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
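Added example (not from the thread, and not IPA's own code): a small Python check that parses the ipa_pwd_extop plugin entry as ldapsearch would print it, reports whether a given service-account DN is already in passSyncManagersDNs (comparing DNs case- and whitespace-insensitively, since LDAP treats them that way), and otherwise emits the same LDIF change Rob shows. Because any DN on that list can set passwords without triggering the expired-on-first-login reset, auditing who is on it is worth doing; the sample entry and DNs below are constructed for illustration.

```python
# Constructed sample of the plugin entry, as "ldapsearch -LLL" would print it.
SAMPLE_ENTRY = """\
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
cn: ipa_pwd_extop
passSyncManagersDNs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
passSyncManagersDNs: UID=PassSync, CN=sysaccounts, CN=etc, DC=example, DC=com
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}; joins folded lines.
    Simplified: base64 (::) values are not decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF continuation line
        elif raw.strip():
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def normalize_dn(dn):
    """Lower-case, whitespace-stripped DN for comparison (no escaped commas)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)

def is_pass_sync_manager(entry_text, dn):
    """True if dn is already listed in passSyncManagersDNs of the entry."""
    attrs = parse_ldif_entry(entry_text)
    wanted = normalize_dn(dn)
    return any(normalize_dn(v) == wanted
               for v in attrs.get("passsyncmanagersdns", []))

def add_manager_ldif(dn):
    """LDIF for ldapmodify that adds dn to the list (the change Rob shows)."""
    return ("dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
            "changetype: modify\n"
            "add: passSyncManagersDNs\n"
            f"passSyncManagersDNs: {dn}\n")

if __name__ == "__main__":
    for dn in ("uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com",
               "uid=webadmin,cn=users,cn=accounts,dc=example,dc=com"):
        if is_pass_sync_manager(SAMPLE_ENTRY, dn):
            print(f"{dn}: already a password sync manager")
        else:
            print(add_manager_ldif(dn))
```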
