[Freeipa-users] feature request

Rob Crittenden rcritten at redhat.com
Sun Jul 20 22:37:47 UTC 2014


sergey ivanov wrote:
> Dear IPA developers, I'd like to describe what we are doing and ask
> about existing ways to do it more easily, or, if there are no such ways, to
> propose creating some tools to ease this kind of migration.
> 
> We are preparing for migration to IPA. In our organization we were
> using Kerberos servers for authentication together with /etc/passwd
> files for managing user access to hosts. In our organization we are
> also using Kerberos together with .htaccess files for web
> authentication, and Kerberos with PAM for mail services, both IMAP
> and SMTP via dovecot.
> 
> I asked some time ago and got a reply here on this mailing list that
> there is no way to use kdb5_util to dump the Kerberos database and get from
> the dump values for inserting into IPA's LDAP Kerberos principal
> fields for user entries. So, we ended up using a special web page, which
> authenticates our users against the existing Kerberos servers and, after
> successful authentication, resets the password for this user in IPA.
> 
> We did not want the password in IPA to be in the "expired" state, so that
> users must change it once more at first login. As a workaround we are
> using 2 different Kerberos connection caches for each session: one for
> the administrator, for setting the user password to something unique, and
> a second for authenticating as the user with this unique password, just
> to reset it to the value requested by the user through the web form.
> 
> I think there would be quite a few similar cases. Maybe having a
> customizable web form on the IPA server itself, authenticating the user
> against some old external authentication system from which the
> migration is being performed, would be best.
> 
> If not, then at least some standard way to drop privileges from
> administrator to user, for setting the password or maybe even other
> fields, would be great.
> 

I take it that the LDAP connection used by your migration page isn't
using the credentials provided by the user, but binding using some
service account? Binding as the user would be ideal, but if you can't,
you can add the dn of that service account to the
passSyncManagersDNs list to have it not cause a reset.

% ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com

rob
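As an added example (not code from the thread or from FreeIPA), the following script generates the LDIF a migration page would feed to ldapmodify: the passSyncManagersDNs addition Rob posted, and a userPassword replace for the migrated user. The point it adds beyond the pasted LDIF is RFC 2849 value encoding: a password that begins with a space, a colon or '<', ends with a space, or contains non-ASCII bytes must be written as `attr:: base64`, otherwise ldapmodify stores something other than what the user typed. The DNs, the user name and the sample password are constructed placeholders; that a DN in passSyncManagersDNs can replace userPassword directly without the password being marked expired is stated as an assumption in the code.

```python
"""Generate LDIF for ldapmodify from a password-migration script.

Added example: not code from the original thread or from FreeIPA. It builds
the two modify records Rob's suggestion implies, adding a service account DN
to passSyncManagersDNs and (assumption) having that account replace a user's
userPassword, and base64-encodes values where RFC 2849 requires it so that
passwords with odd characters survive ldapmodify intact. All DNs and the
sample password are constructed placeholders.
"""
import base64
import re
from typing import Iterable, Tuple

# RFC 2849: a value must be base64-encoded ("attr:: ...") if it begins with
# SPACE, ':' or '<', contains NUL, CR, LF or any byte >= 0x80, or ends with a
# space. This is the same rule python-ldap's ldif module applies.
_UNSAFE = re.compile(rb"(^[\x00\n\r :<]|[\x00\n\r\x80-\xff]|[ ]+$)")

# Plugin entry from the thread; the attribute passSyncManagersDNs lives here.
IPA_PWD_EXTOP_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"


def ldif_attr(name: str, value: str) -> str:
    """Return one 'name: value' line, switching to 'name:: base64' when needed."""
    raw = value.encode("utf-8")
    if _UNSAFE.search(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Fold a long line as RFC 2849 allows: continuation lines start with a space."""
    if len(line) <= width:
        return line
    head, rest = line[:width], line[width:]
    parts = [head]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def modify_record(dn: str, changes: Iterable[Tuple[str, str, str]]) -> str:
    """One 'changetype: modify' record; changes are (op, attribute, value) triples."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, attr, value in changes:
        lines.append(f"{op}: {attr}")
        lines.append(ldif_attr(attr, value))
        lines.append("-")  # mod-spec terminator required by the RFC grammar
    return "\n".join(fold(line) for line in lines) + "\n"


def passsync_manager_ldif(service_dn: str) -> str:
    """The change Rob posted: register a service account as a passsync manager."""
    return modify_record(IPA_PWD_EXTOP_DN, [("add", "passSyncManagersDNs", service_dn)])


def password_reset_ldif(user_dn: str, new_password: str) -> str:
    """Assumption: a passsync manager replaces userPassword directly, and the
    ipa_pwd_extop plugin then does not mark the new password as expired."""
    return modify_record(user_dn, [("replace", "userPassword", new_password)])


if __name__ == "__main__":
    # Constructed sample: a password with a leading space and a non-ASCII
    # character exercises the base64 path.
    svc = "uid=webadmin,cn=users,cn=accounts,dc=example,dc=com"
    user = "uid=sergey,cn=users,cn=accounts,dc=example,dc=com"
    print(passsync_manager_ldif(svc))
    print(password_reset_ldif(user, " pässword with leading space"))
```

Pipe the output into `ldapmodify -x -D "cn=Directory Manager" -W` for the plugin change, and into a bind as the service account for the per-user reset; the trailing `-` after each modification is what the RFC grammar requires and ldapmodify accepts it even for a single change.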



