Pavel Zuna wrote:
Example output of migration plugin:

I have a DS server setup on a VM at 192.168.122.4 and I made a few tweaks to show how errors are reported.

# ipa migrate-ds ldap://192.168.122.4:389
Password:
Enter password again to verify:
-----------
migrate-ds:
-----------
Migrated:
  users: pzuna, mnagy
  groups: skupina1, skupina2, skupina3
Errors:
  user: mnagy: Kerberos principal mn...@pzuna already exists. Use 'ipa user-mod' to set it manually.
  group: accounting managers: This entry already exists
  group: hr managers: This entry already exists
  group: qa managers: This entry already exists
  group: pd managers: This entry already exists
----------
Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clean text passwords. All migrated users need to login at http://your.domain/ipa/migration/ before they can use their Kerberos accounts.

I didn't try it yet, but this might also work for IPAv1->IPAv2 migration.

Pavel

I have some concerns with this. Rather than presenting a user password change page, this enables basic-auth-like Kerberos negotiate fallback and uses the username/password presented there to do the password reset. I thought we had discussed actually presenting a form to the user to prompt for this information.

One of our goals is to promote the usage of single sign-on using Kerberos. Enabling the password fallback can be practical and needed in some cases but I think by default we want to leave it off.

The function get_base_dn() needs some error handling. I'm not sure how this will blow up if the LDAP server is down but it won't be pretty, it assumes that a namingcontext is returned, etc.

For the migration there is a typo in pwd_migration_msg, "clean text" instead of "clear text".

Why are you duplicating the user_add functionality instead of calling api.Command['user_add']?

Same with groups, why not use the group_add and group_add_member methods?

rob
