-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 (resending to the list, I accidentally replied to Rob only before..)
On 11/02/2010 04:24 AM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> https://fedorahosted.org/freeipa/ticket/154 >> >> The second patch removes the /ipatest section that has been commented >> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore >> :-) > > Migration doesn't seem to be working. The migration page itself comes up > fine and prompts for data but when I enter the password of a migrated > user I don't seem to be getting valid kerberos keys. kinit doesn't work > in any case. It could also be that I'm tired. Does a migrated account > work for you? > It does for me -- or at least I think it's working. This is how I tested: 1) migrate users from LDAP using the migrate-ds plugin. 2) try kinit - preauth will fail 3) go to the migration page, enter username/password This redirects me to the ui page if the credentials are correct. 4) kinit for the user works now This is on the current master + the two patches under review, on a F13 host migrating from 389 DS on another F13 machine. > This could be related to redoing the 389-ds password plugin as I did all > previous testing before we did the file split. > >> >> I also have two questions: >> 1) how should exceptions be handled? In the patch, I only explicitly >> handle exceptions that could happen very easily (like, password being >> wrong, or the LDAP server down..). Anything else would just trigger 500 >> Server Error.. > > I think that's ok as long as we provide enough logging to point the > admin in the right direction. > >> >> 2) When playing with the migration command line plugin, I noticed that >> it can only handle RFC2307bis groups (member: dn) and has the >> objectclass for groups hardcoded to >> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think >> it would be worthwile (and easy, too!) to modify the plugin to accept >> also RFC2307 schema and allow specifying a different objectclass >> (posixGroup might come handy..). Thoughts? > > Yes, that sounds like a good enhancement. Great idea. > OK: https://fedorahosted.org/freeipa/ticket/429 (taken, since I was already poking at the plugin anyway) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkzQJwgACgkQHsardTLnvCXu+ACgvMTxMPP8YpmwwzvCiMKpPp35 RQgAnA0CTuBxDI0hZzfZDDu50wunYRqP =++oI -----END PGP SIGNATURE----- _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel