Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-05-02 Thread siology.io
OK, after looking again at this, I've found that even with the admin users
it's not working how I'd like.


With the admin user, what seems to be happening is that after import the
users *must* go to the /ipa/migration/ URL and then enter their password.
It does now let them log in, unlike before (so I guess before I hadn't used
the admin LDAP user to import from and hence didn't have permissions, as you
suggested). However, I'd really like to avoid that because we've got
hundreds of users, mostly external to the company in different time zones,
and coordinating getting people to go to the portal (and making it available
to the internet!) sounds like a nightmare.

These users don't need Kerberos credentials (AFAIK), as I just want them to
be able to bind against the FreeIPA LDAP server. I'm happy for users that
need Kerberos to have to go to the migration page.

Is there any way to avoid a user needing to go to the migration page after
importing the user?


On 27 April 2016 at 19:45, David Kreitschmann  wrote:

> Are you sure that your bind DN has read access to userPassword? A default
> OpenLDAP installation usually has an admin user.
> Gosa ACLs are only applied when using the web interface; they are not used
> for direct access via LDAP.
>
>
> > On 27.04.2016 at 03:43, siology.io wrote:
> >
> > I'm having issues migrating from an OpenLDAP directory (which has the Gosa
> > schema) to FreeIPA.
> >
> > To migrate I'm doing (and yes, I know):
> >
> > ipa migrate-ds ldap://old.server.com:389 --bind-dn
> > "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup
> > --user-objectclass=inetOrgPerson --group-overwrite-gid
> > --user-ignore-objectclass=gosaAccount
> > --user-ignore-objectclass=gosaMailAccount
> > --user-ignore-attribute=gosaMailDeliveryMode
> > --user-ignore-attribute=gosaMailServer
> > --user-ignore-attribute=gosaSpamSortLevel
> > --user-ignore-attribute=gosaSpamMailbox
> > --user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl
> > --user-ignore-attribute=sshpublickey
> > --user-ignore-attribute=sambaLMPassword
> > --user-ignore-attribute=sambaBadPasswordTime
> > --user-ignore-attribute=gosaaclentry
> > --user-ignore-attribute=sambaBadPasswordCount
> > --user-ignore-attribute=sambaNTPassword
> > --user-ignore-attribute=sambaPwdLastSet
> >
> > This seems to work to import all those users which have POSIX settings
> > set; however, I have two problems:
> >
> > - Am I right in thinking there's no way to auto-assign a gid/uid/home
> > dir for the non-POSIX users at migration time? That's not a deal breaker
> > per se, but I'd need to spin up a new copy of the old LDAP and then add
> > those attributes to every user, then migrate to IPA from that source, which
> > is a real pain.
> >
> > - The migration seems to be successful for the users that do have POSIX
> > attributes, and ends with:
> >
> >  Passwords have been migrated in pre-hashed format.
> > IPA is unable to generate Kerberos keys unless provided
> > with clear text passwords. All migrated users need to
> > login at https://your.domain/ipa/migration/ before they
> > can use their Kerberos accounts.
> >
> > ...but I'm unable to log in to that page as any of my migrated users, or
> > bind as them with ldapsearch. It seems like the passwords were not
> > migrated?
> >
> > Because 90% of my ~350 users are only going to be using FreeIPA insomuch
> > as using services which are making use of the IPA server's LDAP, I was
> > hoping that I wouldn't need to make Kerberos tickets for those users, and
> > hence avoid needing every user to log in to the migration page. At the
> > moment, however, I'm not able to get any migrated users at all to bind to
> > LDAP or log in to that page.
> >
> > Any tips or gotchas I should know? I've no idea how to begin debugging
> > this.
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
>

Re: [Freeipa-users] migration user passwords from openldap to freeipa

2016-04-27 Thread David Kreitschmann
Are you sure that your bind DN has read access to userPassword? A default OpenLDAP
installation usually has an admin user.
Gosa ACLs are only applied when using the web interface; they are not used for
direct access via LDAP.


> On 27.04.2016 at 03:43, siology.io wrote:
> 
> I'm having issues migrating from an OpenLDAP directory (which has the Gosa 
> schema) to FreeIPA.
> 
> To migrate I'm doing (and yes, I know):
> 
> ipa migrate-ds ldap://old.server.com:389 --bind-dn 
> "cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup 
> --user-objectclass=inetOrgPerson --group-overwrite-gid 
> --user-ignore-objectclass=gosaAccount 
> --user-ignore-objectclass=gosaMailAccount 
> --user-ignore-attribute=gosaMailDeliveryMode 
> --user-ignore-attribute=gosaMailServer 
> --user-ignore-attribute=gosaSpamSortLevel 
> --user-ignore-attribute=gosaSpamMailbox --user-ignore-objectclass=sshaccount 
> --user-ignore-objectclass=gosaacl --user-ignore-attribute=sshpublickey 
> --user-ignore-attribute=sambaLMPassword 
> --user-ignore-attribute=sambaBadPasswordTime 
> --user-ignore-attribute=gosaaclentry 
> --user-ignore-attribute=sambaBadPasswordCount 
> --user-ignore-attribute=sambaNTPassword 
> --user-ignore-attribute=sambaPwdLastSet
> 
> This seems to work to import all those users which have POSIX settings set; 
> however, I have two problems:
> 
> - Am I right in thinking there's no way to auto-assign a gid/uid/home dir for 
> the non-POSIX users at migration time? That's not a deal breaker per se, but 
> I'd need to spin up a new copy of the old LDAP and then add those attributes 
> to every user, then migrate to IPA from that source, which is a real pain.
> 
> - The migration seems to be successful for the users that do have POSIX 
> attributes, and ends with:
> 
>  Passwords have been migrated in pre-hashed format.
> IPA is unable to generate Kerberos keys unless provided
> with clear text passwords. All migrated users need to
> login at https://your.domain/ipa/migration/ before they
> can use their Kerberos accounts.
> 
> ...but I'm unable to log in to that page as any of my migrated users, or bind 
> as them with ldapsearch. It seems like the passwords were not migrated?
> 
> Because 90% of my ~350 users are only going to be using FreeIPA insomuch as 
> using services which are making use of the IPA server's LDAP, I was hoping 
> that I wouldn't need to make Kerberos tickets for those users, and hence 
> avoid needing every user to log in to the migration page. At the moment, 
> however, I'm not able to get any migrated users at all to bind to 
> LDAP or log in to that page.
> 
> Any tips or gotchas I should know? I've no idea how to begin debugging this.




[Freeipa-users] migration user passwords from openldap to freeipa

2016-04-26 Thread siology.io
I'm having issues migrating from an OpenLDAP directory (which has the Gosa
schema) to FreeIPA.

To migrate I'm doing (and yes, I know):

ipa migrate-ds ldap://old.server.com:389 --bind-dn
"cn=my_user,ou=people,dc=domain,dc=com" --group-objectclass=posixGroup
--user-objectclass=inetOrgPerson --group-overwrite-gid
--user-ignore-objectclass=gosaAccount
--user-ignore-objectclass=gosaMailAccount
--user-ignore-attribute=gosaMailDeliveryMode
--user-ignore-attribute=gosaMailServer
--user-ignore-attribute=gosaSpamSortLevel
--user-ignore-attribute=gosaSpamMailbox
--user-ignore-objectclass=sshaccount --user-ignore-objectclass=gosaacl
--user-ignore-attribute=sshpublickey
--user-ignore-attribute=sambaLMPassword
--user-ignore-attribute=sambaBadPasswordTime
--user-ignore-attribute=gosaaclentry
--user-ignore-attribute=sambaBadPasswordCount
--user-ignore-attribute=sambaNTPassword
--user-ignore-attribute=sambaPwdLastSet

This seems to work to import all those users which have POSIX settings
set; however, I have two problems:

- Am I right in thinking there's no way to auto-assign a gid/uid/home dir
for the non-POSIX users at migration time? That's not a deal breaker per
se, but I'd need to spin up a new copy of the old LDAP and then add those
attributes to every user, then migrate to IPA from that source, which is a
real pain.

- The migration seems to be successful for the users that do have POSIX
attributes, and ends with:

 Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.

...but I'm unable to log in to that page as any of my migrated users, or
bind as them with ldapsearch. It seems like the passwords were not
migrated?

Because 90% of my ~350 users are only going to be using FreeIPA insomuch as
using services which are making use of the IPA server's LDAP, I was hoping
that I wouldn't need to make Kerberos tickets for those users, and hence
avoid needing every user to log in to the migration page. At the moment,
however, I'm not able to get any migrated users at all to bind to LDAP or
log in to that page.

Any tips or gotchas I should know? I've no idea how to begin debugging
this.
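Two things in this thread can be checked before running migrate-ds at all: whether the bind DN can read userPassword from the source directory (David's point about ACLs), and which users lack the uidNumber/gidNumber/homeDirectory attributes the original post asks about. The script below is an added example, not code from the thread or from FreeIPA; it runs both checks over ldapsearch LDIF output and emits an LDIF modify file for the incomplete users. The host, bind DN and base DN are the thread's placeholders, the uid range starting at 20000 and the /home/<uid> convention are assumptions, and the LDIF sample embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: a pre-flight check
# on what the migrate-ds bind DN can actually read from the source OpenLDAP
# server, plus an LDIF generator for users that lack POSIX attributes.
# The LDIF fed in is assumed to come from something like (host, bind DN and
# base are the thread's placeholder values):
#   ldapsearch -LLL -x -H ldap://old.server.com:389 \
#     -D "cn=my_user,ou=people,dc=domain,dc=com" -W \
#     -b "ou=people,dc=domain,dc=com" "(objectClass=inetOrgPerson)" \
#     uid userPassword uidNumber gidNumber homeDirectory
# If userPassword never appears in that output, the source ACLs hide it from
# the bind DN and migrate-ds has no hash to copy, whatever flags it is given.

# Join LDIF continuation lines (a leading space continues the previous line).
ldif_unfold() {
    sed -e ':a' -e '$!N' -e 's/\n //' -e 'ta' -e 'P' -e 'D'
}

# One line per entry: uid|haspw|uidNumber|gidNumber|homeDirectory|dn, each
# flag 1 if the attribute is present. Attribute names are matched
# case-insensitively; base64 values (attr:: ...) count as present but are not
# decoded, so a base64-encoded uid or dn is reported in its raw encoding.
ldif_summarize() {
    ldif_unfold | awk '
        function flush() {
            if (dn != "") printf "%s|%d|%d|%d|%d|%s\n", uid, haspw, uidn, gidn, home, dn
            dn = ""; uid = ""; haspw = 0; uidn = 0; gidn = 0; home = 0
        }
        function value(s) { sub(/^[^:]*::? */, "", s); return s }
        { line = tolower($0) }
        line ~ /^dn::? /            { flush(); dn = value($0); next }
        line ~ /^uid::? /           { uid = value($0); next }
        line ~ /^userpassword::? /  { haspw = 1; next }
        line ~ /^uidnumber::? /     { uidn = 1; next }
        line ~ /^gidnumber::? /     { gidn = 1; next }
        line ~ /^homedirectory::? / { home = 1; next }
        END { flush() }
    '
}

# Entries whose password hash the bind DN could not read.
count_missing_password() {
    ldif_summarize | awk -F'|' '$2 == 0 { n++ } END { print n + 0 }'
}

# Entries missing any of uidNumber, gidNumber, homeDirectory.
count_missing_posix() {
    ldif_summarize | awk -F'|' '$3 == 0 || $4 == 0 || $5 == 0 { n++ } END { print n + 0 }'
}

# LDIF "changetype: modify" operations that add only the POSIX attributes an
# entry lacks, numbering from $1 (default 20000). Assumed policy, adjust to
# taste: gidNumber = uidNumber and homeDirectory = /home/<uid>. Review the
# output, then apply it with ldapmodify to a copy of the source directory
# and point migrate-ds at that copy.
ldif_posix_fixup() {
    ldif_summarize | awk -F'|' -v id="${1:-20000}" '
        $3 == 0 || $4 == 0 || $5 == 0 {
            printf "dn: %s\nchangetype: modify\n", $6
            if ($3 == 0) printf "add: uidNumber\nuidNumber: %d\n-\n", id
            if ($4 == 0) printf "add: gidNumber\ngidNumber: %d\n-\n", id
            if ($5 == 0) printf "add: homeDirectory\nhomeDirectory: /home/%s\n-\n", $1
            printf "\n"
            id++
        }'
}

# Constructed sample of ldapsearch output, not real directory data: alice is
# complete, bob's hash is not visible, carol has no uidNumber/gidNumber and a
# folded homeDirectory line. alice's value is the base64 of "{SSHA}sample";
# carol's is a placeholder string, not a real hash.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=domain,dc=com
uid: alice
userPassword:: e1NTSEF9c2FtcGxl
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=people,dc=domain,dc=com
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob

dn: uid=carol,ou=people,dc=domain,dc=com
uid: carol
userPassword: {SSHA}c2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==
homeDirectory: /srv/home/ca
 rol
'

# Stand-alone run on the sample; in practice pipe the ldapsearch output in.
printf '%s' "$SAMPLE_LDIF" | ldif_summarize
printf '%s' "$SAMPLE_LDIF" | ldif_posix_fixup
```

After migrate-ds, the equivalent check on the IPA side is a plain simple bind as a migrated user, for example `ldapwhoami -x -H ldaps://ipa.example.com -D uid=alice,cn=users,cn=accounts,dc=example,dc=com -W` (hostname and suffix assumed). That bind uses the migrated hash directly; per the message migrate-ds prints, the /ipa/migration/ step exists to obtain a cleartext password for Kerberos key generation, which is the part the LDAP-only users in this thread do not need.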