I was thinking more about the solution to fix migration in FreeIPA 4.0 as
proposed in
and I realized it will be more complicated.

Conditionally enabling nsslapd-allow-hashed-passwords in cn=config when
migration mode is enabled is tricky as this setting is not replicated, compared
to ipamigrationenabled.

So enabling the migration on one server would still leave it broken on other
servers. The same applies for disabling it again.

Any ideas how to solve the issue? I am thinking we may need to unconditionally
enable this cn=config setting for now to unblock migration (thus effectively
revert https://fedorahosted.org/389/ticket/47389). Any other solution I can
think of would be too complicated.


Martin Kosek <mko...@redhat.com>
Supervisor, Software Engineering - Identity Management Team
Red Hat Inc.

Freeipa-devel mailing list

Reply via email to