I am in the midst of preparing for a migration from OpenLDAP to FreeIPA.
ds-migrate wasn't going to fill all of my needs so I thought I would use it
for most and then make up some LDIF's and massage them to do the last bit
of migration.

I have instead decided to extend ds-migrate and I think that my features
might be of use to others so I would like to contribute them.  Before I get
too far I wanted to get some input from the community.

Here are MY original goals:
* Migrate ssh public keys
  The openssh-lpk schema is used in my tree so objectClass: ldapPublicKey
attribute: sshPublicKey
* Migrate disabled accounts as disabled
  We 'disable' users by setting their shadowExpire to a date in the past
and setting their shell to /bin/false

I realized that the ssh-public key problem is more generally an attribute
mapping problem and dealing with disabled users could be more generalized
too.

Here are instead the new features I would provide.

* Attribute mapping
  Feature should check the new syntax exists and is the same as the old
syntax (perhaps further check for compatible syntax)
  --user-attribute-map=oldAttribute=newAttribute
  --group-attribute-map=foo=bar
  Should I drop user/group and just make it --attribute-map and apply it to
both?
  Should certain attributes be mapped by default, i.e.
sshPublicKey=ipaSSHPubKey (this means we also need to ignore the
objectClass ldapPublicKey by default)  Maybe make a separate switch
--with-ssh-keys that automatically adds a map and an ignore?

* Handling disabled users
  1. How to identify disabled users?
    a. shadowExpire < now()
        --use-disable-shadow-expire
    b. loginShell is one of configurable shells
        --use-disable-login-shell
        --disabled-shell=/bin/false --disabled-shell=/sbin/nologin (these
two would be the defaults)
    c. nsAccountLocked (though that would be straight copied by the
migrator anyway)
    d. From OpenDJ the attribute ds-pwp-account-disabled can be used to
identify disabled users
    (are there others?)
  2.  What to do with disabled users (in my case migrate and disable)
    a. Migrate them and don't touch nsAccountLocked
    b. Migrate them and set nsAccountLocked = true
       --disable-users
    c. Do not migrate them
       --skip-disabled-users
    d. Which is the default?  Migrate and disable?  If so which are the
default methods for identifying them?  All methods?

So is there anything I'm missing?  Any suggestions on the switches? I'm not
entirely sure I like them the way they are.

I have code to cover about 60% of the above already.  The user-attr-map
feature is working and the --disabled-users and disabled-shells options are
working.

Regards,
-Alan
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
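The two proposals above (attribute mapping with a default ssh-key map plus objectClass ignore, and identifying disabled users by shadowExpire, loginShell, nsAccountLocked or ds-pwp-account-disabled and then either locking or skipping them) worked through as a small Python transform. This is an added example, not ipa-migrate-ds code or code from the post; entries are modelled as dicts of attribute name to list of string values (the shape python-ldap returns once decoded), the sample entries are constructed, and the `DisabledPolicy` fields, the `today_days` parameter and the helper names are this example's own. LDAP attribute names compare case-insensitively, so the post's `ipaSSHPubKey` and the schema spelling `ipaSshPubKey` name the same attribute.

```python
"""Attribute mapping and disabled-user handling for an LDAP -> FreeIPA migration.

Added example, not ipa-migrate-ds code.  Entries are dicts of
attribute -> list of str values.  Option names mirror the switches proposed
in the post; the policy object and today_days parameter are this example's own.
"""
from dataclasses import dataclass, field
from datetime import date

# Default map and ignore list behind a hypothetical --with-ssh-keys switch.
# Attribute names are matched case-insensitively; the FreeIPA schema spells
# the target attribute ipaSshPubKey.
SSH_KEY_MAP = {"sshpublickey": "ipaSshPubKey"}
SSH_KEY_IGNORED_OBJECTCLASSES = frozenset({"ldappublickey"})


def parse_attribute_map(specs):
    """Parse repeated --attribute-map=oldAttribute=newAttribute options.

    Keys are lower-cased so lookups are case-insensitive like LDAP itself; a
    malformed spec raises instead of silently dropping an attribute.
    """
    attr_map = {}
    for spec in specs:
        old, sep, new = spec.partition("=")
        if not sep or not old or not new:
            raise ValueError("expected oldAttribute=newAttribute, got %r" % spec)
        attr_map[old.lower()] = new
    return attr_map


def apply_attribute_map(entry, attr_map, ignored_objectclasses=frozenset()):
    """Return a copy of entry with attributes renamed and object classes dropped."""
    ignored = {oc.lower() for oc in ignored_objectclasses}
    out = {}
    for attr, values in entry.items():
        new_attr = attr_map.get(attr.lower(), attr)
        if new_attr.lower() == "objectclass":
            values = [v for v in values if v.lower() not in ignored]
        # Two source attributes mapped onto one target are merged, not clobbered.
        out.setdefault(new_attr, []).extend(values)
    return out


def _get(entry, attr):
    """Case-insensitive lookup of one attribute's values (empty list if absent)."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values
    return []


@dataclass
class DisabledPolicy:
    use_shadow_expire: bool = True     # --use-disable-shadow-expire
    use_login_shell: bool = True       # --use-disable-login-shell
    disabled_shells: set = field(      # repeated --disabled-shell=..., post's defaults
        default_factory=lambda: {"/bin/false", "/sbin/nologin"})
    disable_users: bool = True         # --disable-users: set nsAccountLocked on migrate
    skip_disabled: bool = False        # --skip-disabled-users: do not migrate at all


def is_disabled(entry, policy, today_days=None):
    """Apply the identification methods from the post; any single match counts.

    shadowExpire is in days since 1970-01-01 (shadow(5)); an empty or negative
    value means the account never expires, so only 0 <= expire < today counts.
    """
    if today_days is None:
        today_days = (date.today() - date(1970, 1, 1)).days
    if policy.use_shadow_expire:
        for raw in _get(entry, "shadowExpire"):
            try:
                expire = int(raw)
            except ValueError:
                continue  # malformed value: do not guess, fall through to other checks
            if 0 <= expire < today_days:
                return True
    if policy.use_login_shell:
        if any(shell in policy.disabled_shells for shell in _get(entry, "loginShell")):
            return True
    if any(v.upper() == "TRUE" for v in _get(entry, "nsAccountLocked")):
        return True  # 389-ds / FreeIPA lock flag (copied through by the migrator anyway)
    if any(v.lower() == "true" for v in _get(entry, "ds-pwp-account-disabled")):
        return True  # OpenDJ password-policy disable flag
    return False


def migrate_user(entry, attr_map, ignored_objectclasses, policy, today_days=None):
    """Return the migrated entry, or None when a disabled user is skipped."""
    disabled = is_disabled(entry, policy, today_days)
    if disabled and policy.skip_disabled:
        return None
    out = apply_attribute_map(entry, attr_map, ignored_objectclasses)
    if disabled and policy.disable_users:
        out["nsAccountLocked"] = ["TRUE"]
    return out


# Constructed sample entries (not real directory data).
SAMPLE_DISABLED = {
    "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount", "ldapPublicKey"],
    "uid": ["alice"],
    "loginShell": ["/bin/false"],
    "shadowExpire": ["15000"],
    "sshPublicKey": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey alice@example"],
}
SAMPLE_ACTIVE = {
    "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
    "uid": ["bob"],
    "loginShell": ["/bin/bash"],
    "shadowExpire": ["-1"],
}
```

Passing `today_days` explicitly keeps the shadowExpire comparison deterministic in tests and in a dry run; when it is omitted the current date is used, which is what a real migration wants.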