I am in the midst of preparing for a migration from OpenLDAP to FreeIPA. ds-migrate wasn't going to fill all of my needs so I thought I would use it for most and then make up some LDIFs and massage them to do the last bit of migration.
I have instead decided to extend ds-migrate and I think that my features might be of use to others so I would like to contribute them. Before I get too far I wanted to get some input from the community.

Here are MY original goals:

* Migrate ssh public keys
  The openssh-lpk schema is used in my tree so objectClass: ldapPublicKey attribute: sshPublicKey

* Migrate disabled accounts as disabled
  We 'disable' users by setting their shadowExpire to a date in the past and setting their shell to /bin/false

I realized that the ssh-public key problem is more generally an attribute mapping problem and dealing with disabled users could be more generalized too. Here are instead the new features I would provide.

* Attribute mapping
  Feature should check the new syntax exists and is the same as the old syntax (perhaps further check for compatible syntax)
    --user-attribute-map=oldAttribute=newAttribute
    --group-attribute-map=foo=bar
  Should I drop user/group and just make it --attribute-map and apply it to both?
  Should certain attributes be mapped by default, i.e. sshPublicKey=ipaSSHPubKey (this means we also need to ignore the objectClass ldapPublicKey by default)
  Maybe make a separate switch --with-ssh-keys that automatically adds a map and an ignore?

* Handling disabled users
  1. How to identify disabled users?
     a. shadowExpire < now()
        --use-disable-shadow-expire
     b. loginShell is one of configurable shells
        --use-disable-login-shell --disabled-shell=/bin/false --disabled-shell=/sbin/nologin (these two would be the defaults)
     c. nsAccountLocked (though that would be straight copied by the migrator anyway)
     d. From Open DJ the attribute ds-pwp-account-disabled can be used to identify disabled users (are there others?)
  2. What to do with disabled users (in my case migrate and disable)
     a. Migrate them and don't touch nsAccountLocked
     b. Migrate them and set nsAccountLocked = true
        --disable-users
     c. Do not migrate them
        --skip-disabled-users
     d. Which is the default? Migrate and disable?
If so which are the default methods for identifying them? All methods?

So is there anything I'm missing? Any suggestions on the switches? I'm not entirely sure I like them the way they are. I have code to cover about 60% of the above already. The user-attr-map feature is working and the --disabled-users and disabled-shells options are working.

Regards,
-Alan
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
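The two features proposed above (an old=new attribute map with an objectClass ignore list, and a configurable policy for detecting and handling disabled accounts) can be modelled as a small pure-Python pass over LDAP entries. This is an added illustration, not code from the post or from FreeIPA's migrate-ds. It assumes entries are dicts of attribute name to list of string values, that shadowExpire holds days since 1970-01-01 as in shadow(5) with -1 meaning "never", and that the sample entries, the "today" date and the function names are constructed here. The target attribute is written ipaSshPubKey (LDAP attribute names are case-insensitive, so this matches the post's ipaSSHPubKey).

```python
"""Toy model of the proposed --user-attribute-map / --disable-users options.

Constructed example; not the migrate-ds implementation. Entries are dicts of
attribute -> list of values, as an LDIF reader might produce.
"""
from datetime import date, timedelta

# Defaults named in the post for --disabled-shell.
DEFAULT_DISABLED_SHELLS = frozenset({"/bin/false", "/sbin/nologin"})
# What a --with-ssh-keys switch would add: one map entry plus one ignored objectClass.
SSH_KEY_MAP = {"sshpublickey": "ipaSshPubKey"}
SSH_KEY_IGNORED_OBJECTCLASSES = frozenset({"ldappublickey"})


def parse_attr_map(specs):
    """Parse repeated old=new arguments into a lowercase-keyed dict."""
    mapping = {}
    for spec in specs:
        old, sep, new = spec.partition("=")
        if not sep or not old or not new:
            raise ValueError(f"bad attribute map {spec!r}, expected old=new")
        mapping[old.lower()] = new
    return mapping


def map_attributes(entry, attr_map, ignore_objectclasses=frozenset()):
    """Rename attributes per attr_map and drop objectClass values the
    target schema does not know (e.g. ldapPublicKey)."""
    out = {}
    for attr, values in entry.items():
        key = attr.lower()
        target = attr_map.get(key, attr)
        if key == "objectclass":
            values = [v for v in values if v.lower() not in ignore_objectclasses]
        out.setdefault(target, []).extend(values)
    return out


def disabled_reasons(entry, today, use_shadow_expire=True, use_login_shell=True,
                     disabled_shells=DEFAULT_DISABLED_SHELLS):
    """Return the list of signals (post's 1a-1d) that mark this entry disabled."""
    e = {k.lower(): v for k, v in entry.items()}
    reasons = []
    if use_shadow_expire and e.get("shadowexpire"):
        try:
            days = int(e["shadowexpire"][0])  # shadow(5): days since epoch, -1 = never
        except ValueError:
            days = -1
        if days >= 0 and date(1970, 1, 1) + timedelta(days=days) < today:
            reasons.append("shadowExpire")
    if use_login_shell and any(s in disabled_shells for s in e.get("loginshell", [])):
        reasons.append("loginShell")
    if any(v.lower() == "true" for v in e.get("nsaccountlocked", [])):
        reasons.append("nsAccountLocked")
    if any(v.lower() == "true" for v in e.get("ds-pwp-account-disabled", [])):
        reasons.append("ds-pwp-account-disabled")
    return reasons


def migrate_entry(entry, attr_map, today, ignore_objectclasses=frozenset(),
                  disable_users=True, skip_disabled=False):
    """Apply the map, then the disabled-user policy (post's 2a-2c).
    Returns None when the entry is skipped."""
    reasons = disabled_reasons(entry, today)
    if reasons and skip_disabled:
        return None
    out = map_attributes(entry, attr_map, ignore_objectclasses)
    if reasons and disable_users:
        # Replace any existing nsAccountLocked value, whatever its case.
        for k in [k for k in out if k.lower() == "nsaccountlocked"]:
            del out[k]
        out["nsAccountLocked"] = ["TRUE"]
    return out


# Constructed sample entries and a fixed "now" for repeatable results.
TODAY = date(2013, 6, 1)
ALICE = {"uid": ["alice"], "objectClass": ["posixAccount", "ldapPublicKey"],
         "loginShell": ["/bin/bash"], "shadowExpire": ["-1"],
         "sshPublicKey": ["ssh-rsa AAAAB3NzaC1yc2E-constructed alice@example"]}
BOB = {"uid": ["bob"], "objectClass": ["posixAccount"],
       "loginShell": ["/bin/false"], "shadowExpire": ["15000"]}  # Jan 2011 < TODAY

if __name__ == "__main__":
    amap = {**parse_attr_map(["sshPublicKey=ipaSshPubKey"]), **SSH_KEY_MAP}
    for src in (ALICE, BOB):
        print(src["uid"][0], disabled_reasons(src, TODAY),
              migrate_entry(src, amap, TODAY, SSH_KEY_IGNORED_OBJECTCLASSES))
```

Each detection method is an independent switch, so the "which defaults?" question in the post reduces to the keyword defaults of disabled_reasons; turning one off is a matter of passing use_shadow_expire=False rather than changing the logic.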