Dear IPA developers,

I'd like to describe what we are doing and ask about existing ways to do it more easily or, if there are no such ways, to propose creating some tools to ease this kind of migration.
We are preparing for migration to IPA. In our organization we were using Kerberos servers for authentication together with /etc/passwd files for managing user access to hosts. In our organization we are also using Kerberos together with .htaccess files for web authentication, and Kerberos with PAM for mail services, both IMAP and SMTP via dovecot.

I asked some time ago and got a reply here on this mailing list that there is no way to use kdb_util to dump the Kerberos database and get from the dump values for inserting into IPA's LDAP Kerberos principal fields for user entries. So we ended up using a special web page, which authenticates our users against the existing Kerberos servers and, after successful authentication, resets the password for this user in IPA.

We did not want the password in IPA to be in the "expired" state, so that users must change it once more at first login. As a workaround we are using 2 different Kerberos connection caches for each session: one for the administrator, for setting the user's password to something unique, and a second for authenticating with this unique password as the user, just to reset it to the value requested by the user through the web form.

I think there would be pretty many similar cases. Maybe having a customizable web form on the IPA server itself, authenticating the user against some old external authentication system from which the migration is being performed, would be the best. If not, then at least some standard way to drop privileges from administrator to user, for setting up the password or maybe even other fields, would be great.

--
Regards,
Sergey Ivanov
http://www.linkedin.com/pub/sergey-ivanov/8/270/a09
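The two-cache workaround described in the message above, sketched as an added example; it is not the poster's code and not something shipped with FreeIPA. The realm names, the keytab path and the `pwmigrate` principal are hypothetical, and the sketch assumes that `kinit` and `ipa passwd` read passwords from standard input when it is not a terminal.

```python
import os, re, secrets, subprocess, tempfile

OLD_REALM = "OLD.EXAMPLE.COM"                 # hypothetical legacy realm
IPA_REALM = "IPA.EXAMPLE.COM"                 # hypothetical IPA realm
ADMIN_KEYTAB = "/etc/pwmigrate/reset.keytab"  # hypothetical keytab path
ADMIN_PRINC = "pwmigrate@" + IPA_REALM        # hypothetical reset-only principal


def run_tool(argv, ccache, stdin_text=None):
    """Run one CLI tool bound to a single credential cache via KRB5CCNAME."""
    env = dict(os.environ, KRB5CCNAME="FILE:" + ccache)
    proc = subprocess.run(argv, env=env, input=stdin_text, text=True,
                          capture_output=True)
    return proc.returncode == 0


def migrate_password(user, old_pw, new_pw, run=run_tool):
    """Return "ok" or the name of the step that failed."""
    # Web-form input: no option-like names, no newlines in the stdin protocol.
    if not re.fullmatch(r"[a-z_][a-z0-9_.-]{0,31}", user):
        return "bad-input"
    if not old_pw or not new_pw or "\n" in old_pw or "\n" in new_pw:
        return "bad-input"
    with tempfile.TemporaryDirectory() as tmp:  # all caches removed on exit
        legacy_cc = os.path.join(tmp, "legacy")
        admin_cc = os.path.join(tmp, "admin")
        user_cc = os.path.join(tmp, "user")
        # 1. Prove the user knows the password held by the old KDC.
        if not run(["kinit", f"{user}@{OLD_REALM}"], legacy_cc, old_pw + "\n"):
            return "legacy-auth"
        # 2. Admin cache: set a random one-time password in IPA.
        temp_pw = secrets.token_urlsafe(24)
        if not run(["kinit", "-k", "-t", ADMIN_KEYTAB, ADMIN_PRINC], admin_cc):
            return "admin-auth"
        if not run(["ipa", "passwd", user], admin_cc, temp_pw + "\n"):
            return "admin-reset"
        # 3. User cache: log in with the one-time password; kinit then asks
        #    for the replacement twice, so the user's own change clears the
        #    "expired" state left by the admin reset.
        answers = f"{temp_pw}\n{new_pw}\n{new_pw}\n"
        if not run(["kinit", f"{user}@{IPA_REALM}"], user_cc, answers):
            return "user-change"
    return "ok"
```

Passwords travel only over standard input, never on a command line, and the privileged cache is never used for the step that runs as the user.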
