On 07/20/2014 06:37 PM, Rob Crittenden wrote:
sergey ivanov wrote:
Dear IPA developers, I'd like to describe what we are doing and ask
about existing ways to do it easier, or if there are no such ways - to
propose creating some tools to ease such a way of migration.

We are preparing for migration to IPA. In our organization we were
using kerberos servers for authentication together with /etc/passwd
files for managing user access to hosts. In our organization we also
are using kerberos together with .htaccess files for web
authentication. And kerberos with pam for mail services, - both IMAP
and SMTP via dovecot.

I asked some time ago and got reply here in this mailing list, that
there is no way to use kdb_util to dump kerberos database and get from
the dump values for inserting into IPA's ldap kerberos principal
fields for user entries. So, we ended up using a special web page, which
authenticates our users against existing kerberos servers and after
successful authentication resets the password for this user in IPA.

We did not want password in IPA to be in "expired" state, so that
users must change once more at first login.  As a workaround we are
using 2 different kerberos connection caches for each session: one for
administrator for setting up user password to something unique, and
second - for authenticating with this unique password as a user, just
to reset it to the value requested by the user through the web form.

I think there would be pretty many similar cases. Maybe having
customizable web form on IPA server itself, authenticating for user
against some old external authentication system from which the
migration is being performed would be the best.

If not, then at least some standard way to drop privileges from
administrator to user, for setting up password or maybe even other
fields, would be great.

I take it that the LDAP connection used by your migration page isn't
using the credentials provided by the user, but binding using some
service account? Binding as the user would be ideal, but if you can't
you can add the dn for that service account to the
passSyncManagersDNs list to have it not cause a reset.

% ldapmodify -x -D "cn=Directory Manager" -W
Enter LDAP Password: *******
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com


Should we turn it into HOWTO?

Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
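
Added example (not part of the original thread and not FreeIPA project code): any DN listed in passSyncManagersDNs can set user passwords without triggering the reset described above, so the list is worth auditing once the migration page is retired. The sketch below parses ldapsearch LDIF output for cn=ipa_pwd_extop and compares it to an approved list; the sample LDIF, the approved list and the function names are constructed for illustration.

```python
import base64

# Constructed sample, shaped like the output of:
#   ldapsearch -x -D "cn=Directory Manager" -W -s base \
#     -b cn=ipa_pwd_extop,cn=plugins,cn=config passSyncManagersDNs
SAMPLE_LDIF = (
    "dn: cn=ipa_pwd_extop,cn=plugins,cn=config\n"
    "passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com\n"
    "passSyncManagersDNs: uid=oldscript,cn=users,cn=accounts,\n"
    " dc=example,dc=com\n"  # folded LDIF line
    "passSyncManagersDNs:: "
    + base64.b64encode(b"UID=test, cn=users,cn=accounts,dc=example,dc=com").decode()
    + "\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (one leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_values(ldif, attr):
    """Return every value of attr, decoding base64 ("attr:: ...") values."""
    values = []
    for line in unfold(ldif):
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values

def norm_dn(dn):
    # Simplified normalization (assumption): no escaped commas in the DNs.
    return ",".join(part.strip() for part in dn.lower().split(","))

def audit(ldif, approved):
    """Return (unexpected, missing) DNs relative to the approved list."""
    allowed = {norm_dn(d) for d in approved}
    found = {norm_dn(d) for d in attr_values(ldif, "passSyncManagersDNs")}
    return sorted(found - allowed), sorted(allowed - found)

if __name__ == "__main__":
    approved = ["uid=webadmin,cn=users,cn=accounts,dc=example,dc=com"]
    print(audit(SAMPLE_LDIF, approved))
```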
