>>> Dear IPA developers, I'd like to describe what we are doing and ask
>>> about existing ways to do it easier, or if there are no such ways - to
>>> propose creating some tools to ease such a way of migration.
>>> We are preparing for migration to IPA. In our organization we were
>>> using kerberos servers for authentication together with /etc/passwd
>>> files for managing user access to hosts. In our organization we also
>>> are using kerberos together with .htaccess files for web
>>> authentication. And kerberos with pam for mail services, - both IMAP
>>> and SMTP via dovecot.
>>> I asked some time ago and got reply here in this mailing list, that
>>> there is no way to use kdb_util to dump kerberos database and get from
>>> the dump values for inserting into IPA's ldap kerberos principal
>>> fields for user entries. So, we ended up using a special web page, which
>>> authenticate our users against existing kerberos servers and after
>>> successful authentication reset password for this user in IPA.
>>> We did not want the password in IPA to be in "expired" state, so that
>>> users must change it once more at first login.  As a workaround we are
>>> using 2 different kerberos credential caches for each session: one for
>>> the administrator for setting up the user password to something unique, and
>>> a second - for authenticating with this unique password as the user, just
>>> to reset it to the value requested by the user through the web form.
>>> I think there would be pretty many similar cases. Maybe having a
>>> customizable web form on the IPA server itself, authenticating the user
>>> against some old external authentication system from which the
>>> migration is being performed would be the best.
>>> If not, then at least some standard way to drop privileges from
>>> administrator to user, for setting up the password or maybe even other
>>> fields, would be great.
>> I take it that the LDAP connection used by your migration page isn't
>> using the credentials provided by the user, but binding using some
>> service account? Binding as the user would be ideal, but if you can't
>> you can add the dn for that service account to the
>> passSyncManagersDNs list to have it not cause a reset.
>> % ldapmodify -x -D "cn=Directory Manager" -W
>> Enter LDAP Password: *******
>> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> changetype: modify
>> add: passSyncManagersDNs
>> passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com
I believe this is already in the documentation.
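As an added illustration of the passSyncManagersDNs change described in the quoted reply (this script is not part of the thread or of FreeIPA; the function names, the sample ldapsearch output, and the service account DNs in it are my own constructions), the following POSIX shell script wraps the ldapmodify step so that it can be run repeatedly without adding the same DN twice. The parsing helpers unfold LDIF continuation lines, since ldapsearch wraps values longer than 76 characters onto a following line that begins with a space, and compare DNs case-insensitively; only the --apply path talks to a real directory server.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently register a migration
# service account in the ipa_pwd_extop plugin's passSyncManagersDNs list.
# ldapsearch/ldapmodify are only invoked via "--apply <dn>"; the helpers
# below are pure text functions that work on any LDIF fed to them.
PLUGIN_DN='cn=ipa_pwd_extop,cn=plugins,cn=config'

# LDIF folds long values onto continuation lines that start with one
# space.  Join them back so a long DN is compared as a single value.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }'
}

# is_pass_sync_manager DN   (LDIF on stdin)
# Succeeds when DN is already a passSyncManagersDNs value; DNs are
# matched case-insensitively, as the directory treats them.
is_pass_sync_manager() {
  unfold_ldif \
    | grep -i '^passSyncManagersDNs: ' \
    | sed 's/^[^:]*: //' \
    | grep -Fixq -- "$1"
}

# make_add_ldif DN
# Emit the same modify operation the thread shows, for the given DN.
make_add_ldif() {
  printf 'dn: %s\nchangetype: modify\nadd: passSyncManagersDNs\npassSyncManagersDNs: %s\n' \
    "$PLUGIN_DN" "$1"
}

# apply_pass_sync_manager DN
# Reads the plugin entry, and only adds the DN if it is not listed yet.
# Prompts for the Directory Manager password (ldapsearch -W, ldapmodify -W).
apply_pass_sync_manager() {
  svc_dn="$1"
  if ldapsearch -LLL -x -D 'cn=Directory Manager' -W \
       -b "$PLUGIN_DN" -s base passSyncManagersDNs \
     | is_pass_sync_manager "$svc_dn"; then
    echo "$svc_dn is already listed in passSyncManagersDNs" >&2
    return 0
  fi
  make_add_ldif "$svc_dn" | ldapmodify -x -D 'cn=Directory Manager' -W
}

# Constructed sample of what ldapsearch could return (not captured from a
# real server); the second DN is folded across two lines as ldapsearch
# does for long values.
SAMPLE_LDIF='dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=exa
 mple,dc=com'

if [ "${1:-}" = "--apply" ]; then
  apply_pass_sync_manager "${2:?usage: $0 --apply <service-account-dn>}"
fi
```

Run it as `sh add-pwsync-manager.sh --apply 'uid=webadmin,cn=users,cn=accounts,dc=example,dc=com'` on the IPA server; without --apply it only defines the functions, which is what makes the text handling testable offline.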