subject:"\[Freeipa\-devel\] \[PATCH\] Add DS to IPA migration plugin and password migration page."

Re: [Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

2009-10-30 Thread Dmitri Pal

Pavel Zuna wrote:
 Rob Crittenden wrote:
 Pavel Zuna wrote:
 Example output of migration plugin:

 I have a DS server setup on a VM at 192.168.122.4 and I made a few
 tweaks to show how errors are reported.

 # ipa migrate-ds ldap://192.168.122.4:389
 Password:
 Enter password again to verify:
 ---
 migrate-ds:
 ---
 Migrated:
   users: pzuna, mnagy
   groups: skupina1, skupina2, skupina3
 Errors:
   user: mnagy: Kerberos principal mn...@pzuna already exists. Use
 'ipa user-mod' to set it manually.
   group: accounting managers: This entry already exists
   group: hr managers: This entry already exists
   group: qa managers: This entry already exists
   group: pd managers: This entry already exists
 --
 Passwords have been migrated in pre-hashed format. IPA is unable to
 generate Kerberos keys unless provided with clean text passwords.
 All migrated users need to login at
 http://your.domain/ipa/migration/ before they can use their Kerberos
 accounts.

 I didn't try it yet, but this might also work for IPAv1-IPAv2
 migration.

 Pavel

 I have some concerns with this. Rather than presenting a user
 password change page this enables basic-auth like kerberos negotiate
 fallback and uses the username/password presented there to do the
 password reset. I thought we had discussed actually presenting a form
 to the user to prompt for this information.
 
  One of our goals is to promote the usage of single sign-on using
  kerberos. Enabling the password fallback can be practical and needed in
  some cases but I think by default we want to leave it off.
 

 According to this page, we need to use form base authentication to
 replay the password:
 https://wiki.idm.lab.bos.redhat.com/export/idmwiki/Migration_from_DS_server_to_IPA


 At first, I thought that form base authentication is a normal HTML
 form, but the term is actually pretty ambiguous and there is no way to
 replay HTML form data.

 Without the kerberos negotiate fallback on, replaying the password is
 useless. There's no replaying going on actually.

 So, either:
 1) we set negotiate fallback ON and use password replaying, after
 migration page, the user is redirected to his kerberos protected
 self-service page without the need to enter his password twice

But this should be done once during his migration.
Next time he gets to this page if he does not have a ticket and tries to
log in using password the server should say: you already migrated use
use kinit to obtain kerberos ticket.
Next time he tries to get to this page already having a ticket the page
should not be displayed at all and he should be redirected to to the
self service screen.

Agree?

 2) we only use the password migration page to generate kerberos keys
 and tell users to use kinit from then on.

 The function get_base_dn() needs some error handling. I'm not sure
 how this will blow up if the LDAP server is down but it won't be
 pretty, it assumes that a namingcontext is returned, etc.
 
 For the migration there is a typo in pwd_migration_msg, clean text
 instead of clear text.


 Ok, I'm going to fix those asap.

 Why are you duplicating the user_add functionality instead of calling
 api.Command['user_add']?

 Same with groups, why not user the gropu_add and group_add_member
 methods?

 Because it would be too much overhead.

 Migrating a single user would mean:
 - extract data from DS and convert it to the format accepted by IPA
 commands
 - user_add (2 ldap operations: RETRIEVE ipaConfig, ADD)
 - user_mod (2 ldap operations: RETRIEVE, MODIFY)

 Now that's 4 operations instead of 1 and a lot of needless processing.
 It's even worst for groups, because we also have to do group_add_member.

 On the other hand, migration is a one-shot process, so we don't have
 to be concerned about speed/server load that much and using IPA
 commands has its advantages.


 rob

 Pavel

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

2009-10-30 Thread Dmitri Pal

Rob Crittenden wrote:
 Dmitri Pal wrote:
 Simo Sorce wrote:
 On Fri, 2009-10-30 at 15:56 -0400, Dmitri Pal wrote:
  
 But then you have to update it on all replicas and will definitely
 forget to do it.
 Is it really a hassle to have it in the DS?
 
 Yes it means you have to build a UI to manage that attribute, create
 it,
 find a place where to store it in the tree etc.. and adds cruft to the
 tree.

   
 There are a lot of other things that we put in the cn=config replicate
 but do not provide UI.
 Admin will just run ldapmodify command for this attribute and this is
 it.

 I agree with Simo. I think it would require more development time than
 user's would benefit.

 We can always include this static file when we create replicas (just
 won't help those replica's already created). It is simple enough to
 copy a file around.

 Plus in order to store it in an LDAP attribute it means that whatever
 page displays the message needs to be a separate server-side program
 that reads and displays the data. Not difficult, again just seems like
 overkill.


I agree that file is easier. But I though that on the grand scale of
things we want to reduce the amount of things that are configured in the
files
and not natively replicated by DS.
We talked about moving part of the kdc configuration into the DS for
example so I was thinking that if we plan to do it eventually why create
other pieces scattered around that we would have to put into DS later.
Why not do it right away.
A bit of upfront work now, not huge though, but paves a road for better
config param centralization and elimination of the scattered config files.

But if you say it is not worth it and too much a can understand.
 


 A file is a simple drop in and admins can easily change it at any time.

 True, if they forget to replicate it on other servers it will get
 out of
 sync, but it is also easy to fix that if it happens. We can put a
 comment in the template that reminds admins to always replicate it to
 all servers.
   
 Why it should be limited to a server. This IMO will be an artificaial
 limitation.
 Any server can perform migration and replicate the created kerberos keys
 so why limit?

 I agree with you here. No reason any IPA server can't assist with the
 migration.


 However do you think admins will set it up on all servers ? 
 Yes. I do not see set. Functionality is just there available from any
 server.
  They do not need to do anything to set it up.

 I agree.

 rob


 I was
 thinking they would set up the migration stuff only on one server and
 give out only one server URL, so I don't think we should care about
 replicating it to other servers normally.

 Simo.

   



 

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

Re: [Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.

2 matches

Site Navigation

Mail list logo

Footer information