Dmitri Pal wrote:
> On 07/20/2014 06:37 PM, Rob Crittenden wrote:
>> sergey ivanov wrote:
>>> Dear IPA developers, I'd like to describe what we are doing and ask
>>> about existing ways to do it easier, or if there is no such way, to
>>> propose creating some tools to ease such a migration.
>>>
>>> We are preparing for migration to IPA. In our organization we were
>>> using kerberos servers for authentication together with /etc/passwd
>>> files for managing user access to hosts. In our organization we also
>>> are using kerberos together with .htaccess files for web
>>> authentication, and kerberos with pam for mail services, both IMAP
>>> and SMTP via dovecot.
>>>
>>> I asked some time ago and got a reply here in this mailing list that
>>> there is no way to use kdb_util to dump the kerberos database and get from
>>> the dump values for inserting into IPA's LDAP kerberos principal
>>> fields for user entries. So, we ended up using a special web page, which
>>> authenticates our users against the existing kerberos servers and after
>>> successful authentication resets the password for this user in IPA.
>>>
>>> We did not want the password in IPA to be in "expired" state, so that
>>> users must change it once more at first login. As a workaround we are
>>> using 2 different kerberos connection caches for each session: one for
>>> the administrator, for setting up the user password to something unique, and
>>> a second for authenticating with this unique password as the user, just
>>> to reset it to the value requested by the user through the web form.
>>>
>>> I think there would be pretty many similar cases. Maybe having a
>>> customizable web form on the IPA server itself, authenticating the user
>>> against some old external authentication system from which the
>>> migration is being performed, would be the best.
>>>
>>> If not, then at least some standard way to drop privileges from
>>> administrator to user, for setting up the password or maybe even other
>>> fields, would be great.
>>>
>> I take it that the LDAP connection used by your migration page isn't
>> using the credentials provided by the user, but binding using some
>> service account? Binding as the user would be ideal, but if you can't
>> you can add the dn for that service account to the
>> passSyncManagersDNs list to have it not cause a reset.
>>
>> % ldapmodify -x -D "cn=Directory Manager" -W
>> Enter LDAP Password: *******
>> dn: cn=ipa_pwd_extop,cn=plugins,cn=config
>> changetype: modify
>> add: passSyncManagersDNs
>> passSyncManagersDNs: uid=webadmin,cn=users,cn=accounts,dc=example,dc=com
>>
>> rob
>>
> Should we turn it into HOWTO?

I believe this is already in the documentation.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
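The following is an added example, not code from the thread or from the FreeIPA project. It automates the check a practitioner would want before applying Rob's ldapmodify: read the current passSyncManagersDNs values from ldapsearch output for cn=ipa_pwd_extop,cn=plugins,cn=config (handling LDIF line folding and base64 values), compare DNs with a simple normalization, and only then emit the modify LDIF. The ldapsearch output and the uid=passsync / uid=migration-svc DNs are constructed for the example; the uid=webadmin DN is the one Rob used above.

```python
"""Decide whether a migration service account still needs to be added to
passSyncManagersDNs on the ipa_pwd_extop plugin entry, and build the LDIF.

Added example. SAMPLE_SEARCH is constructed ldapsearch output, not captured
from a real server; the DNs in it are example values.
"""
import base64

PLUGIN_DN = "cn=ipa_pwd_extop,cn=plugins,cn=config"
ATTR = "passSyncManagersDNs"

# Service account the migration web page binds as (DN from the thread).
WEB_SVC = "uid=webadmin,cn=users,cn=accounts,dc=example,dc=com"

# Constructed sample of what
#   ldapsearch -x -D "cn=Directory Manager" -W -b "cn=ipa_pwd_extop,cn=plugins,cn=config" passSyncManagersDNs
# could print on a server that already lists two manager DNs. ldapsearch folds
# long values at 76 columns; the continuation line starts with a single space.
SAMPLE_SEARCH = """\
# extended LDIF
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
passSyncManagersDNs: uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=com
passSyncManagersDNs: uid=migration-svc,cn=sysaccounts,cn=etc,dc=examp
 le,dc=com

# search result
search: 2
result: 0 Success
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the line they
    belong to and drop comments and blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            lines.append(raw)
    return lines


def normalize_dn(dn):
    """Cheap DN normalization: lower-case and strip whitespace around the RDN
    separators. Enough to compare DNs that IPA itself generated (uid and cn are
    caseIgnore in 389-ds); it is not a full RFC 4514 parser."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def current_managers(ldif_text):
    """Return the passSyncManagersDNs values present in ldapsearch output."""
    values = []
    for line in unfold_ldif(ldif_text):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != ATTR.lower():
            continue
        if value.startswith(":"):
            # "attr:: <base64>" form, used when a value is not safe LDIF text
            value = base64.b64decode(value[1:].strip()).decode()
        values.append(value.strip())
    return values


def is_manager(ldif_text, dn):
    """True if dn is already on the passSyncManagersDNs list."""
    wanted = normalize_dn(dn)
    return any(normalize_dn(v) == wanted for v in current_managers(ldif_text))


def add_manager_ldif(dn):
    """LDIF for: ldapmodify -x -D "cn=Directory Manager" -W -f add.ldif"""
    return (
        f"dn: {PLUGIN_DN}\n"
        "changetype: modify\n"
        f"add: {ATTR}\n"
        f"{ATTR}: {dn}\n"
    )


def plan(ldif_text=SAMPLE_SEARCH, dn=WEB_SVC):
    """Return the LDIF to apply, or None when the DN is already listed
    (adding a duplicate value would make ldapmodify fail with error 20)."""
    if is_manager(ldif_text, dn):
        return None
    return add_manager_ldif(dn)


if __name__ == "__main__":
    out = plan()
    print(out if out else f"{WEB_SVC} already in {ATTR}; nothing to do")
```

A DN on this list can set user passwords without marking them expired, which is exactly the PassSync behaviour Rob is borrowing. Treat the migration page's bind account the way you would a PassSync account: give it no other privileges, keep its credentials on the migration host only, and remove it from passSyncManagersDNs once the migration is complete.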
