[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-devel] [PATCH] Add DS to IPA migration plugin and password migration page.



Pavel Zuna wrote:
Rob Crittenden wrote:
Pavel Zuna wrote:
Example output of migration plugin:

I have a DS server setup on a VM at 192.168.122.4 and I made a few tweaks to show how errors are reported.

# ipa migrate-ds ldap://192.168.122.4:389
Password:
Enter password again to verify:
-----------
migrate-ds:
-----------
Migrated:
  users: pzuna, mnagy
  groups: skupina1, skupina2, skupina3
Errors:
user: mnagy: Kerberos principal mnagy PZUNA already exists. Use 'ipa user-mod' to set it manually.
  group: accounting managers: This entry already exists
  group: hr managers: This entry already exists
  group: qa managers: This entry already exists
  group: pd managers: This entry already exists
----------
Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clean text passwords. All migrated users need to login at http://your.domain/ipa/migration/ before they can use their Kerberos accounts.

I didn't try it yet, but this might also work for IPAv1->IPAv2 migration.

Pavel

I have some concerns with this. Rather than presenting a user password change page this enables basic-auth like kerberos negotiate fallback and uses the username/password presented there to do the password reset. I thought we had discussed actually presenting a form to the user to prompt for this information.
 >
 > One of our goals is to promote the usage of single sign-on using
 > kerberos. Enabling the password fallback can be practical and needed in
 > some cases but I think by default we want to leave it off.
 >

According to this page, we need to use form base authentication to replay the password: https://wiki.idm.lab.bos.redhat.com/export/idmwiki/Migration_from_DS_server_to_IPA

At first, I thought that "form base authentication" is a normal HTML form, but the term is actually pretty ambiguous and there is no way to replay HTML form data.

Without the kerberos negotiate fallback on, replaying the password is useless. There's no replaying going on actually.

So, either:
1) we set negotiate fallback ON and use password replaying, after migration page, the user is redirected to his kerberos protected self-service page without the need to enter his password twice 2) we only use the password migration page to generate kerberos keys and tell users to use kinit from then on.

#2 is the way to go. We need to put up a simple form that has fields for username, old password and 2 new passwords and a submit button. We can't redirect them to the UI once we're done, as you point out. This is fine IMHO as it is unlikely their browser is set up to use kerberos anyway. We could redirect them to the login page, which will fail and contain instructions on how to set up their browser and do a kinit. We may need to modify the message on that page to contain specific info for those migrating.

The function get_base_dn() needs some error handling. I'm not sure how this will blow up if the LDAP server is down but it won't be pretty, it assumes that a namingcontext is returned, etc.
 >
For the migration there is a typo in pwd_migration_msg, "clean text" instead of "clear text".


Ok, I'm going to fix those asap.

Why are you duplicating the user_add functionality instead of calling api.Command['user_add']?

Same with groups, why not user the gropu_add and group_add_member methods?

Because it would be too much overhead.

Migrating a single user would mean:
- extract data from DS and convert it to the format accepted by IPA commands
- user_add (2 ldap operations: RETRIEVE ipaConfig, ADD)
- user_mod (2 ldap operations: RETRIEVE, MODIFY)

Now that's 4 operations instead of 1 and a lot of needless processing. It's even worst for groups, because we also have to do group_add_member.

On the other hand, migration is a one-shot process, so we don't have to be concerned about speed/server load that much and using IPA commands has its advantages.

The risk is maintaining the same code in 2 places. If we end up finding some critical bug in user_add it is very likely to get overlooked here.

Might be worth knowing how much this will really affect things. I think we should generate a ton of LDAP entries (say several thousand, if not more) and migrate using both methods to see what overhead is involved. Unless it is significantly faster I think I'd rather go with code re-use.

I'd guess that the guys in 389 have a script to auto-generate entries.

rob

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]