[Freeipa-devel] [PATCH] 0002 Rewrite the migration page using WSGI

Jakub Hrozek jhrozek at redhat.com
Tue Nov 2 14:58:16 UTC 2010


(resending to the list, I accidentally replied to Rob only before..)

On 11/02/2010 04:24 AM, Rob Crittenden wrote:
> Jakub Hrozek wrote:
>> https://fedorahosted.org/freeipa/ticket/154
>>
>> The second patch removes the /ipatest section that has been commented
>> out in ipa.conf anyway..plus, we don't ship /usr/share/ipatest anymore
>> :-)
> 
> Migration doesn't seem to be working. The migration page itself comes up
> fine and prompts for data but when I enter the password of a migrated
> user I don't seem to be getting valid kerberos keys. kinit doesn't work
> in any case. It could also be that I'm tired. Does a migrated account
> work for you?
> 

It does for me -- or at least I think it's working. This is how I tested:
1) migrate users from LDAP using the migrate-ds plugin.
2) try kinit - preauth will fail
3) go to the migration page, enter username/password. This redirects me
to the ui page if the credentials are correct.
4) kinit for the user works now

This is on the current master + the two patches under review, on a F13
host migrating from 389 DS on another F13 machine.

> This could be related to redoing the 389-ds password plugin as I did all
> previous testing before we did the file split.
> 
>>
>> I also have two questions:
>>   1) how should exceptions be handled? In the patch, I only explicitly
>> handle exceptions that could happen very easily (like, password being
>> wrong, or the LDAP server down..). Anything else would just trigger 500
>> Server Error..
> 
> I think that's ok as long as we provide enough logging to point the
> admin in the right direction.
> 
>>
>>   2) When playing with the migration command line plugin, I noticed that
>> it can only handle RFC2307bis groups (member: dn) and has the
>> objectclass for groups hardcoded to
>> "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))". I think
>> it would be worthwhile (and easy, too!) to modify the plugin to accept
>> also RFC2307 schema and allow specifying a different objectclass
>> (posixGroup might come handy..). Thoughts?
> 
> Yes, that sounds like a good enhancement. Great idea.
> 

OK:
https://fedorahosted.org/freeipa/ticket/429

(taken, since I was already poking at the plugin anyway)
