From: Willem E. <wi...@cl...> - 2018-12-17 09:53:37
Hi Krzysztof,

thanks for the reply. Your suggestion in point 2 was the solution for our issue. Our restore procedure is now the following:

1. start a fresh instance of unity 2.4.2 or 2.6.0 with all authenticators using "sys:password" credential
2. restore database backup
3. update all authenticators to use the "Password credential" credential

Our main goal was to test the ldapEndpoint in the 2.6.x release. Now having to invalidate all users' passwords is a big plus when updating our production instance so I will also have a look at porting the ldap endpoint to the 2.7.x branch. Anything I should be aware of when doing this?

Best,
Willem

On Tue, Dec 11, 2018 at 9:13 PM Krzysztof Benedyczak <kb...@un...> wrote:

> Hi Willem,
>
> On 11.12.2018 at 13:59, Willem Elbers wrote:
> > Hi Krzysztof,
> >
> > we are trying to upgrade our unity instance to a recent 2.x version
> > (2.6.x preferably).
> >
> > The upgrade from 1.9.6 to 2.0.0 seems to go fine, but then upgrading
> > to 2.4.0 or anything higher results in users without password. As far
> > as I can see in section 4.2.4 of the upgrade documentation there is no
> > specific action required with respect to existing password, even
> > though a new sys:password credential has been introduced. I've also
> > noticed that on a fresh 2.4.0 test installation our admin user is
> > requested to update the credential because of the credential
> > requirements.
> >
> > In our 1.9.6 installation we are using a custom password credential,
> > but this is included in the database export:
>
> Yes, this should in general work, though it is a huge jump, over
> something like 2 years, so hard to make bold statements.
>
> Some hints how to investigate the issue:
>
> 1. I'd try to configure the default admin user (admin2x or something
> like this with some password in unityServer.conf) + change your web
> authenticator used by admin endpoint to use sys:password credential.
> This temporary change should allow you to login to adminUI, so that you
> can more easily inspect what is really set (or is not) for your users.
> For each user you can see the internal attribute storing password (check
> 'internal' attributes in attributes panel), also credential details will
> show details of credentials.
>
> After getting into admin UI you may check the credential definitions, do
> JSON export and check if it is all right.
>
> 2. Different path (maybe the most promising?): It may happen that
> credentials are all right, but your admin endpoint or its authenticator
> configuration was not migrated properly (or even was but is overwritten
> by your new config from file). Make sure that your endpoint is using the
> proper password credential ("Password credential" literal), not for
> instance sys:password, which obviously was not defined in 1.9 but is a
> default now. For this case you would also get errors like you got.
>
> 3. Have you carefully checked migration logs? Any issues there?
>
>
> BTW: I'd strongly encourage you to go with the latest version. 2.7.3
> introduced a feature that will help you a lot: passwords stored with
> legacy hashing mechanism used in 1.9 can be rehashed automatically,
> without a need for a user to reset it.
>
>
> HTH,
>
> Krzysztof