author Simo Sorce <ssorce@redhat.com> 2011-06-08 18:36:34 -0400
committer Simo Sorce <ssorce@redhat.com> 2011-10-12 16:46:36 -0400
commit 8b7eb0424217a7d272c426d82dfe4ee30ac2c096
tree 492c2dcdba00b67864c844423c65999186ebcc85
parent d2e66fb4a449b41077632baf2daf2a86728f9a47
NO-PUSH: TODO and 2.0->3.0 upgrade notes
-rw-r--r-- UPGRADES.TODO 5
-rw-r--r-- daemons/ipa-kdb/TODO 17
2 files changed, 22 insertions, 0 deletions
diff --git a/UPGRADES.TODO b/UPGRADES.TODO
new file mode 100644
index 000000000..74074af9c
--- /dev/null
+++ b/UPGRADES.TODO
@@ -0,0 +1,5 @@
+- krb5.conf changes from kldap to ipakdd.so
+- dirsrv changes to cn=config for EXTERNAL auth
+- krbMkey change of format, from single value to multivalue
+- changes to config to start kadmin instead of ipa_kpasswd
+- add new schema
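Review bot: the first item names the module "ipakdd.so", which does not match the daemons/ipa-kdb directory touched by this same patch; please confirm the file name, since the krb5.conf upgrade step depends on it. The attribute is also spelled "krbMkey" here and "krbMKey" in daemons/ipa-kdb/TODO, so one spelling should be used in both files. The list gives no order for the five steps; for a 2.0->3.0 upgrade it would help to say whether "add new schema" has to happen before the krbMKey single-value to multivalue change, and "add new schema" should name which schema is meant.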
diff --git a/daemons/ipa-kdb/TODO b/daemons/ipa-kdb/TODO
new file mode 100644
index 000000000..5bcdd6ca7
--- /dev/null
+++ b/daemons/ipa-kdb/TODO
@@ -0,0 +1,17 @@
+
+* Handle KRB5_KDB_REQUIRES_PWCHANGE in entry->attributes so that ipa-pwd-extop
+ can use it too.
+
+* Change ipa-pwd-extop to be able to properly read a krbMKey with multiple values
+* In change_pwd properly handle keepold if mkvno differs
+
+Pwd change behavior and kadmind/kadmin.local:
+* How to detect/allow password changes for users based on ACIs in LDAP ?
+ CANNOT, Only own password changes will be allowed
+* How to allow admin to always change pw but mark the pw as expired ?
+ NOT via kadmin
+
+FUTURE:
+add code to handle change of masterkey by adding new krbMKey and having
+ipa-pwd-extop start a task to re-encode keys. Possibly do that with a special
+extended operation.
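Review bot: under "Pwd change behavior and kadmind/kadmin.local" the two items are phrased as open questions but already carry answers ("CANNOT, Only own password changes will be allowed" and "NOT via kadmin"); these are behavioural limits that affect who can reset a password and whether a reset can be forced to expire, so they read better as plain statements of the limitation, with a pointer to the supported path if one exists, than as TODO questions. The item "In change_pwd properly handle keepold if mkvno differs" does not say what the proper handling is; a one-line description of the intended behaviour would make it actionable. Style: the file starts with an empty line, and the FUTURE paragraph drops the "*" bullet used everywhere else in the file.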