From 8b7eb0424217a7d272c426d82dfe4ee30ac2c096 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 8 Jun 2011 18:36:34 -0400 Subject: NO-PUSH: TODO and 2.0->3.0 upgrade notes --- UPGRADES.TODO | 5 +++++ daemons/ipa-kdb/TODO | 17 +++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 UPGRADES.TODO create mode 100644 daemons/ipa-kdb/TODO diff --git a/UPGRADES.TODO b/UPGRADES.TODO new file mode 100644 index 000000000..74074af9c --- /dev/null +++ b/UPGRADES.TODO @@ -0,0 +1,5 @@ +- krb5.conf changes from kldap to ipakdd.so +- dirsrv changes to cn=config for EXTERNAL auth +- krbMkey change of format, from single value to multivalue +- changes to config to start kadmin instead of ipa_kpasswd +- add new schema diff --git a/daemons/ipa-kdb/TODO b/daemons/ipa-kdb/TODO new file mode 100644 index 000000000..5bcdd6ca7 --- /dev/null +++ b/daemons/ipa-kdb/TODO @@ -0,0 +1,17 @@ + +* Handle KRB5_KDB_REQUIRES_PWCHANGE in entry->attributes so that ipa-pwd-extop + can use it too. + +* Change ipa-pwd-extop to be able to properly read a krbMKey with multiple values +* In change_pwd properly handle keepold if mkvno differs + +Pwd change behavior and kadmind/kadmin.local: +* How to detect/allow password changes for users based on ACIs in LDAP ? + CANNOT, Only own password changes will be allowed +* How to allow admin to always change pw but mark the pw as expired ? + NOT via kadmin + +FUTURE: +add code to handle change of masterkey by adding new krbMKey and having +ipa-pwd-extop start a task to re-encode keys. Possibly do that with a special +extended operation. -- cgit
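Review bot: In the UPGRADES.TODO hunk, the first item names the module "ipakdd.so", while the directory this same patch adds is daemons/ipa-kdb, so the spelling is worth confirming before anyone edits krb5.conf from this note. The attribute is also written "krbMkey" here and "krbMKey" in daemons/ipa-kdb/TODO; pick one spelling so a search finds both files. The krbMkey item would also be more useful as an upgrade note if it said whether existing single-valued entries need to be converted or can be read as they are.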
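Review bot: In the daemons/ipa-kdb/TODO hunk, the two entries under "Pwd change behavior and kadmind/kadmin.local" are already answered ("CANNOT, Only own password changes will be allowed" and "NOT via kadmin"), so they are design decisions about who may change a password rather than open tasks. Move them to a notes or design section and say where each restriction is enforced, so they are not mistaken for pending work. The "In change_pwd properly handle keepold if mkvno differs" item does not state the intended outcome when the master key version differs (re-encrypt the kept keys, drop them, or refuse the change); recording that here would make the item actionable. The hunk also starts with an empty added line that can be dropped.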