fas2ipa's Introduction

fas2ipa

Assumptions:

  • Account with admin privileges on the IPA server
  • Account with sufficient privileges to dump users and groups in FAS
  • python-fedora, python-requests, python_freeipa, progressbar2

Development environment

Vagrant allows contributors to get up and running quickly with a development environment by automatically configuring a virtual machine running FreeIPA. To get started, first install the Vagrant and virtualization packages needed, and start the libvirt service:

$ sudo dnf install ansible libvirt vagrant-libvirt vagrant-sshfs vagrant-hostmanager
$ sudo systemctl enable libvirtd
$ sudo systemctl start libvirtd

Check out the code and run vagrant up:

$ git clone https://github.com/fedora-infra/fas2ipa
$ cd fas2ipa
$ vagrant up

Your newly installed IPA Server will be viewable on your host machine at http://ipa.fas2ipa.test

Next, SSH into your newly provisioned development environment:

$ vagrant ssh

After initial setup, you will need to add FAS credentials to /vagrant/config.toml by replacing the following two lines in that file:

[fas]
# username =
# password =

The vagrant machine has a handful of aliases configured to help development.

fas2ipa-resetdata restores the FreeIPA data to a backup that was taken during the provisioning of the Vagrant machine

fas2ipa-run runs the tool itself

fas2ipa's Issues

Migrate more user attributes

Since the last time the import script was updated, there have been a few attributes added and updated to freeipa-fas fasuser.

Need to change this import script to include these changes.

Doing some extra checks when importing users

Discussed today with @abompard so creating issue here to track the request.
As we'll also have to migrate CentOS users (from the https://accounts.centos.org FAS instance), we should verify, in case of a name conflict, that the user from one side is indeed the user from the other side.
Let's assume that we have user1 existing in FAS and then we try to import the CentOS account, but that we also have user user1 in FAS/IPA: we should verify/confirm that it's indeed the same user before just adding the existing user into groups that were also migrated.

There is indeed no nickname protection, so the only "primary key" to validate that the same nickname is the same user is to validate that the email address (validated on each side) is indeed the same, and if not, not do anything (not adding the existing user to groups) but mark these in a "to be processed later" state.

From that report, we can reach out to users in such a state and ask them to change/update their email address to match in both FAS and ACO and then put users into the correct groups. If not (and same nickname mismatch, aka same nickname for different users), we should discuss how to handle that, but probably just put the new nickname in the correct groups.
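
One way to implement the check requested above, as an added example that is not fas2ipa's own code: on a username collision, group memberships are merged only when both sides hold the same validated email address, and every other collision goes to a "to be processed later" list. The Account type, its field names, same_owner(), reconcile() and the sample accounts are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:  # hypothetical record, not the FAS or IPA schema
    username: str
    email: str
    email_validated: bool = True
    groups: set = field(default_factory=set)


def same_owner(a, b):
    """True only if both sides validated the address and the addresses match."""
    if not (a.email_validated and b.email_validated):
        return False
    # Assumption: addresses are compared case-insensitively, nothing else is folded.
    return a.email.strip().casefold() == b.email.strip().casefold()


def reconcile(existing, incoming):
    """Merge incoming accounts into existing (a dict keyed by username).

    Returns (created, merged, deferred). Deferred accounts are not added to
    any group; they are recorded for manual follow-up.
    """
    created, merged, deferred = [], [], []
    for acct in incoming:
        current = existing.get(acct.username)
        if current is None:
            existing[acct.username] = acct
            created.append(acct.username)
        elif same_owner(current, acct):
            current.groups |= acct.groups
            merged.append(acct.username)
        else:
            deferred.append({"username": acct.username,
                             "existing_email": current.email,
                             "incoming_email": acct.email,
                             "pending_groups": sorted(acct.groups)})
    return created, merged, deferred


def sample():  # constructed data
    existing = {"user1": Account("user1", "user1@example.org", True, {"packager"}),
                "user2": Account("user2", "user2@example.org", True, {"docs"})}
    incoming = [Account("user1", "User1@Example.org", True, {"sig-cloud"}),
                Account("user2", "someone.else@example.net", True, {"sig-core"}),
                Account("user3", "user3@example.org", True, {"sig-cloud"})]
    return existing, incoming
```

The deferred list carries the groups that were withheld, so they can be granted once the owner has aligned the email address on both sides.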

User's fullname are not synced additively

There's a case of a user with a fullname attribute in CentOS, but no fullname in FAS, that ends up with no firstname/lastname in IPA (they have the standard "unset" fillers). See user carlwgeorge. The fullname sync should be additive.

Default locale/timezone are vague

If a user doesn't have a locale or timezone set up, the dropdown boxes default to af-ZA and Africa/Abidjan respectively.
Maybe it's a good idea to put an empty value as an option for these fields.

Migrate FPCA details

Now that we have agreements in freeipa-fas, we need to migrate the FPCA over to IPA and make everyone who has previously signed the agreement signed in the new system.

Improve the fas2ipa import speed

FAS2IPA could be made a lot faster if we disable the memberOf plugin in IPA. See this email.

To test it, we need to remove all the users and all the groups from the current staging database and do a full import run again.

The conflicts report crashes because sets are not JSON-serializable

Traceback (most recent call last):
  File "./venv/bin/fas2ipa", line 5, in <module>
    cli()
[...]
  File "./fas2ipa/cli.py", line 211, in cli
    save_data(conflicts, conflicts_file, force_overwrite=force_overwrite)
  File "./fas2ipa/utils.py", line 96, in save_data
    json.dump(data, fobj, indent=2)
  File "/usr/lib64/python3.6/json/__init__.py", line 179, in dump
    for chunk in iterable:
[...]
TypeError: Object of type 'set' is not JSON serializable
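
The failure in the traceback and one way around it, as an added example that is not fas2ipa's code: sets are written as sorted lists through a json `default` hook, and the report is serialised in memory and then moved into place, so a serialisation error cannot leave a truncated file behind. save_report(), its overwrite check and the layout of SAMPLE_CONFLICTS are assumptions made for illustration.

```python
import json
import os
import tempfile


def _encode_extra(obj):
    """json 'default' hook: sets become sorted lists, anything else still fails."""
    if isinstance(obj, (set, frozenset)):
        return sorted(obj, key=str)  # sorted so repeated runs give identical files
    raise TypeError(f"Object of type {type(obj).__name__} is not JSON serializable")


def save_report(data, path, force_overwrite=False):
    """Write data as JSON to path without ever leaving a partial file."""
    if os.path.exists(path) and not force_overwrite:
        raise FileExistsError(path)
    # Serialise completely before touching the filesystem.
    text = json.dumps(data, indent=2, sort_keys=True, default=_encode_extra)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as fobj:
            fobj.write(text + "\n")
        os.replace(tmp, path)  # atomic rename within one directory
    except BaseException:
        os.unlink(tmp)
        raise
    return text


# Constructed sample; the real conflicts structure is not shown on the page.
SAMPLE_CONFLICTS = {"users": {"user1": {"groups": {"sig-cloud", "packager"}}}}

if __name__ == "__main__":
    try:
        json.dumps(SAMPLE_CONFLICTS)
    except TypeError as exc:
        print("plain json.dumps:", exc)
    with tempfile.TemporaryDirectory() as tmpdir:
        print(save_report(SAMPLE_CONFLICTS, os.path.join(tmpdir, "conflicts.json")))
```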

adding a possibility to have a prefix for groups to import

During meeting with @abompard this morning, I discussed one idea that we had discussed already in the past, but that doesn't seem to be implemented (yet).
As we'll have to merge groups from both Fedora and CentOS FAS instances, ideally when we'll migrate groups from these instances, we'll use a prefix (at least on one source) so that we don't have conflicts/overlaps.
Example : sig-cloud group on https://accounts.centos.org would be imported like centos-sig-cloud (assuming that we use the 'centos' prefix)

Use more speaking placeholders for unset first, last name fields

Right now, the placeholders for unset first (<fnu>) and last (<lnu>) names aren't very speaking. If these values leak (e.g. some service accesses user information directly from FreeIPA), it'll confuse users. It'd be better to spell this out, e.g. use <first-name-unset> and <last-name-unset>, respectively.

Allow to mark groups as "obsolete" or "expired"

FAS contains many, many groups (well over 1000). The question is: are all of these still in use? Who do we contact to find out?

There are a whole bunch of git*, cvs* and svn* groups which I think are left over from the old Fedora Hosted days. Are these worth importing?
