<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Hi Thu, Rob, and All, Have you made the necessary migration to FreeIPA. I too have migrated from an OpenLDAP to freeipa but have encountered some problems. After I have imported all the users from the OpenLDAP server to FreeIPA, I can't seem to get a Kerberos ticket. Is there any workaround on how I can make this migration work. All the entries have been successfully added and bind to the FreeIPA server works but doing kinit doesn't. TIA. John Robert Mendoza --- On Fri, 8/14/09, Thu Nguyen Thi Anh <thunta@tma.com.vn> wrote: <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> From: Thu Nguyen Thi Anh <thunta@tma.com.vn> Subject: RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA To: "Rob Crittenden" <rcritten@redhat.com>, "Thu Nguyen" <ntathu@tma.com.vn> Cc: freeipa-users@redhat.com Date: Friday, 14 August, 2009, 6:56 PM <div id="yiv1646538487"> <title>RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA</title> Thanks Rob very much. I will try of course on the test system :) -----Original Message----- From: Rob Crittenden [<a rel="nofollow" ymailto="mailto:rcritten@redhat.com" target="_blank" href="mailto:rcritten@redhat.com">mailto:rcritten@redhat.com</a>] Sent: Tue 6/30/2009 12:58 AM To: Thu Nguyen Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA Thu Nguyen wrote: > Dear all, > > > > I did use OpenLDAP for our system which used to authenticate all web > services (bugzilla, svn,..) and mail service (dovecot) . Now I would > like to replace it by FreeIPA. Would you please instruct (step-by-step > if possible) how to migrate all data/structures from OpenLDAP to FreeIPA? > We don't currently have instructions on how to do this. Basically what you need to do is: - install freeIPA - get an ldif dump of your OpenLDAP server - remove any unneeded structural and configuration options from the ldif - convert this ldif to the IPA DIT - load the ldif You can see the DIT we use at <a rel="nofollow" target="_blank" href="http://freeipa.org/page/UsingRhdsWithIpa">http://freeipa.org/page/UsingRhdsWithIpa</a> When converting to our DIT you'll also need to ensure that the user entries are set up properly. This means having: - the krbprincipalname attribute set to <uid>@<REALM> - update the objectclass list - set gidnumber to the ipausers group You'll end up with a bunch of users that will work with simple auth but don't have kerberos keys yet so kinit will fail. You'll need to create some mechanism where they authenticate using their user password in order to get kerberos keys. And of course, do this on a test system first to make sure I haven't missed something :-) rob </div> -----Inline Attachment Follows----- <div class="plainMail">_______________________________________________ Freeipa-users mailing list <a ymailto="mailto:Freeipa-users@redhat.com" href="/mc/compose?to=Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></div></blockquote></td></tr></table> <hr size=1> <a href="http://us.rd.yahoo.com/SIG=11dea1p2c/**http%3A%2F%2Fwww.trueswitch.com%2Fyahoo-ph"> Importing contacts has never been easier.</a> Bring your friends over to Yahoo! Mail today!