<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Thanks Rob for your reply. I'll keep you all updated on my migration. Bert John Robert Mendoza --- On Tue, 9/15/09, Rob Crittenden <rcritten@redhat.com> wrote: <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> From: Rob Crittenden <rcritten@redhat.com> Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA To: "John Robert Mendoza" <jrobertm8@yahoo.com> Cc: "Thu Nguyen" <ntathu@tma.com.vn>, "Thu Nguyen Thi Anh" <thunta@tma.com.vn>, freeipa-users@redhat.com Date: Tuesday, 15 September, 2009, 8:30 PM <div class="plainMail">John Robert Mendoza wrote: > Hi Thu, Rob, and All, > > Have you made the necessary migration to FreeIPA. I too have migrated from an OpenLDAP to freeipa but have encountered some problems. After I have imported all the users from the OpenLDAP server to FreeIPA, I can't seem to get a Kerberos ticket. Is there any workaround on how I can make this migration work. All the entries have been successfully added and bind to the FreeIPA server works but doing kinit doesn't. > You're probably lacking at least kerberos keys. Did you set the krbprinicpalname on each entry? In order to generate the kerberos keys you need a cleartext password which is why it isn't as simple as loading an LDIF. If you change the password of your users that should generate the keys assuming they have the appropriate object class (krbprincipalaux). We are working on a mechanism where a user will be able to authenticate using their migrated password and this will generate the kerberos keys but it isn't quite finished yet. rob > TIA. > > John Robert Mendoza > > --- On *Fri, 8/14/09, Thu Nguyen Thi Anh /<<a ymailto="mailto:thunta@tma.com.vn" href="/mc/compose?to=thunta@tma.com.vn">thunta@tma.com.vn</a>>/* wrote: > > > From: Thu Nguyen Thi Anh <<a ymailto="mailto:thunta@tma.com.vn" href="/mc/compose?to=thunta@tma.com.vn">thunta@tma.com.vn</a>> > Subject: RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA > To: "Rob Crittenden" <<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>>, "Thu Nguyen" > <<a ymailto="mailto:ntathu@tma.com.vn" href="/mc/compose?to=ntathu@tma.com.vn">ntathu@tma.com.vn</a>> > Cc: <a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Date: Friday, 14 August, 2009, 6:56 PM > > Thanks Rob very much. I will try of course on the test system :) > > > -----Original Message----- > From: Rob Crittenden [mailto:<a ymailto="mailto:rcritten@redhat.com" href="/mc/compose?to=rcritten@redhat.com">rcritten@redhat.com</a>] > Sent: Tue 6/30/2009 12:58 AM > To: Thu Nguyen > Cc: <a ymailto="mailto:freeipa-users@redhat.com" href="/mc/compose?to=freeipa-users@redhat.com">freeipa-users@redhat.com</a> > Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA > > Thu Nguyen wrote: > > Dear all, > > > > > > > I did use OpenLDAP for our system which used to authenticate all web > > services (bugzilla, svn,..) and mail service (dovecot) . Now I would > > like to replace it by FreeIPA. Would you please instruct > (step-by-step > > if possible) how to migrate all data/structures from OpenLDAP to > FreeIPA? > > > > We don't currently have instructions on how to do this. > > Basically what you need to do is: > > - install freeIPA > - get an ldif dump of your OpenLDAP server > - remove any unneeded structural and configuration options from the ldif > - convert this ldif to the IPA DIT > - load the ldif > > You can see the DIT we use at <a href="http://freeipa.org/page/UsingRhdsWithIpa" target="_blank">http://freeipa.org/page/UsingRhdsWithIpa</a> > > When converting to our DIT you'll also need to ensure that the user > entries are set up properly. This means having: > > - the krbprincipalname attribute set to <uid>@<REALM> > - update the objectclass list > - set gidnumber to the ipausers group > > You'll end up with a bunch of users that will work with simple auth but > don't have kerberos keys yet so kinit will fail. You'll need to create > some mechanism where they authenticate using their user password in > order to get kerberos keys. > > And of course, do this on a test system first to make sure I haven't > missed something :-) > > rob > > > > -----Inline Attachment Follows----- > > _______________________________________________ > Freeipa-users mailing list > <a ymailto="mailto:Freeipa-users@redhat.com" href="/mc/compose?to=Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> </mc/compose?to=<a ymailto="mailto:Freeipa-users@redhat.com" href="/mc/compose?to=Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>> > <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> > > > ------------------------------------------------------------------------ > Importing contacts has never been easier. <<a href="http://us.rd.yahoo.com/SIG=11dea1p2c/**http%3A%2F%2Fwww.trueswitch.com%2Fyahoo-ph" target="_blank">http://us.rd.yahoo.com/SIG=11dea1p2c/**http%3A%2F%2Fwww.trueswitch.com%2Fyahoo-ph</a>> > Bring your friends over to Yahoo! Mail today! </div></blockquote></td></tr></table> <hr size=1> <a href="http://us.lrd.yahoo.com/_ylc=X3oDMTFnNHZxc2k1BHRtX2RtZWNoA1RleHQgTGluawR0bV9sbmsDVTExMDM0NjUEdG1fbmV0A1lhaG9vIQ--/SIG=11k7khaee/**http%3A//downloads.yahoo.com/sg/internetexplorer/"> Open emails faster. </a> Yahoo! recommends that you upgrade your browser to the new Internet Explorer 8 optimized for Yahoo!.<a href="http://us.lrd.yahoo.com/_ylc=X3oDMTFnNHZxc2k1BHRtX2RtZWNoA1RleHQgTGluawR0bV9sbmsDVTExMDM0NjUEdG1fbmV0A1lhaG9vIQ--/SIG=11k7khaee/**http%3A//downloads.yahoo.com/sg/internetexplorer/">Get it here! (It's free)</a>