<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/05/2012 06:27 PM, Sylvain Angers wrote:
<blockquote
cite="mid:CABn0Hjt0P8X+bqoWBvwabon8uj2UJJsrFpmjxsSQzdS6Ym8nTw@mail.gmail.com"
type="cite">
<div>
<div>Hi again, </div>
<div><br>
</div>
<div>By moving away from local accounts to FreeIPA, do we affect
any of these numbers?</div>
<div><br>
</div>
<div>-group name length limits</div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;">-group membership
limits</span></div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;"><br>
</span></div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;">or they remain the same
/ as the under limit of the local os?</span></div>
<div><span style="background-color: rgb(255, 255, 255);"><font
color="#222222" size="3" face="Arial, Helvetica,
sans-serif"><span style="line-height: 20px;">On linux, I
believe there will still be a limitation of 16 IDs per
group, right?</span></font></span></div>
</div>
</blockquote>
<br>
This is a very old limitation that has not been a problem for quite
a while.<br>
AFAIR starting with AIX 5.3, AIX has a decent PAM stack and one can use
pam_ldap and nss_ldap with it.<br>
5.2 does not have proper capabilities. What version do you use?<br>
<br>
The limitations you are concerned about are really dictated by the
capabilities of the OS and client software.<br>
AFAIK nss_ldap has no limit on the number of users in a group.<br>
IPA assumes that there are no such limitations and allows any number
of users in a group.<br>
<br>
<blockquote
cite="mid:CABn0Hjt0P8X+bqoWBvwabon8uj2UJJsrFpmjxsSQzdS6Ym8nTw@mail.gmail.com"
type="cite">
<div>
<div>
<div>If anyone has some past experience with AIX, feel free to
share with me</div>
</div>
<div><br>
</div>
<div>I am really interested to hear about it</div>
<div><br>
</div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;">Thank you!</span></div>
</div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;"><br>
</span></div>
<div><span style="background-color: rgb(255, 255, 255); color:
rgb(34, 34, 34); font-family: Arial,Helvetica,sans-serif;
font-size: 16px; line-height: 20px;">Sylvain Angers</span></div>
<div><br>
<div class="gmail_quote">2012/1/5 Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div> On 01/05/2012 04:20 PM, Sylvain Angers wrote:
<blockquote type="cite">Hello
<div><br>
</div>
<div>We have a mixed environment of AIX, and linux
servers</div>
<div>All our user accounts are still set locally - no
NIS, and we do not have unique uid/gid toward our
hosts!!!</div>
<div>I am evaluating the possibility of using Redhat
Identity management in our environment</div>
<div>I have to figure out what AIX will be able to
support - we would at least want to be able to limit
who could access what on aix</div>
<div>so if you have dealt with AIX, let me know</div>
<div><br>
</div>
<div>but here my main question</div>
<div><br>
</div>
<div>My question is how do I deal with our current
local users? <br>
</div>
</blockquote>
<br>
</div>
This is a tough one... The assumption was that some kind
of identity system is already in place.
<div><br>
<br>
<blockquote type="cite">
<div>When user DAVE gets FreeIPA ID 10000000567, do you
have to chown every file he has on a local machine
while he might have uid/gid 501?</div>
</blockquote>
<br>
<br>
</div>
Yes.
<div><br>
<br>
<blockquote type="cite">
<div><br>
</div>
<div>I guess we will have to bite the bullet and have
a unique id for every user - right?</div>
</blockquote>
<br>
</div>
Correct
<div><br>
<br>
<blockquote type="cite">
<div>
<div>Is there a simple migration plan from local to
freeipa?</div>
</div>
</blockquote>
<br>
</div>
You pretty much outlined it here. There is nothing better
I know of.<br>
Your user IDs are probably low enough that there is no
overlap with user IDs from IdM.
<div><br>
<br>
<blockquote type="cite">
<div>
<div>Do we have to migrate one account at a time,
so if an account does not
exist locally, it will check remote?</div>
</div>
</blockquote>
<br>
</div>
This is usually the case when you use files in the
nsswitch.conf first and then ldap or sss.<br>
So logic would be:<br>
1) Create a user in IdM with the same name as a local user (if
it does not already exist)<br>
2) Find all files owned by local user and replace UID/GID
with the ones from IPA user with the same name<br>
3) Remove local user<br>
4) Repeat for all local users<br>
5) Repeat on every machine<br>
<br>
Step 1) might be a challenge from an AIX machine, so you might
consider creating a list of all users first, precreating
the users in IdM and then running a script that would do
the rest on each of the machines you need to convert.<br>
<br>
<blockquote type="cite">
<div>
<div>
<div><br>
</div>
<div>I am missing the big picture</div>
<div><br>
</div>
<div>thanks in advance</div>
-- <br>
Sylvain Angers<br>
<br>
</div>
</div>
<pre><fieldset></fieldset>
_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span><font color="#888888"> </font></span></blockquote>
<span><font color="#888888"> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</font></span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Sylvain Angers<br>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
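<br>
The per-machine step from the quoted migration outline (find files owned by the local user and replace UID/GID with the IdM ones), together with a check of the "no overlap" assumption, as an added example that is not part of the original thread or of FreeIPA. It assumes the IdM users were exported to passwd-format text; the function names, sample lines and the ID 1040000567 are constructed for illustration.

```python
import os
import stat

# Constructed sample data in passwd(5) format; names and IDs are illustrative.
LOCAL_PASSWD = "dave:x:501:501::/home/dave:/bin/sh\ncarol:x:502:502::/home/carol:/bin/sh\n"
IDM_PASSWD = "dave:x:1040000567:1040000567::/home/dave:/bin/sh\nerin:x:502:502::/home/erin:/bin/sh\n"

def parse_ids(text):
    """Return {name: id} from passwd- or group-format text (the ID is field 3 in both)."""
    rows = (l.split(":") for l in text.splitlines() if l and not l.startswith("#"))
    return {f[0]: int(f[2]) for f in rows}

def overlaps(local, idm):
    """Local names whose numeric ID is assigned to a different name in IdM."""
    idm_owner = {i: n for n, i in idm.items()}
    return sorted(n for n, i in local.items() if idm_owner.get(i, n) != n)

def build_map(local, idm):
    """Return {old_id: new_id} for names present in both sources whose IDs differ."""
    return {i: idm[n] for n, i in local.items() if n in idm and idm[n] != i}

def remap_tree(root, uid_map, gid_map, dry_run=True):
    """Re-own one filesystem in a single pass; return the list of changes."""
    root_dev = os.lstat(root).st_dev
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        # Stay on this filesystem: shared mounts would be re-owned from every host.
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    changes = []
    for path in paths:
        st = os.lstat(path)  # original owner, read once per file
        new_uid = uid_map.get(st.st_uid, st.st_uid)
        new_gid = gid_map.get(st.st_gid, st.st_gid)
        if (new_uid, new_gid) == (st.st_uid, st.st_gid):
            continue
        changes.append((path, st.st_uid, new_uid, st.st_gid, new_gid))
        if not dry_run:
            os.lchown(path, new_uid, new_gid)  # changes the link itself, not its target
            if stat.S_ISREG(st.st_mode):
                os.chmod(path, stat.S_IMODE(st.st_mode))  # chown clears setuid/setgid
    return changes

if __name__ == "__main__":
    local, idm = parse_ids(LOCAL_PASSWD), parse_ids(IDM_PASSWD)
    print("overlapping IDs:", overlaps(local, idm))
    for change in remap_tree(".", build_map(local, idm), {}):
        print(change)
```

Each file is mapped from the owner it had before the run, so chained remaps (501 to 502, 502 to 503) are not applied twice. Build the GID map from the group files with the same helpers, and resolve anything `overlaps` reports before running with `dry_run=False`.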
</body>
</html>