[Freeipa-users] Migrate data from OpenLdap to FreeIPA

Rob Crittenden rcritten at redhat.com
Mon Jun 29 17:58:12 UTC 2009


Thu Nguyen wrote:
> Dear all,
> 
> I did use OpenLDAP for our system which used to authenticate all web 
> services (bugzilla, svn, ...) and mail service (dovecot). Now I would 
> like to replace it with FreeIPA. Would you please instruct (step-by-step 
> if possible) how to migrate all data/structures from OpenLDAP to FreeIPA?
> 

We don't currently have instructions on how to do this.

Basically what you need to do is:

- install FreeIPA
- get an ldif dump of your OpenLDAP server
- remove any unneeded structural and configuration options from the ldif
- convert this ldif to the IPA DIT
- load the ldif

You can see the DIT we use at http://freeipa.org/page/UsingRhdsWithIpa

When converting to our DIT you'll also need to ensure that the user 
entries are set up properly. This means having:

- the krbprincipalname attribute set to <uid>@<REALM>
- update the objectclass list
- set gidnumber to the ipausers group

You'll end up with a bunch of users that will work with simple auth but 
don't have Kerberos keys yet, so kinit will fail. You'll need to create 
some mechanism where they authenticate using their user password in 
order to get Kerberos keys.

And of course, do this on a test system first to make sure I haven't 
missed something :-)

rob
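
The user-entry conversion listed in the reply above, as an added example that is not part of the original message and not FreeIPA's own tooling. The realm, suffix, ipausers gidNumber, the single added objectclass (krbPrincipalAux) and the sample LDIF are assumptions constructed for illustration; take the real values from your IPA install and the DIT page.

```python
REALM = "EXAMPLE.COM"                                  # assumption: your realm
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"   # assumption: check against the IPA DIT
IPAUSERS_GID = "1002"                                  # assumption: real gidNumber of ipausers
EXTRA_CLASSES = ["krbPrincipalAux"]                    # assumption: extend per your IPA schema

# Constructed sample dump: one structural entry and one user with a folded line.
SAMPLE_LDIF = """\
dn: ou=People,dc=old,dc=example
objectClass: organizationalUnit
ou: People

dn: uid=jdoe,ou=People,dc=old,dc=example
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Do
 e
gidNumber: 500
userPassword: {SSHA}constructed-placeholder-hash
"""

def parse_ldif(text):
    """Return entries as lists of (attr, raw_value) pairs, unfolding wrapped lines."""
    unfolded = text.replace("\n ", "")  # RFC 2849: leading space continues a line
    return [[(l.partition(":")[0], l.partition(":")[2]) for l in b.splitlines()
             if l and not l.startswith("#")] for b in unfolded.strip().split("\n\n")]

def convert_user(pairs):
    """Map one posixAccount entry onto the IPA DIT; None for anything else."""
    classes = [v.strip() for a, v in pairs if a.lower() == "objectclass"]
    uids = [v.strip() for a, v in pairs if a.lower() == "uid"]
    have = {c.lower() for c in classes}
    if "posixaccount" not in have or not uids:
        return None  # structural/config entries are dropped, not converted
    extra = [c for c in EXTRA_CLASSES if c.lower() not in have]
    drop = {"dn", "objectclass", "gidnumber", "krbprincipalname"}
    out = [("dn", f" uid={uids[0]},{USER_BASE}")]
    out += [("objectClass", f" {c}") for c in classes + extra]
    out += [(a, v) for a, v in pairs if a.lower() not in drop]  # keeps userPassword
    out += [("gidNumber", f" {IPAUSERS_GID}"), ("krbPrincipalName", f" {uids[0]}@{REALM}")]
    return out

def migrate(text):
    """Drop non-user entries and return the converted LDIF text."""
    users = [u for u in map(convert_user, parse_ldif(text)) if u]
    return "\n\n".join("\n".join(f"{a}:{v}" for a, v in u) for u in users) + "\n"

if __name__ == "__main__":
    print(migrate(SAMPLE_LDIF))
```

The userPassword value is carried over untouched, which is why the migrated accounts can still do a simple bind while having no Kerberos keys.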