[Freeipa-users] Import LDIF file to FreeIPA
Rob Crittenden
rcritten at redhat.com
Tue Oct 20 13:49:48 UTC 2009
Michael Kang wrote:
> Dear all,
>
> I got an LDIF file which is exported from Fedora 389 Directory Server. I
> want to import that user info into FreeIPA. What should I do? I just
> need the group, username and passwd information which is exported from
> another Fedora 389 Directory Server.

You won't be able to import it without some changes. You'll need to
match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin
with. You'll probably want to update the objectclasses in each user
entry as well to include: top, organizationalperson, inetorgperson,
inetuser, posixaccount and krbprincipalaux.

You'll need to set krbprincipalname to uid@REALM in each user entry.

The existing userPassword entry can be imported but you won't have
usable Kerberos credentials (it will probably generate keys but it will
use the pre-hashed password so the keys will be unusable).

As you can see, directly importing the LDIF would be quite a bit of work.

> As far as I considered, I need to write a shell script to read user name
> from LDIF file and use the ipa-useradd command to achieve my goal.

This is probably a better way, you'll just need to set a password on
each user. The first time the user logs in they will need to reset the
password (so only they know it).

> FreeIPA also uses 389 ds. Can I use the 389-console java platform to
> manage FreeIPA?

This is not recommended. Someone figured out how to do this at one point
and posted instructions to either freeipa-devel or freeipa-users, I
can't recall at this point.

It isn't recommended because you can easily create users outside of the
IPA DIT, create non-posix users, etc. It will probably end up causing
more problems in the long run. We recommend using the IPA tools.

rob
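
The entry rewrite described in the reply above, as an added example that is not part of the original message or of FreeIPA's own tooling: it parses an LDIF export, adds the listed object classes, sets krbPrincipalName to uid@REALM and moves each user under cn=users,cn=accounts. The realm EXAMPLE.COM, the suffix dc=example,dc=com and the sample entries are assumptions constructed for illustration; userPassword is deliberately left out so a fresh password is set after import instead of carrying over a hash that yields unusable Kerberos keys.

```python
import base64
import re

# Object classes the reply lists for IPA user entries.
IPA_USER_CLASSES = "top organizationalperson inetorgperson inetuser posixaccount krbprincipalaux".split()

# Constructed sample export (not real data); the gecos value is folded.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=old,dc=example
objectClass: posixAccount
uid: jdoe
cn:: Sm9obiBEb2U=
userPassword: {SSHA}constructed-hash
gecos: John Doe, folded by the
  exporter

dn: cn=staff,ou=Groups,dc=old,dc=example
cn: staff
"""

def parse_ldif(text):
    """Parse LDIF into entries, each a list of (attr, value); text values only."""
    text = re.sub(r"\r?\n ", "", text)       # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", text):
        entry = []
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue                     # skip blanks and comments
            attr, _, val = line.partition(":")
            if val.startswith(":"):          # "attr:: value" is base64
                val = base64.b64decode(val[1:]).decode("utf-8")
            entry.append((attr, val.strip()))
        if entry:
            entries.append(entry)
    return entries

def to_ipa_user(entry, realm, suffix):
    """Rewrite a user entry for the IPA DIT (None if no uid); drops userPassword."""
    uid = next((v for a, v in entry if a.lower() == "uid"), None)
    if uid is None:
        return None
    have = [v for a, v in entry if a.lower() == "objectclass"]
    classes = have + [c for c in IPA_USER_CLASSES if c not in map(str.lower, have)]
    skip = {"dn", "objectclass", "userpassword", "krbprincipalname"}
    out = [("dn", f"uid={uid},cn=users,cn=accounts,{suffix}")]
    out += [("objectClass", c) for c in classes]
    out += [(a, v) for a, v in entry if a.lower() not in skip]
    return out + [("krbPrincipalName", f"{uid}@{realm}")]
```

Entries without a uid, such as the group in the sample, come back as None and need their own handling.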