[Freeipa-users] migrate from LDAP to FreeIPA ?

Dmitri Pal dpal at redhat.com
Mon Apr 4 13:59:27 UTC 2011


On 04/04/2011 04:12 AM, Jan-Frode Myklebust wrote:
> On Fri, Mar 25, 2011 at 05:14:02PM -0400, Rob Crittenden wrote:
>> Shouldn't be too bad. Here is our beta documentation on migration:
>>
>> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA
> Ok, good, that looks like it should cover the bulk of our migration.
>
> The other problems I'm looking at are probably more of design issues.
> Is there a deployment guide somewhere as well?

No, not yet. This manual is what we have.
But we will be very interested in hearing your opinion on what topics
other than those we already have in the manual we should cover.

> Currently we use netgroups for servers and users, mainly to manage who
> can log in to which server through pam_access/access.conf plus for sudo
> rules. Should we continue using netgroups, or will the "user groups" and
> "host groups" in IPA cover this?

We recommend using groups and host groups. Both support nesting.
For migration purposes a netgroup with the same name is created by
default for any host group you create. This netgroup is just a pointer
to the host group, sort of a shell.
This would allow you to use host groups in the admin model while the
clients can continue to leverage netgroups until they get smart enough to
use host groups directly. At that moment you would be able to turn off the
automatic creation of the netgroups. But this will be in the quite distant
future.

> Do the user groups allow nesting of
> posix groups? I.e. user1 is a member of group1, which automatically makes him
> a member of group2 and group3?

Yes, the groups are nested and you can mix posix and nonposix groups.

> Some guides for configuring roles/privileges would be very interesting.
> We want to have "group admins" who are allowed to add/remove members of
> the groups this admin admins... Also we might want to allow team leaders
> to add new users..

We do not have enough "solutions" worked out yet.
Any contributions about your experience with IPA will be valuable.


> Oh.. and is there any training available/planned for IPA (v2)?

We will be giving a presentation at the Summit.
The training schedule is not yet worked out.

>
>   -jf


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

