[Freeipa-users] migration plan from local accounts

Dmitri Pal dpal at redhat.com
Thu Jan 5 22:28:46 UTC 2012


On 01/05/2012 04:20 PM, Sylvain Angers wrote:
> Hello
>
> We have a mixed environment of AIX and Linux servers
> All our user accounts are still set locally - no NIS, and we do not
> have unique uid/gid toward our hosts!!!
> I am evaluating the possibility of using Red Hat Identity Management in
> our environment
> I have to figure out what AIX will be able to support - we would at
> least want to be able to limit who could access what on AIX
> so if you have dealt with AIX, let me know
>
> but here is my main question
>
> My question is how do I deal with our current local users?

This is a tough one... The assumption was that some kind of identity
system is already in place.

> When user DAVE gets freeipa id 10000000567, do you have to chown every
> file he has on a local machine while he might have uid/gid 501?


Yes.

>
> I guess we will have to bite the bullet and have a unique id for every
> user - right?

Correct

> Is there a simple migration plan from local to freeipa?

You pretty much outlined it here. There is nothing better I know of.
Your user IDs are probably low enough that there is no overlap with user
IDs from IdM.

> do we have to migrate one account at a time, so if an account does
> not exist locally, it will check remote?

This is usually the case when you use files in the nsswitch.conf first
and then ldap or sss.
So logic would be:
1) Create a user in IdM with the same name as a local user (if it does
not already exist)
2) Find all files owned by local user and replace UID/GID with the ones
from IPA user with the same name
3) Remove local user
4) Repeat for all local users
5) Repeat on every machine

Step 1) might be a challenge from an AIX machine so you might consider
creating a list of all users first, precreating the users in IdM and
then running a script that would do the rest on each of the machines you
need to convert.

>
> I am missing the big picture
>
> thanks in advance
> -- 
> Sylvain Angers
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
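
Added example, not part of the original message and not FreeIPA project code: a POSIX sh sketch of the per-machine script for steps 2) to 4) above. The map file format, the function names `check_map` and `reown`, and the sample IDs are assumptions made for this example; users are assumed to be precreated in IdM already.

```shell
#!/bin/sh
# Re-own files after local accounts are replaced by IdM accounts.
# Map file (format constructed for this example), one user per line:
#   name old_uid new_uid old_gid new_gid

# check_map MAP: fail if a new ID is also some user's old ID. A later pass
# would otherwise re-own files that an earlier pass had already migrated.
check_map() {
    awk '!/^#/ && NF == 5 && $2 != $3 { ou[$2]; nu[$3] }
         !/^#/ && NF == 5 && $4 != $5 { og[$4]; ng[$5] }
         END {
             for (i in nu) if (i in ou) { print "uid " i " is both old and new"; bad = 1 }
             for (i in ng) if (i in og) { print "gid " i " is both old and new"; bad = 1 }
             exit bad + 0
         }' "$1"
}

# reown ROOT MAP [run]: print the planned commands (default, no privileges
# needed), or execute them when the third argument is "run" (needs root).
reown() {
    root=$1 map=$2 mode=${3:-plan}
    check_map "$map" >&2 || return 1
    while read -r name ouid nuid ogid ngid; do
        case $name in ''|\#*) continue ;; esac
        if [ "$mode" = run ]; then
            # -xdev stays on one filesystem (skips NFS and other mounts);
            # -h changes a symlink itself and never follows it to its target.
            find "$root" -xdev -user "$ouid" -exec chown -h "$nuid" {} +
            find "$root" -xdev -group "$ogid" -exec chgrp -h "$ngid" {} +
        else
            find "$root" -xdev -user "$ouid" -exec echo chown -h "$nuid" {} \;
            find "$root" -xdev -group "$ogid" -exec echo chgrp -h "$ngid" {} \;
        fi
    done < "$map"
}

# Stand-alone use: sh reown.sh / /root/idmap.txt        (review the plan)
#                  sh reown.sh / /root/idmap.txt run    (apply it)
if [ "$#" -ge 2 ]; then reown "$@"; fi
```

On Linux, chown clears the set-user-ID and set-group-ID bits on executable files, so list such files owned by the migrated users before the run and restore the bits deliberately afterwards. Run it once per mounted local filesystem, since `-xdev` does not cross mount points.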

