[Freeipa-users] Migration from LDAP to IPA

Dmitri Pal dpal at redhat.com
Sun Mar 18 16:47:51 UTC 2012


On 03/17/2012 06:24 AM, Marco Pizzoli wrote:
> Hi,
> by looking at the RHEL6 IPA documentation I can find instructions on
> how to migrate from an existing LDAP server to IPA.
>
> It cites the step:
> ipa config-mod --enable-migration=TRUE
>
> Please, could you explain to me what is the internal scope of this
> command?
>
> Also, is it normal that (always in the doc) after executing "ipa
> migrate-ds" I don't have to revert to
> ipa config-mod  --enable-migration=FALSE
>

This enables password migration using SSSD or a special web page. It
turns on migration mode.
The issue is that when you load the LDIF from the external DS you still
need to generate Kerberos hashes for every user's password. But to do
this you need to have the password in the clear. So your options are: to
force users to change their password (which is not pleasant), to give
users a page to authenticate (it gets enabled when you enable migration),
or to allow SSSD to perform a seamless migration by realizing that the
user does not have a Kerberos hash, authenticating via LDAP, which causes
a hash to be created, and then authenticating using Kerberos (turned on
by this migration flag).

So the last two migration methods are enabled when you execute the command.
You need to turn it off when all users have Kerberos passwords.


Deon, if this is not clear in the documentation, I think we should add
this clarification.

>
> Thanks again
> Marco
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
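
Added example (not part of the original message and not FreeIPA's own tooling): one way to check whether every migrated user already has a Kerberos hash before turning migration mode off. It assumes the hash is stored in the krbPrincipalKey attribute and that user entries live under cn=users,cn=accounts; the dc=example,dc=com suffix, the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Reads LDIF on stdin (entries separated by blank lines) and prints the uid
# of every entry that has no krbPrincipalKey attribute (no Kerberos hash yet).
users_without_krb_key() {
    awk '
        BEGIN { RS = ""; FS = "\n" }   # paragraph mode: one LDIF entry per record
        {
            uid = ""; has_key = 0
            for (i = 1; i <= NF; i++) {
                name = tolower($i)     # LDAP attribute names are case-insensitive
                if (name ~ /^krbprincipalkey:/) has_key = 1
                else if (name ~ /^uid:/ && uid == "") {
                    uid = $i; sub(/^[^:]*:+ */, "", uid)
                }
            }
            if (uid != "" && !has_key) print uid
        }'
}

# Constructed sample input: alice has a key, bob and carol do not.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPrincipalKey:: Q09OU1RSVUNURUQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
uid: carol
EOF
}

# On a real server, feed the function from ldapsearch instead (assumed suffix).
# Bind as Directory Manager: if the bind identity cannot read krbPrincipalKey,
# every user would wrongly show up as unmigrated.
#   ldapsearch -LLL -o ldif-wrap=no -x -D "cn=Directory Manager" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=com" \
#     "(objectClass=posixAccount)" uid krbPrincipalKey | users_without_krb_key

pending=$(sample_ldif | users_without_krb_key)
if [ -n "$pending" ]; then
    printf 'Still without a Kerberos key, keep migration mode on:\n%s\n' "$pending"
else
    echo 'All users have Kerberos keys: ipa config-mod --enable-migration=FALSE'
fi
```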

