[Freeipa-users] Starting from scratch & migrating users?

Dmitri Pal dpal at redhat.com
Wed Jan 23 00:02:44 UTC 2013


On 01/22/2013 06:28 PM, Matthew Barr wrote:
> On Jan 22, 2013, at 5:15 PM, Dmitri Pal <dpal at redhat.com> wrote:
>> Which LDAP method exactly?
>> LDIF dump and load? This would not work well unless you also manage to move the certs and Kerberos master key over, which is really hard.
> I was assuming the ipa migrate-ds.
>
>
>>> Thoughts?  I don't anticipate moving any hardware that's enrolled from site to site, so certs & the like shouldn't be a factor.
>>>
>> If, instead of dump and load, you install a new IPA server, it will not have any old data and will have new certs and Kerberos keys.
>> You would have to re-enroll all your clients once again. Users would have to deal with the password change after you read in users using ipa migrate-ds.
>> Other information would also have to be precreated using ipa commands, but this can be scripted by taking an LDIF and creating a series of ipa commands to add data into the new instance.
>
> I intend to re-enroll all clients.  Only clients in the new site will be in the system.
>
> Most of my users (25 users) use Linux, and sssd will take care of most of the Kerberos hashes.  The rest - 10-15 users - can be told to log in to the migrate LDAP page, later on in the migration.
>
> We've got very little other information in IPA, so it's not a huge issue.
>
>
> I thought this might be easier than trying to clean up old crud, and moving the master IPA server.  There doesn't seem to be a very good process for moving all the components to a new master easily.
>
>
>
> Thanks!
You are correct. There is no good process to move data over but it seems
that you thought through things very well.
You described the same sequence as I would recommend at the moment to
anyone who wants to move from one IPA instance into a completely new one.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
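
The LDIF-to-ipa-commands scripting mentioned in the quoted reply could look like the sketch below; it is an added example, not code from this thread or from the FreeIPA project. It assumes the "other information" is host groups exported with objectClass `ipahostgroup`, the sample LDIF is constructed, and every value is shell-quoted because directory data ends up on a command line.

```python
import base64
import shlex

# Constructed sample export; entries and values are illustrative only.
SAMPLE_LDIF = """\
dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: webservers
description: Ops team's front-end
  web hosts

dn: cn=dbservers,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: dbservers
description:: RGF0YWJhc2UgaG9zdHM=
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: ..." marks a base64 value
                value = base64.b64decode(value[1:]).decode("utf-8")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def hostgroup_commands(entries):
    """Emit one shell-quoted `ipa hostgroup-add` line per host group entry."""
    cmds = []
    for e in entries:
        classes = [c.lower() for c in e.get("objectclass", [])]
        name = e.get("cn", [""])[0]
        if "ipahostgroup" not in classes or not name or name.startswith("-"):
            continue                        # skip non-groups and option-like names
        argv = ["ipa", "hostgroup-add", name]
        if e.get("description"):
            argv.append("--desc=" + e["description"][0])
        cmds.append(" ".join(shlex.quote(a) for a in argv))
    return cmds

if __name__ == "__main__":
    print("\n".join(hostgroup_commands(parse_ldif(SAMPLE_LDIF))))
```

Review the generated lines before running them against the new server with an admin Kerberos ticket.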

