[Freeipa-users] migrating FreeIPA to another domain name (was: Re: IPA, Samba and AD)

Petr Spacek pspacek at redhat.com
Mon Sep 23 08:41:16 UTC 2013


On 23.9.2013 09:54, Fred van Zwieten wrote:
> Suppose we would "bite the bullet" and *move* IPA to another domain. This
> would be a subdomain (IPA.MYCOMP.EDU). I have to install 2 new IPA servers.
> No problems there. However, I have to migrate the data. That is a real
> problem, I think. For HBAC rules, SUDO rules, etc we can do this manually.
> However Users and DNS is quite a lot *and* we want to migrate the user
> passwords.
>
> For DNS we could use zone transfers
FreeIPA stores all the data in LDAP, so it would be better to do this:
1) export whole DNS sub-tree to LDIF (via ldapsearch)
2) change LDAP DNs (add dc=ipa to the DN components)
3) import all the data back (via ldapadd)

SRV & FreeIPA host records will need some manual work, but basically you just 
need to add '.ipa.' component to all host names and references to them. Don't 
forget to add/change delegation NS+A records in the parent DNS zone (MYCOMP.EDU).

Let us know if you need any assistance.

> But for user passwords?
Guys, could the migrate-ds script help?

>
> Is there IPA export import type of functionality (in RHEL64) that can
> provide this?

-- 
Petr^2 Spacek
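
Added example, not part of the original message: a sketch of step 2 (rewriting the DNs in the exported LDIF) that handles folded lines and base64-encoded DNs and does not rewrite a DN twice. The suffixes `dc=mycomp,dc=edu` and `dc=ipa,dc=mycomp,dc=edu`, the function names and the sample entries are assumptions; zone names and host names inside records still need the manual changes described above.

```python
import base64

OLD_SUFFIX = "dc=mycomp,dc=edu"         # assumed suffix of the existing realm
NEW_SUFFIX = "dc=ipa,dc=mycomp,dc=edu"  # assumed suffix of the new realm

# Constructed sample export; the second DN is folded the way ldapsearch wraps long lines.
SAMPLE = """\
dn: idnsname=mycomp.edu,cn=dns,dc=mycomp,dc=edu
objectClass: idnsZone

dn: idnsname=www,idnsname=mycomp.edu,cn=dns,
 dc=mycomp,dc=edu
objectClass: idnsRecord
aRecord: 192.0.2.10
"""

def unfold(text):
    """Join LDIF continuation lines (RFC 2849: a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def rewrite_dn(dn, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Swap the trailing suffix; skip foreign and already-migrated DNs."""
    low, o, n = dn.lower(), old.lower(), new.lower()
    if low == n or low.endswith("," + n):
        return dn                          # already under the new suffix
    if low == o:
        return new
    if low.endswith("," + o):
        return dn[:len(dn) - len(old)] + new
    return dn                              # not under the old suffix

def rewrite_ldif(text, old=OLD_SUFFIX, new=NEW_SUFFIX):
    """Rewrite only dn:/dn:: lines; attribute values are left untouched."""
    out = []
    for line in unfold(text):
        if line[:4].lower() == "dn::":     # base64-encoded DN
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
            enc = base64.b64encode(rewrite_dn(dn, old, new).encode("utf-8"))
            line = "dn:: " + enc.decode("ascii")
        elif line[:3].lower() == "dn:":
            line = "dn: " + rewrite_dn(line[3:].strip(), old, new)
        out.append(line)                   # output is not re-folded
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE), end="")
```

Review the rewritten LDIF by hand before feeding it to ldapadd, since a DN that ends up under the wrong suffix is either rejected or created in the wrong place.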
