[Freeipa-users] export users/groups from one ipa server to another

[Dmitri Pal]

On 01/17/2014 09:36 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>> Hi All,
>>>
>>> Looking for the quickest and easiest way to export users from one
>>> freeipa server and install on another.
>>>
>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR
>>> environment.
>>> I am setting up an identical freeipa server in a Production
>>> Environment.
>>>
>>> The two environments will not be configured to talk to each other.
>>> They will both have there own replicas.
>>>
>>> I simply want to export the users and groups I created in freeipa in
>>> DR, and import them (preserving details and passwords) into the
>>> freeipa server in Production.
>>>
>>> What is the recommendation? Is there an ipa tool? Or will ldif
>>> exports suffice?
>>>
>>> Thanks in advance,
>>>
>>> Les
>>
>> I think the best way would be to use the "ipa migrate-ds" command. It
>> should
>> work both with stand alone Directory Servers and IPA too. You may
>> just need to
>> play with --userignoreobjectclass amd userignoreattribute to not migrate
>> Kerberos related attributes and objectclasses if for example your
>> other DS has
>> a different realm.
>
> Kerberos attributes are already excluded by default.
>
> You'll need to enable password migration mode on the production IPA
> server, ipa config-mod --enable-migration=true
>
> The first time your migrated production users authenticate with their
> password their Kerberos credentials will be generated.

If users authenticate using sssd. ^

>
> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/