[Freeipa-users] export users/groups from one ipa server to another

Martin Kosek mkosek at redhat.com
Fri Jan 17 15:02:33 UTC 2014


On 01/17/2014 03:58 PM, Dmitri Pal wrote:
> On 01/17/2014 09:36 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>>> Hi All,
>>>>
>>>> Looking for the quickest and easiest way to export users from one
>>>> freeipa server and install on another.
>>>>
>>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR
>>>> environment.
>>>> I am setting up an identical freeipa server in a Production
>>>> Environment.
>>>>
>>>> The two environments will not be configured to talk to each other.
>>>> They will both have their own replicas.
>>>>
>>>> I simply want to export the users and groups I created in freeipa in
>>>> DR, and import them (preserving details and passwords) into the
>>>> freeipa server in Production.
>>>>
>>>> What is the recommendation? Is there an ipa tool? Or will ldif
>>>> exports suffice?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Les
>>>
>>> I think the best way would be to use the "ipa migrate-ds" command. It
>>> should
>>> work both with stand alone Directory Servers and IPA too. You may
>>> just need to
>>> play with --userignoreobjectclass and userignoreattribute to not migrate
>>> Kerberos related attributes and objectclasses if for example your
>>> other DS has
>>> a different realm.
>>
>> Kerberos attributes are already excluded by default.
>>
>> You'll need to enable password migration mode on the production IPA
>> server, ipa config-mod --enable-migration=true
>>
>> The first time your migrated production users authenticate with their
>> password their Kerberos credentials will be generated.
> 
> If users authenticate using sssd. ^

If they do not use SSSD, they can also use a special page for password migration:

https://ipa.example.com/ipa/migration/

Martin
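
Added example, not written by anyone in this thread and not FreeIPA code: after the migration described above, this classifies accounts in an LDIF export by whether their Kerberos keys exist yet. It assumes the LDIF comes from an ldapsearch on the production server run with enough privilege to read `userPassword` and `krbPrincipalKey`, and that the presence of `krbPrincipalKey` marks a generated key; the sample entries and function names are constructed.

```python
# Constructed sample: LDIF of the users container after migration (values made up).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: uid=carol,cn=users,cn=accounts,dc=example,
 dc=com
uid: carol
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercase attribute -> values."""
    unfolded = text.replace("\n ", "")  # LDIF continuation lines start with a space
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            # "attr:: value" marks base64 data; only presence matters here.
            entry.setdefault(name.lower(), []).append(value.lstrip(": "))
        if "dn" in entry:
            entries.append(entry)
    return entries


def migration_status(entries):
    """Group user ids by what the migration flow still requires of them."""
    status = {"complete": [], "pending_first_login": [], "no_password": []}
    for e in entries:
        uid = e.get("uid", ["?"])[0]
        if "krbprincipalkey" in e:
            key = "complete"
        elif "userpassword" in e:
            key = "pending_first_login"  # keys appear after SSSD or migration-page login
        else:
            key = "no_password"  # assumption: no hash migrated, admin must set a password
        status[key].append(uid)
    return status


if __name__ == "__main__":
    print(migration_status(parse_ldif(SAMPLE_LDIF)))
```

An empty `pending_first_login` list is a reasonable signal that migration mode can be switched off again with `ipa config-mod --enable-migration=false`.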



