[Freeipa-users] export users/groups from one ipa server to another

Sankar Ramlingam sramling at redhat.com
Mon Jan 20 05:09:21 UTC 2014


On 01/20/2014 09:51 AM, Les Stott wrote:
> Thanks Martin.
>
> Ipa migrate-ds worked a treat. I'll get users to log in to an ipa client so that it generates the Kerberos hash (like I had to originally).
>
> For reference I did have to specify the correct containers for users and groups...
>
> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://dr-ipa.mydomain.com:389
>
> I still would like a way to dump users out to a file, for backup purposes, such as an ldif file. If anyone has a script to do that I'd appreciate it.
Please refer to this link - 
http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html#Exporting_Data-Exporting_to_LDIF_from_the_Command_Line

Thanks,
-Sankar R

>
> Regards,
>
> Les
>
>
> -----Original Message-----
> From: Martin Kosek [mailto:mkosek at redhat.com]
> Sent: Friday, 17 January 2014 6:46 PM
> To: Les Stott; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] export users/groups from one ipa server to another
>
> On 01/17/2014 07:24 AM, Les Stott wrote:
>> Hi All,
>>
>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>
>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
>> I am setting up an identical freeipa server in a Production Environment.
>>
>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>
>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>
>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>
>> Thanks in advance,
>>
>> Les
> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.
>
> Martin
>

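Added example, not part of the original thread and not FreeIPA project code: a backup script of the kind asked for above, dumping the same two containers used in the migrate-ds command to LDIF with ldapsearch. The function names, the output directory and the suffix derivation (dc= form of the domain, as on an install whose realm matches the domain) are assumptions.

```shell
#!/bin/sh
# Added example: dump FreeIPA users and groups to LDIF files for backup.
# Assumes the OpenLDAP client tools (ldapsearch) are installed and that the
# directory suffix is the dc= form of the domain (realm equal to the domain).

# mydomain.com -> dc=mydomain,dc=com
domain_to_suffix() {
    printf '%s\n' "$1" | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

# Count entries in an LDIF file: one "dn:" (or base64 "dn::") line per entry.
count_entries() {
    grep -c '^dn:' "$1"
}

# Dump one subtree. Binds as Directory Manager (prompting for the password)
# because userPassword and krbPrincipalKey are not readable by ordinary accounts.
dump_container() {   # $1=LDAP URI  $2=base DN  $3=output file
    ldapsearch -x -LLL -H "$1" -D "cn=Directory Manager" -W -b "$2" > "$3"
}

backup_ipa() {       # $1=LDAP URI  $2=domain  $3=output directory
    suffix=$(domain_to_suffix "$2")
    umask 077        # the dump holds password hashes and Kerberos keys
    mkdir -p "$3" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    for c in users groups; do
        out="$3/$c-$stamp.ldif"
        dump_container "$1" "cn=$c,cn=accounts,$suffix" "$out" || return 1
        echo "$c: $(count_entries "$out") entries -> $out"
    done
}

# Runs only when given three arguments, for example (paths are placeholders):
#   sh ipa-ldif-backup.sh ldap://dr-ipa.mydomain.com:389 mydomain.com /root/ipa-backup
if [ "$#" -eq 3 ]; then
    backup_ipa "$@"
fi
```

The resulting files contain credential material, so store them with the same care as the directory database itself.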


