[Freeipa-users] export users/groups from one ipa server to another

Dmitri Pal dpal at redhat.com
Mon Jan 20 16:37:18 UTC 2014


On 01/20/2014 11:12 AM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 20.1.2014 12:27, Petr Spacek wrote:
>>> On 20.1.2014 09:21, Martin Kosek wrote:
>>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>>> Les Stott wrote:
>>>>>>>> The first time your migrated production users authenticate with
>>>>>>>> their password their Kerberos credentials will be generated.
>>>>>>>
>>>>>>> Is there a way to avoid this?
>>>>>>>
>>>>>>> I had to do that for importing shadow files originally in DR. Now,
>>>>>>> I'm going from freeipa to freeipa. If I export kerberos attributes,
>>>>>>> will that avoid users having to regenerate the kerberos
>>>>>>> credentials?
>>>>>>
>>>>>> No. The kerberos master keys are different.
>>>>>
>>>>> Unless you want to copy master keys over.
>>>>> This is a complex manual procedure. You can probably find it in the
>>>>> archives as we helped people with it a couple of times but it is not
>>>>> recommended.
>>>>>
>>>>> Maybe we should open an RFE to develop a tool that would do
>>>>> ipa-migrate-ipa and can be used to move data from POC to production.
>>>>
>>>> We have a RFE open for that feature already:
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3656
>>>>
>>>> I added a reference to this discussion on the list. Contributions or
>>>> other ideas are very welcome!
>>>
>>> It sounds like creating a new replica and then disconnecting the new
>>> replica from the old replica.
>>>
>>> This procedure will copy all keys etc., so be sure you understand
>>> security implications for your environment! (Who can get root access
>>> to old environment? Who can get root access to the new environment?
>>> What will you do if one of them was compromised...?)
>>
>> I should clarify this:
>>
>> Maybe we could provide a tool for FreeIPA domain rename, so you
>> can create replica, disconnect the replica and then rename the FreeIPA
>> domain to something else (renaming would include master-key regeneration
>> etc.).
>>
>> This solves two problems at once:
>> - FreeIPA-to-FreeIPA migration
>> - FreeIPA domain renaming
>>
>
> There could be some weird side-effects. The certificate subject base
> is not changeable post-install so you could end up issuing certs with
> the subject of the old realm.
>
> rob

There is a set of tickets to be able to change the chaining and rename
the root CA. Once this is available I guess we would need to call that
too to change the subject and chaining.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
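As an added illustration of the point made above (Kerberos keys exported from one FreeIPA server are encrypted under that server's master key and cannot be reused by another), here is a small Python scrubber. It is not code from this thread or from FreeIPA: it drops the key-material attributes from a user LDIF export so the target server regenerates keys on first password authentication, and reports principals whose realm differs from the target. The attribute names are the standard Kerberos LDAP schema ones; the sample LDIF and realms are constructed placeholders.

```python
import base64
from typing import Dict, List

# Attributes holding key material encrypted under the source KDC's master
# key; useless on another FreeIPA deployment, so drop them before import.
KRB_KEY_ATTRS = {"krbprincipalkey", "krbextradata", "krbmkey"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' values."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        current.setdefault(attr.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def scrub_entry(entry: Dict[str, List[str]], target_realm: str) -> dict:
    """Strip encrypted key attributes in place; flag foreign-realm principals."""
    stripped = sorted(a for a in entry if a in KRB_KEY_ATTRS)
    for attr in stripped:
        del entry[attr]
    foreign = [p for p in entry.get("krbprincipalname", [])
               if not p.upper().endswith("@" + target_realm.upper())]
    return {"dn": entry.get("dn", [""])[0], "stripped": stripped,
            "foreign_realm_principals": foreign}


def scrub_ldif(text: str, target_realm: str):
    entries = parse_ldif(text)
    return entries, [scrub_entry(e, target_realm) for e in entries]


# Constructed sample export with placeholder realms (not from the thread).
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=com
uid: alice
krbPrincipalName: alice@OLD.EXAMPLE.COM
krbPrincipalKey:: MIIBAgMCAQAw
krbExtraData:: AAKxHQ==
userPassword: {SSHA}placeholder

dn: uid=bob,cn=users,cn=accounts,dc=new,dc=example,dc=com
uid: bob
krbPrincipalName: bob@NEW.EXAMPLE.COM
"""
```

Run `scrub_ldif(SAMPLE_LDIF, "NEW.EXAMPLE.COM")` to get the cleaned entries plus a per-entry report of what was stripped and which principals still name the old realm.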
