[Freeipa-users] Using 389-console with FreeIPA 3

Dmitri Pal dpal at redhat.com
Fri Sep 5 09:22:56 UTC 2014


On 09/04/2014 11:24 PM, Andrew Krause wrote:
> I realize this question has been brought forth previously, but I am 
> unable to find a clear answer.  I have a 389-ds environment that is 
> serving as an authentication back end for a python application.  The 
> plan was to use this as a kind of SSO for other future applications 
> and we have MANY users/groups/OUs and different policies involved 
> already.  Since it's not really feasible to re-create everything, and 
> it will not integrate directly with FreeIPA I would like to be able to 
> import my subtree to the 389-ds instance within my new FreeIPA install 
> and manage that subtree separately from all my hosts and POSIX users.
>
> The short question, how can I manage to get the admin console working 
> with the 389-ds that is included in FreeIPA?
>
> I'd really like to use FreeIPA for all my host based authentication, 
> but it becomes a non-option if we have to run multiple directory 
> clusters.
>
>
The best way is to use the ipa migrate-ds command to load the users from the 
external LDAP server.
You can connect a console to the IPA DS instance, but we do not recommend 
doing modifications via it because IPA creates all sorts of object 
classes on the entries on top of the usual posix account. You can use the 
console to validate on the low level that all data has been properly 
migrated.
But again, ipa has the ipa user-find and user-show commands that allow you to 
validate too, so the console might actually not be needed.

Please refer to ipa help and the online downstream manuals on how to use 
the migrate-ds command.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
