[Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

Christopher Lamb christopher.lamb at ch.ibm.com
Wed Jun 10 14:11:45 UTC 2015


Hi Martin and Tamas

My source was a different one, I found a hint in an IPA Python file!

Luckily I documented what we did in our internal wiki. I have found the
following section:

Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0

> kinit admin
> ipa config-mod --enable-migration=TRUE
> ipa-compat-manage disable
> ipactl restart

The migration function uses the script
/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains
some useful comments, including the parameters for an IPA to IPA migration!

> ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://<url of old FreeIPA server>:389
> ipa-compat-manage enable
> ipactl restart

This copies all the users, and the groups - other than admin. This means
that users that were members of the admins group on the old instance will
not be added to the admins group on the new instance. They must be re-added,
either via the Web UI, or CLI:

> su - admin
> ipa group-add-member admins --users=bilbo


Note that at the time we were making things up as we went along, so very possibly
this was not the best way 8-) but it worked for us.

Chris




From:	Martin Kosek <mkosek at redhat.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH, Tamas Papp
            <tompos at martos.bme.hu>
Cc:	freeipa-users at redhat.com
Date:	10.06.2015 15:35
Subject:	Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not
            migrated?



On 06/10/2015 03:32 PM, Christopher Lamb wrote:
> Hi Tamas
>
> I think the general advice is to replicate rather than to migrate. I am
> sure Martin K will jump in on this.

Yes :-)

> However some weeks ago, when doing a very similar move to yours, we chose
> to migrate (we were misled by some very old FreeIPA docus that have since
> been archived).
>
> In our case passwords were successfully migrated, so the users were able to
> use the same user / password combo as before.
>
>
> I will see if I can dig out the migrate command we used at the time.

Did you use the migration command advised in
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

?

>
> Chris
>
>
>
> From:		 Tamas Papp <tompos at martos.bme.hu>
> To:		 freeipa-users at redhat.com
> Date:		 10.06.2015 15:19
> Subject:		 [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
> Sent by:		 freeipa-users-bounces at redhat.com
>
>
>
> hi,
>
> Currently there are CentOS 6.5 servers and IPA 3.0.
>
> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>
> This is the command I use:
>
>
> $ ipa migrate-ds ldap://ipa11
> --user-container=cn=users,cn=accounts,dc=foo
> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo
> --with-compat < ~/.pw.manager
>
>
> Users are migrated successfully but password must be reset, otherwise
> they cannot logon. Any idea, what's going on?
>
>
>
>
> I also have a bonus question.
> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
> export/import it as ldif and that's all?
>
>
> Thanks,
> tamas
>
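Chris's message above notes that former members of the admins group are not carried over by the migration and must be re-added by hand. As an added example (not part of the thread and not FreeIPA code), this script compares saved `ipa group-show admins` output from the old and new servers and prints the re-add commands for review. The file names, the sample users frodo and sam, and the single-line "Member users:" layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list users who were in the old server's
# admins group but are not in it on the new server after `ipa migrate-ds`.

# Read `ipa group-show admins` output on stdin; print its member users, one
# per line, sorted. Assumes the list is on a single "Member users:" line.
member_users() {
    sed -n 's/^ *Member users: *//p' | tr ',' '\n' |
        sed 's/^ *//; s/ *$//; /^$/d' | sort -u
}

# $1: saved output from the old server, $2: saved output from the new one.
# Prints (never runs) one re-add command per missing user, for review.
readd_commands() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    member_users < "$1" > "$old_list"
    member_users < "$2" > "$new_list"
    comm -23 "$old_list" "$new_list" | while read -r user; do
        case $user in
            *[!A-Za-z0-9._-]*) echo "skipping odd name: $user" >&2 ;;
            *) echo "ipa group-add-member admins --users=$user" ;;
        esac
    done
    rm -f "$old_list" "$new_list"
}

# Constructed sample data (hypothetical users frodo and sam; bilbo is the
# user named in the message).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/old.txt" <<'EOF'
  Group name: admins
  Description: Account administrators group
  Member users: admin, bilbo, frodo
EOF
    cat > "$dir/new.txt" <<'EOF'
  Group name: admins
  Description: Account administrators group
  Member users: admin, sam
EOF
    readd_commands "$dir/old.txt" "$dir/new.txt"
    rm -rf "$dir"
}

demo
```

Because admins is a privileged group, the output is meant to be read and approved line by line before any command is run on the new server.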