[Freeipa-users] What to do when a company/domain name should be changed ?

Simo Sorce ssorce at redhat.com
Wed Sep 30 13:30:52 UTC 2015


On 30/09/15 07:57, Martin Kosek wrote:
> On 09/27/2015 01:34 PM, Matt . wrote:
>> Hi All,
>>
>> I'm investigating what the possibilities are when you have an existing
>> domain/realm and the company name is changed, so the domain should be
>> also. I came up with this idea because I wanted to know how flexible the
>> integration is here.
>>
>> As we use, in my opinion, a very simple and dumb node setup, we are very
>> able to move around as we want, but how is this done at other
>> companies?
>>
>> To start with DNS, I would set up a new IPA server with the new domain
>> and forward this domain from the old IPA server, then start moving over
>> servers and create a new host key for them. As load balancers are in
>> place in lots of setups, this is very easy to do without downtime.
>>
>> I'm more wondering about how the users and their related groups can be
>> moved over, or would this be done using migrate-ds or something? As
>> the domain changes, so does the dc= string too... the reference of the
>> groups is missing.
>>
>> I hope someone can make this more clear as I think this is good
>> knowledge to have upfront anything and any case.
>>
>> Thanks!
>>
>> matt
>
> Good question. From a technical point of view, I think the biggest issue may be
> Kerberos principals/realm and Certificate subject/issuer, as both are not that
> easy to change. CCing Simo in case he has a good idea how to do that.

We can't rename a domain, but you can move all servers to a different 
DNS domain.

> I assume there are 2 ways how to approach the problem:
> 1) Keep using the old realm and main domain and simply add aliases where needed,
> i.e. use the new DNS domain with the old realm or old Certificate subject base
>
> 2) Start a new FreeIPA with a fixed Kerberos realm and CA - this is a clean start,
> though a rather brutal one. We have plans to provide some tooling to help; for
> now there is only the possibility to migrate the users:

My suggestion would be to go with 1 and/or wait for trust support in 
IPA, at that point migration from one domain to another will be much 
easier as it will be possible to do it one machine/user at a time 
(caveat: 2 distinct FreeIPA realms will probably not be able to share 
the same DNS namespace).

HTH,
Simo.

> http://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
>
> Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656,
> so some updates may happen.
>


-- 
Simo Sorce * Red Hat, Inc * New York
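Matt's concern above, that group membership references break once the base DN (the dc= string) changes, can be checked mechanically before and after a migration. The following is an added example, not code from this thread or from FreeIPA: it rewrites the base-DN suffix of DN-valued attributes in a constructed LDIF export and then lists member values that point at entries missing from the export. The attribute names and the sample DNs are assumptions for illustration.

```python
# Constructed sample LDIF export (not from the thread): one user and one group
# whose "member" attribute references the user under the old base DN, plus a
# deliberately dangling member reference.
SAMPLE_LDIF = """dn: uid=matt,cn=users,cn=accounts,dc=oldcorp,dc=example
objectClass: inetorgperson
uid: matt
memberOf: cn=admins,cn=groups,cn=accounts,dc=oldcorp,dc=example

dn: cn=admins,cn=groups,cn=accounts,dc=oldcorp,dc=example
objectClass: groupofnames
cn: admins
member: uid=matt,cn=users,cn=accounts,dc=oldcorp,dc=example
member: uid=ghost,cn=users,cn=accounts,dc=oldcorp,dc=example
"""

# Attributes whose values are DNs and therefore carry the base-DN suffix
# (assumed list; extend it for any schema that adds more DN-valued attributes).
DN_ATTRS = {"dn", "member", "memberof", "uniquemember", "owner", "seealso", "managedby"}


def rewrite_suffix(ldif: str, old_base: str, new_base: str) -> str:
    """Replace old_base with new_base, but only as the trailing suffix of
    DN-valued attributes; other attributes are left untouched."""
    out = []
    for line in ldif.splitlines():
        if ":" in line and not line.startswith(" "):
            attr, _, value = line.partition(":")
            value = value.strip()
            if attr.lower() in DN_ATTRS and value.lower().endswith(old_base.lower()):
                line = f"{attr}: {value[:-len(old_base)]}{new_base}"
        out.append(line)
    return "\n".join(out) + "\n"


def dangling_members(ldif: str) -> list[str]:
    """Return member DNs that do not match any entry DN in the export,
    i.e. the group references Matt expects to go missing."""
    entries, members = set(), []
    for line in ldif.splitlines():
        attr, _, value = line.partition(":")
        if attr.lower() == "dn":
            entries.add(value.strip().lower())
        elif attr.lower() in ("member", "uniquemember"):
            members.append(value.strip())
    return [m for m in members if m.lower() not in entries]


if __name__ == "__main__":
    moved = rewrite_suffix(SAMPLE_LDIF, "dc=oldcorp,dc=example", "dc=newcorp,dc=example")
    print(moved)
    print("dangling:", dangling_members(moved))
```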