[Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0

Petr Vobornik pvoborni at redhat.com
Tue Apr 26 08:02:40 UTC 2016


On 04/25/2016 11:33 PM, Anthony Cheng wrote:
> So I went ahead and ran the migrate-ds command; I ran into the issue that was 
> described here: 
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when 
> trying to change the password.
> 
> I re-ran the migrate-ds option, but I actually don't see the user accounts being 
> migrated at all when I run "ipa user-show user_name --all".
> 
> I suppose a manual option/script is the only option at this point?
> 
> Anthony
> 
> On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng <anthony.wan.cheng at gmail.com 
> <mailto:anthony.wan.cheng at gmail.com>> wrote:
> 
>     Hi list,
> 
>     I am currently in the midst of doing a migration of FreeIPA from v3.0.0 to
>     v4.2.0; I have set up the new IPA instances and I am looking at migrating the data.

I'd assume that by v3.0.0 you mean RHEL 6.7 and by v4.2.0 RHEL 7.2. For
such a migration you can use the method of creating a replica:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

With IPA upgraded from version 2.x, make sure that the internal CA users have
correct certificates and that all certificates are valid. Details are in the
thread "7.x replica install from 6.x master fails", especially:
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00046.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

> 
>     Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
>     (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
>     it is suggested to run the following sample command:
> 
>     echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
>     --user-container=cn=users,cn=accounts
>     --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
>     --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
>     --user-ignore-objectclass=mepOriginEntry --with-compat
>     ldap://migrated.freeipa.server.test

Migrate DS was designed to be used for migration from a general LDAP
server to IPA, but it can also be used for IPA-to-IPA migration, given that
IPA also has an LDAP server.

> 
>     My questions are:
>     1) Will this work as my new domain has changed (so realm is different)

Yes

>     2) Will this work for migration from 3.0.0 to 4.2.0?

Yes, but see the link above - it is the recommended method if you want
to just "upgrade".

>     3) Is this command safe to run from a production box?

The command doesn't make any changes on the source machine. It's always better
to try it first in a testing environment.

>     4) If it fails or is not safe to run, what is the alternative/process?
>     (details would be appreciated)

It depends on how it fails.

> 
>     Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
>     ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
>     instance, selecting the records to be migrated, updating the attributes in
>     batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

Yes, automatic migration of records other than users and groups was not
yet implemented; we have an RFE for such a migration:
https://fedorahosted.org/freeipa/ticket/3656

> 
>     I have some idea how to do LDIF import/export but is this process documented
>     anywhere (on the freeipa.org <http://freeipa.org>)?

I'm not aware of any such document.
-- 
Petr Vobornik
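One way to do the manual LDIF step the thread discusses for the SUDO/HBAC/DNS objects (an added example, not code from this thread or from the FreeIPA project): parse an `ldapsearch -LLL` export, rebase the entry's dn and every DN-valued attribute such as memberUser onto the new suffix, drop the 389-ds operational attributes that the new server must generate itself, and emit LDIF ready for `ldapadd`. The old and new suffixes, the sample HBAC entry and the operational-attribute list are constructed assumptions; anything else an administrator wants to touch in batch (realm strings, ipaUniqueID regeneration) is left as a per-deployment decision.

```python
import base64
import re

# Constructed for this example (assumptions, not from the thread): base DNs and operational attributes to drop
OLD_SUFFIX = "dc=old,dc=example,dc=test"
NEW_SUFFIX = "dc=new,dc=example,dc=test"
OPERATIONAL = {"creatorsname", "modifiersname", "createtimestamp", "modifytimestamp", "entryuuid", "nsuniqueid"}

# Constructed LDIF export of one HBAC rule; includes a folded line and a base64 value.
SAMPLE_LDIF = """\
dn: ipaUniqueID=0c5b1a2e-0000-4000-8000-000000000001,cn=hbac,dc=old,dc=example,dc=test
objectClass: ipahbacrule
cn: allow_ssh_admins
ipaUniqueID: 0c5b1a2e-0000-4000-8000-000000000001
accessRuleType: allow
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=exa
 mple,dc=test
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=old,dc=example,dc=test
description:: bWlncmF0ZWQgcnVsZQ==
creatorsName: cn=directory manager
"""

def parse_ldif(text):
    # Returns a list of entries, each a list of (attr, value) pairs; assumes ldapsearch -LLL style output
    entries = []
    for block in re.split(r"\n(?:[ \t]*\n)+", text.strip()):
        entry = []
        for line in re.sub(r"\n ", "", block).split("\n"):   # RFC 2849 line folding
            attr, _, val = line.partition(":")
            if val.startswith(":"):                          # base64-encoded value
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            entry.append((attr, val.strip(" ")))
        entries.append(entry)
    return entries

def rewrite_entry(entry, old_suffix, new_suffix, drop=OPERATIONAL):
    """Rebase dn and every DN-valued attribute onto new_suffix; drop operational attributes."""
    pat = re.compile(re.escape(old_suffix) + r"$", re.IGNORECASE)
    return [(a, pat.sub(new_suffix, v)) for a, v in entry if a.lower() not in drop]

def to_ldif(entries):
    """Serialise back to LDIF, base64-encoding values that are not LDIF-safe (RFC 2849)."""
    out = []
    for entry in entries:
        for attr, val in entry:
            safe = val.isascii() and val.isprintable() and val and val[0] not in " :<" and not val.endswith(" ")
            out.append(f"{attr}: {val}" if safe else f"{attr}:: {base64.b64encode(val.encode()).decode()}")
        out.append("")
    return "\n".join(out)

def migrate_ldif(text, old_suffix=OLD_SUFFIX, new_suffix=NEW_SUFFIX):
    return to_ldif(rewrite_entry(e, old_suffix, new_suffix) for e in parse_ldif(text))
```

Pipe a real export through `migrate_ldif` and review the result before feeding it to `ldapadd` on the new server; the dropped attribute set and the suffix rewrite are the two places that need adjusting per deployment.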
