[Freeipa-users] How to migrate from freeipa distribution to separate components

Loris Santamaria loris at lgs.com.ve
Wed Jan 13 15:19:05 UTC 2016


On Wed, 13-01-2016 at 15:57 +0100, bahan w wrote:
> Re.
> 
> Thanks both of you for your answers.
> 
> Simo, MIT Kerberos and OpenLDAP can work on their own and provide the
> same kind of service that we want from IPA, even if it is not
> embedded in an integrated solution like IPA.
> 
> I totally agree that IPA provides a lot of things but I am quite sure
> the isolated software like MIT Kerberos for Kerberos, OpenLDAP for
> LDAP and a cache client like sssd or nscd/nslcd can work.
Yes, they work. I installed some similar solutions ten years ago. Then
I began using freeipa and never looked back.
> Alexander, when I mention migration, I think of the following actions:
> 1. Take the principals that we have for the KDC and recreate them in an MIT Kerberos KDC architecture
> 2. Take the users/groups/pwpolicies in the LDAP and recreate them in an openLDAP architecture
> 
You should first set up openldap following their various howtos, then
set up kerberos with the ldap kdb driver, then dump ldap data from IPA,
massage it into something acceptable for openldap and your chosen schema,
then add it using ldapadd or slapadd. After that you'll want to tune
openldap and add all the needed indexes. You should think about
replication. You should think about security. You should think about
ldap administration.
Good luck, you will need it.
> Do you know if there are other things necessary to recreate in the
> LDAP or in the KDC?
> 
> Additionally, do you have a list of points which could help to convince to keep the freeipa architecture?
> 
> Best regards.
> Bahan

> On Wed, Jan 13, 2016 at 3:33 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> > On Wed, 13 Jan 2016, bahan w wrote:
> > > 
> > > Hello Simo !
> > > 
> > > For the reason :
> > > The production team wants to use only the two components openLDAP and MIT
> > > Kerberos, possibly on different servers.
> > > 
> > > For the explanation :
> > > They want to install only MIT Kerberos and openLDAP.
> > > We already have an existing FreeIPA installation, with users, groups,
> > > principals, pwpolicies.
> > > We would like to migrate this to an openLDAP for the users, groups and
> > > pwpolicies, and to another MIT Kerberos for the principals (hope I'm not
> > > forgetting anything).
> > 
> > FreeIPA provides its own LDAP driver for MIT Kerberos that relies on IPA
> > LDAP schema. Standard MIT Kerberos LDAP driver does not support IPA
> > schema.
> > 
> > Additionally, 389-ds LDAP server FreeIPA uses is coupled with about two
> > dozen additional plugins. These plugins either don't exist for OpenLDAP
> > at all or have different behavior and rely on different LDAP schema.
> > 
> > In short, if you move the data from 389-ds to OpenLDAP, it wouldn't be
> > used by MIT Kerberos LDAP driver because it doesn't know about that
> > data, and OpenLDAP server will not have the same behavior as expected by
> > IPA clients (SSSD) for IPA-specific mode.
> > 
> > Whatever your production team is thinking about this move, it is most
> > certainly not properly thought out.
-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
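The "dump, massage, ldapadd/slapadd" step in the reply above is where most of the work hides. As an added illustration, not code from this thread or from the FreeIPA project, the following stdlib-only Python filter takes an LDIF export of the IPA directory and keeps only what a stock OpenLDAP schema would accept, reporting everything it had to throw away so the admin can audit the loss. The object-class and attribute allow-lists, the STRUCTURAL map and the two sample entries are assumptions or constructed data. It deliberately drops Kerberos key material: IPA stores principal keys encrypted under its own KDC master key and in IPA-specific schema, so a new MIT KDC has to re-key every principal rather than receive copied keys.

```python
"""Rewrite a FreeIPA LDIF dump into entries that OpenLDAP's stock schemas accept (stdlib only)."""
import base64
from collections import defaultdict

# Assumption: classes and attributes that OpenLDAP's core/cosine/inetorgperson/nis
# schema files provide; extend both sets for the schema you actually choose.
KEEP_OBJECTCLASSES = {"top", "person", "organizationalperson", "inetorgperson",
                      "posixaccount", "shadowaccount", "posixgroup", "groupofnames",
                      "organizationalunit"}
KEEP_ATTRIBUTES = {"objectclass", "cn", "sn", "givenname", "displayname", "uid",
                   "uidnumber", "gidnumber", "homedirectory", "loginshell", "gecos",
                   "mail", "description", "member", "memberuid", "userpassword", "ou"}
# Assumption: stock nis.schema declares posixGroup STRUCTURAL (rfc2307bis makes it
# AUXILIARY), so an IPA group carrying groupOfNames and posixGroup fails in slapadd.
STRUCTURAL_ROOT = {"person": "person", "organizationalperson": "person",
                   "inetorgperson": "person", "groupofnames": "groupofnames",
                   "posixgroup": "posixgroup", "organizationalunit": "organizationalunit"}
# Kerberos keys are encrypted under the source KDC's master key: never copy them.
KEY_MATERIAL = {"krbprincipalkey", "krbmkey"}


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]: unfolds continuation lines, decodes
    base64 ('::') values, skips comments and dn-less blocks such as 'version: 1'."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]            # folded continuation line
        elif raw and not raw.startswith("#"):
            current.append(raw)
        elif not raw and current:
            records.append(current)
            current = []
    entries = []
    for block in records:
        dn, attrs = None, defaultdict(list)
        for line in block:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "surrogateescape")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def _move_suffix(value, old, new):
    return value[:-len(old)] + new if value.lower().endswith(old.lower()) else value


def rewrite_entry(dn, attrs, old_suffix, new_suffix):
    """Return a report: the rewritten entry plus what was dropped and why."""
    kept, dropped, classes, needs_rekey = {}, {}, [], False
    for name, values in attrs.items():
        lname = name.lower()
        if lname in KEY_MATERIAL:
            needs_rekey = True                # report it, never echo the key bytes
            dropped[name] = ["<key material withheld>"]
        elif lname == "objectclass":
            kept[name] = [v for v in values if v.lower() in KEEP_OBJECTCLASSES]
            classes = [v.lower() for v in kept[name]]
            lost = [v for v in values if v.lower() not in KEEP_OBJECTCLASSES]
            if lost:
                dropped[name] = lost
        elif lname in KEEP_ATTRIBUTES:       # DN-valued attributes follow the suffix change
            kept[name] = [_move_suffix(v, old_suffix, new_suffix) for v in values]
        else:
            dropped[name] = values
    # Two distinct STRUCTURAL roots in one entry is a schema violation for OpenLDAP.
    roots = sorted({STRUCTURAL_ROOT[c] for c in classes if c in STRUCTURAL_ROOT})
    return {"dn": _move_suffix(dn, old_suffix, new_suffix), "attrs": kept,
            "dropped": dropped, "needs_rekey": needs_rekey,
            "structural_conflict": roots if len(roots) > 1 else []}


# Constructed sample with the shape of an IPA user and group (not real data).
SAMPLE_IPA_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example
objectClass: top
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: ipaobject
uid: alice
cn: Alice Example
sn: Example
krbPrincipalName: alice@IPA.EXAMPLE
krbPrincipalKey:: AAECAw==
memberOf: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example

dn: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example
objectClass: groupofnames
objectClass: posixgroup
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=ipa,dc=example
"""
```

Feed it an LDIF export of the IPA tree (ldapsearch output is already LDIF) and read the reports before loading anything: entries with `needs_rekey` set need their principals recreated in the new KDC, entries with a `structural_conflict` need a decision (load an rfc2307bis-style schema in OpenLDAP, or pick one of the two classes and convert `member` to `memberUid`), and the `dropped` dictionary shows which IPA-specific attributes (policies, memberOf, ipaUniqueID and so on) will simply not exist on the other side, which is the point Alexander's reply makes.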
