[Freeipa-users] Migrating to FreeIPA from an existing Heimdal Kerberos and 389-ds deployment

Petr Vobornik pvoborni at redhat.com
Thu Jul 14 14:40:56 UTC 2016


On 07/14/2016 07:13 AM, Grant Wu wrote:
> Hi all,
> 
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has been a 
> pain point for quite some time.  I've heard that FreeIPA might be a solution 
> worth exploring.
> 
> I would like to try to avoid user visible disruption if possible, however.  This 
> means that we would like to keep our Kerberos realm name, keep AFS cross-realm 
> authentication working, etc.  UIDs remaining the same would be good; I'd have to 
> think about

Users and groups can be migrated by the `ipa migrate-ds` command.
It allows you to keep UIDs and GIDs, but one must make sure that IPA
servers are configured to issue new UIDs and GIDs which don't overlap
with the migrated ones. There are options in the ipa-server-install and
ipa-replica-manage tools for that.

This can be evaluated in an isolated network against a clone of your
LDAP server.

Cross-realm trust with AFS is a challenge though. IPA now supports only
cross-realm trust with Active Directory. Trusts with other general KDCs
are not yet supported.

Another migration challenge might be the migration of services. It is not
done by the above-mentioned `ipa migrate-ds`. When the service accounts are
added to IPA, you would have to obtain new keytabs for the services.

> 
> Essentially all of our clients are various flavors of Debian; mostly Jessie (we 
> have an unfortunate number of older machines that I hope to upgrade soon).

A possibility is to use SSSD as the client on Debian.

> 
> Has anyone done something like this before?  Anyone have any ideas what the 
> migration path would look like or whether this is even possible?
> 
> Thanks,
> 
> Grant Wu
> grantwu at andrew.cmu.edu
> 
-- 
Petr Vobornik
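The UID/GID overlap check mentioned in the reply above, as an added example (this is not code from the FreeIPA project or from either poster). It reads an LDIF export of the legacy 389-ds tree, collects every uidNumber and gidNumber that `ipa migrate-ds` would carry over, and reports whether a proposed IPA ID range (the one given to `ipa-server-install --idstart`/`--idmax`, which seeds the DNA plugin range a server hands out to new entries) collides with them. The sample LDIF, DNs and numbers are constructed for illustration; the parser is deliberately minimal (no folded or base64 attribute lines), which is enough for numeric POSIX attributes.

```python
"""
Added example: check that a planned IPA ID range does not overlap the
UIDs/GIDs of entries about to be migrated with `ipa migrate-ds`.
Sample data is constructed; nothing here talks to a live server.
"""

from dataclasses import dataclass

# Constructed sample export of a legacy 389-ds tree (made-up names and IDs).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=club,dc=example
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=club,dc=example
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1001

dn: uid=svcbackup,ou=People,dc=club,dc=example
objectClass: posixAccount
uid: svcbackup
uidNumber: 65000
gidNumber: 65000

dn: cn=members,ou=Groups,dc=club,dc=example
objectClass: posixGroup
cn: members
gidNumber: 1001

dn: cn=backup,ou=Groups,dc=club,dc=example
objectClass: posixGroup
cn: backup
gidNumber: 65000
"""

# Width of the range IPA should own for new accounts (assumption; pick to taste).
DEFAULT_RANGE_WIDTH = 200000


def collect_ids(ldif_text):
    """Return the set of every uidNumber and gidNumber value in the LDIF."""
    ids = set()
    for raw in ldif_text.splitlines():
        line = raw.strip()
        for attr in ("uidNumber:", "gidNumber:"):
            if line.startswith(attr):
                ids.add(int(line[len(attr):].strip()))
    return ids


@dataclass
class RangeCheck:
    legacy_min: int        # lowest ID present in the export
    legacy_max: int        # highest ID present in the export
    overlap: set           # IDs the proposed IPA range would collide with
    suggested_start: int   # lowest round-number start above everything migrated


def check_id_range(ldif_text, idstart, idmax):
    """Compare the migrated IDs against the proposed [idstart, idmax] range."""
    ids = collect_ids(ldif_text)
    overlap = {i for i in ids if idstart <= i <= idmax}
    # Round up to the next multiple of 1000 so the boundary is easy to remember.
    suggested = ((max(ids) // 1000) + 1) * 1000
    return RangeCheck(min(ids), max(ids), overlap, suggested)


def suggest_install_flags(ldif_text, width=DEFAULT_RANGE_WIDTH):
    """Return ipa-server-install flags for a range that cannot collide."""
    result = check_id_range(ldif_text, 0, 0)
    start = result.suggested_start
    return f"--idstart={start} --idmax={start + width - 1}"


if __name__ == "__main__":
    # A plausible but bad choice: the IPA range swallows the service account.
    bad = check_id_range(SAMPLE_LDIF, 60000, 260000)
    print(f"legacy IDs span {bad.legacy_min}..{bad.legacy_max}")
    if bad.overlap:
        print(f"overlap with proposed range: {sorted(bad.overlap)}")
    # Safe choice to pass to ipa-server-install before running migrate-ds.
    print("safe flags:", suggest_install_flags(SAMPLE_LDIF))
    # On an already-installed server the DNA range is adjusted instead with
    # `ipa-replica-manage dnarange-set <master> <start>-<end>` (check the man
    # page for the exact syntax in your IPA version).
```

Run the script against a real `ldapsearch -LLL ... > export.ldif` dump before the first `ipa-server-install`; if `overlap` is non-empty, either move the IPA range or renumber those legacy entries, since migrating them as-is would let IPA later hand the same number to a new account.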
