<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"> <META NAME="Generator" CONTENT="MS Exchange Server version 6.5.6944.0"> <TITLE>RE: [Freeipa-users] Migrate data from OpenLdap to FreeIPA</TITLE> </HEAD> <BODY>  Thanks Rob very much. I will try of course on the test system :) -----Original Message----- From: Rob Crittenden [<A HREF="mailto:rcritten@redhat.com">mailto:rcritten@redhat.com</A>] Sent: Tue 6/30/2009 12:58 AM To: Thu Nguyen Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Migrate data from OpenLdap to FreeIPA Thu Nguyen wrote: > Dear all, > > > > I did use OpenLDAP for our system which used to authenticate all web > services (bugzilla, svn,..) and mail service (dovecot) . Now I would > like to replace it by FreeIPA. Would you please instruct (step-by-step > if possible) how to migrate all data/structures from OpenLDAP to FreeIPA? > We don't currently have instructions on how to do this. Basically what you need to do is: - install freeIPA - get an ldif dump of your OpenLDAP server - remove any unneeded structural and configuration options from the ldif - convert this ldif to the IPA DIT - load the ldif You can see the DIT we use at <A HREF="http://freeipa.org/page/UsingRhdsWithIpa">http://freeipa.org/page/UsingRhdsWithIpa</A> When converting to our DIT you'll also need to ensure that the user entries are set up properly. This means having: - the krbprincipalname attribute set to <uid>@<REALM> - update the objectclass list - set gidnumber to the ipausers group You'll end up with a bunch of users that will work with simple auth but don't have kerberos keys yet so kinit will fail. You'll need to create some mechanism where they authenticate using their user password in order to get kerberos keys. And of course, do this on a test system first to make sure I haven't missed something :-) rob </BODY> </HTML>