Finn Fysj via FreeIPA-users wrote:
>> On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
>>
>> I would actually address this one, not the original question.
>>
>> You are conflating two different actions into one. 'Migrating' from a
>> particular OS version in existing IPA deployment to another one is not a
>> migration, from IPA point of view. In this case, even if you are adding
>> new replicas using an updated OS version, the data in LDAP stays the
>> same and is replicated in its entirety across the topology.
>>
>> When we say that an upgrade to RHEL9 from RHEL7 deployment should be
>> done by adding an intermediary RHEL8 replica, this is the case.
>>
>> In the case where you are using 'ipa migrate-ds', you are creating a
>> totally separate environment which shares no LDAP data directly with the
>> old one. Here you are adding users/groups from the old setup (be that an
>> older IPA deployment or some OpenLDAP setup, or maybe Active Directory,
>> or something else) to the new setup. Only a subset of information is
>> transferred.
>>
>> Coming back to your question, are you passing a bind DN and password to
>> be able to see all information in the old IPA deployment? bind DN
>> defaults to 'cn=Directory Manager', so that one should see all user
>> and group details.
>
> Thank you for your response, Alexander.
>
> I'm indeed creating separate IPA servers, which are NOT intended to be part of
> the "old" one, at least not in a Replica setup.
>
> Yes. This line is being run in Ansible so the DS password is being passed to
> the command, correct.

I'm assuming that Ansible is eating the output of the migration command? Any failures to migrate users/groups would be shown there.

migrate-ds is not a great way to do IPA-to-IPA migration for a number of reasons, mainly because it only migrates users and groups and nothing else. It was designed to help migrate from LDAP-based systems to IPA.

rob
