On 01/17/2014 09:36 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 01/17/2014 07:24 AM, Les Stott wrote: >>> Hi All, >>> >>> Looking for the quickest and easiest way to export users from one >>> freeipa server and install on another. >>> >>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR >>> environment. >>> I am setting up an identical freeipa server in a Production >>> Environment. >>> >>> The two environments will not be configured to talk to each other. >>> They will both have there own replicas. >>> >>> I simply want to export the users and groups I created in freeipa in >>> DR, and import them (preserving details and passwords) into the >>> freeipa server in Production. >>> >>> What is the recommendation? Is there an ipa tool? Or will ldif >>> exports suffice? >>> >>> Thanks in advance, >>> >>> Les >> >> I think the best way would be to use the "ipa migrate-ds" command. It >> should >> work both with stand alone Directory Servers and IPA too. You may >> just need to >> play with --userignoreobjectclass amd userignoreattribute to not migrate >> Kerberos related attributes and objectclasses if for example your >> other DS has >> a different realm. > > Kerberos attributes are already excluded by default. > > You'll need to enable password migration mode on the production IPA > server, ipa config-mod --enable-migration=true > > The first time your migrated production users authenticate with their > password their Kerberos credentials will be generated.
If users authenticate using sssd. ^ > > rob > > _______________________________________________ > Freeipa-users mailing list > [email protected] > https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
