John Bowman via FreeIPA-users wrote:
> What would be the best method to stand up a new IPA environment while
> keeping as much of the existing data as possible?
>
> I've read that the ipa migrate-ds only migrates the users and groups and
> the recommended suggestion is to set up a replica. I'd like to sever
> any ties to the existing environment but not have to start over
> completely from scratch if at all possible. Ideally I would be able to
> just point existing services to the new environment and hopefully
> minimize impact, I'm sure I'd still have plenty of manual changes as
> well, but one can dream.
>
> Basically I'm just running into too many issues with trying to expand
> our existing environment some of which is related to having a mix of IPA
> 3.0 and 4.x I believe and likely some old and recent missteps that make
> me question the stability of our environment.
>
> Any tips/advice would be appreciated.

It wouldn't be as easy as re-pointing. There is no supported way to migrate the Kerberos master key and without that you'd need all users to change passwords, all clients would need to re-enroll and any Kerberized services would need new keytabs.

Some of the data (HBAC, sudo, perhaps a few others) can be migrated as an LDIF (YMMV).

One problem with migrate-ds now is that it makes existing user-private groups into regular groups. This is undesirable for some.

You may be able to pick a master (or install a new one) with a CA and break it off from the pack by breaking the replication agreements to make it standalone. That could be the starting point. This also has some risks and some things to clean up (like DNA ranges) but may be a cleaner way of doing things.

rob