On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
Hi,

When I try to migrate from my RHEL 7 instance to RHEL 9 most of the stuff
seems to work fine.  I needed to set up the new IPA servers by
modifying UID/GID_MAX since in the early versions of the installation
there wasn't a "check" for these attributes. I needed to do this since
the existing IPA server uses UID/GIDs starting from 6000.

Running:
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' \
    --group-container='cn=groups,cn=accounts' ipa.example.com

However, I see that all the users that used to belong to "admins" have
now disappeared, is there a way to avoid this? Or is there any attribute
I should think of while migrating?


PS: I'm aware that the suggested method of migrating is Rhel7 > Rhel8 >
Rhel9, however, it seems to work fine without.

I would actually address this one, not the original question.

You are conflating two different actions into one. 'Migrating' from a
particular OS version in existing IPA deployment to another one is not a
migration, from IPA point of view. In this case, even if you are adding
new replicas using an updated OS version, the data in LDAP stays the
same and is replicated in its entirety across the topology.

When we say that an upgrade to RHEL9 from RHEL7 deployment should be
done by adding an intermediary RHEL8 replica, this is the case.

In the case where you are using 'ipa migrate-ds', you are creating a
totally separate environment which shares no LDAP data directly with the
old one. Here you are adding users/groups from the old setup (be that an
older IPA deployment or some OpenLDAP setup, or maybe Active Directory,
or something else) to the new setup. Only a subset of information is
transferred.

Coming back to your question, are you passing a bind DN and password to
be able to see all information in the old IPA deployment? bind DN
defaults to 'cn=Directory Manager', so that one should see all user
and group details.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland