> On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
>
> I would actually address this one, not the original question.
>
> You are conflating two different actions into one. 'Migrating' from a
> particular OS version in an existing IPA deployment to another one is not a
> migration, from IPA's point of view. In this case, even if you are adding
> new replicas using an updated OS version, the data in LDAP stays the
> same and is replicated in its entirety across the topology.
>
> When we say that an upgrade to RHEL9 from RHEL7 deployment should be
> done by adding an intermediary RHEL8 replica, this is the case.
>
> In the case where you are using 'ipa migrate-ds', you are creating a
> totally separate environment which shares no LDAP data directly with the
> old one. Here you are adding users/groups from the old setup (be that an
> older IPA deployment or some OpenLDAP setup, or maybe Active Directory,
> or something else) to the new setup. Only a subset of information is
> transferred.
>
> Coming back to your question, are you passing a bind DN and password to
> be able to see all information in the old IPA deployment? bind DN
> defaults to 'cn=Directory Manager', so that one should see all user
> and group details.

Thank you for your response, Alexander.

I'm indeed creating separate IPA servers, which are NOT intended to be part of the "old" one, at least not in a replica setup.

Yes. This line is being run in Ansible, so the DS password is being passed to the command, correct.