Michael Kang wrote:
Dear all,

I got an LDIF file which is exported from Fedora 389 Directory Server. I want to import those user info into FreeIPA. What should I do? I just need the group, username and passwd information which is exported from another Fedora 389 Directory Server.

You won't be able to import it without some changes. You'll need to match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin with. You'll probably want to update the objectclasses in each user entry as well to include: top, organizationalperson, inetorgperson, inetuser, posixaccount and krbprincipalaux.

You'll need to set krbprincipalname to u...@realm in each user entry.

The existing userPassword entry can be imported but you won't have usable Kerberos credentials (it will probably generate keys but it will use the pre-hashed password so the keys will be unusable).

As you can see, directly importing the LDIF would be quite a bit of work.

As far as I considered, I need to write a shell script to read user name from LDIF file and use ipa-useradd command to achieve my goal.

This is probably a better way, you'll just need to set a password on each user. The first time the user logs in they will need to reset the password (so only they know it).

FreeIPA also uses 389 ds. Can I use 389-console Java platform to manage FreeIPA?

This is not recommended. Someone figured out how to do this at one point and posted instructions to either freeipa-devel or freeipa-users, I can't recall at this point.

It isn't recommended because you can easily create users outside of the IPA DIT, create non-posix users, etc. It will probably end up causing more problems in the long-run. We recommend using the IPA tools.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
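
The entry changes listed in the reply above (the added objectclasses, krbprincipalname, and the caveat about pre-hashed userPassword values), as an added Python example that is not part of the original thread. The realm EXAMPLE.COM, the sample LDIF and the function names are constructed for illustration; moving entries into the IPA DIT is not covered.

```python
import base64
REALM = "EXAMPLE.COM"  # assumption: placeholder realm, not from the thread
REQUIRED_OC = "top organizationalperson inetorgperson inetuser posixaccount krbprincipalaux".split()
_PW = base64.b64encode(b"{SSHA}constructed-hash").decode()
SAMPLE_LDIF = f"""# constructed sample export, not real data
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: jdoe
cn: John
  Doe
userPassword:: {_PW}

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: staff
"""

def parse_ldif(text):
    """Parse LDIF into dicts of lowercased attribute -> list of values."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
        elif not raw and lines:               # blank line closes the entry
            entry = {}
            for line in lines:
                attr, _, value = line.partition(":")
                if value.startswith(":"):     # "attr:: <base64>"
                    value = base64.b64decode(value[1:]).decode()
                entry.setdefault(attr.lower(), []).append(value.strip())
            entries.append(entry)
            lines = []
    return entries

def convert_users(text, realm=REALM):
    """Return (rewritten user entries, uids that need a password reset)."""
    users, resets = [], []
    for entry in filter(lambda e: "uid" in e, parse_ldif(text)):  # users only
        uid, ocs = entry["uid"][0], entry.get("objectclass", [])
        have = {oc.lower() for oc in ocs}
        entry["objectclass"] = ocs + [o for o in REQUIRED_OC if o not in have]
        entry["krbprincipalname"] = [f"{uid}@{realm}"]
        if "userpassword" in entry:           # hash imports, Kerberos keys won't work
            resets.append(uid)
        users.append(entry)
    return users, resets
```

The `resets` list is the set of accounts whose imported hash cannot produce usable Kerberos keys, so each needs a new password set before the user can authenticate.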