Brian LaMere wrote:
I have a multimaster 389-ds installation, and am considering migrating to ipa-server. seems to be pretty clear that I'm out of luck, and that I need to do a completely clean install. Am I reading that correctly?

That's right. We have to configure a whole slew of services to work in concert, so using an existing install would be extremely difficult at best, even if the DIT were the same.

Secondly, is multi-master on ipa as easy as it was for 389-ds?

Yes, if not easier. It is just 389-ds under the hood; we have some simple management tools that create the agreements for you. Since we use our own CA, SSL is easy as well.

What I would recommend is to set up a test IPA instance to get a feel for how the data is stored, see how migrating users and groups would work, etc. If you want to get really fancy you can add a master or two to the mix.

Depending on your configuration the data migration should be relatively straightforward, but know that the IPA DIT is completely flat. All users are in one container, groups in another, etc. Once the migration is done, there is a simple form to set up user Kerberos keys; then you should be off to the races. The basic idea is that you authenticate using your migrated LDAP password and this will automatically generate a Kerberos key for the user.
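The flat-DIT point above is the part of the migration that bites people with a nested 389-ds tree: two entries that coexisted under different OUs can map to the same RDN once everything lands in one container. The script below is an added example, not code from this thread or from IPA's own migration tooling. It takes an LDIF export of a nested tree, rewrites every user into cn=users,cn=accounts and every group into cn=groups,cn=accounts under an assumed suffix (dc=example,dc=com), rewrites group member DNs to match, and reports RDN collisions and dangling memberships instead of silently producing a broken import. The userPassword values are carried over untouched, since that migrated password is what the user authenticates with once to get a Kerberos key generated. The sample LDIF, including the deliberate uid collision, is constructed for this example; the parser handles only plain `attr: value` lines and folded continuation lines, not base64 (`::`) values.

```python
import re
from typing import Dict, List, Tuple

# Assumptions for this example: the IPA base DN, and the flat IPA containers
# users and groups are stored in (cn=users,cn=accounts / cn=groups,cn=accounts).
IPA_SUFFIX = "dc=example,dc=com"
USER_CONTAINER = "cn=users,cn=accounts," + IPA_SUFFIX
GROUP_CONTAINER = "cn=groups,cn=accounts," + IPA_SUFFIX

USER_CLASSES = {"inetorgperson", "posixaccount"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "posixgroup"}
MEMBER_ATTRS = ("member", "uniquemember")

# Constructed sample export: a nested 389-ds tree with per-department OUs and a
# uid that is unique per OU but collides once the tree is flattened.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=engineering,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 1001
userPassword: {SSHA}c29tZS1oYXNo

dn: uid=jdoe,ou=sales,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
userPassword: {SSHA}YW5vdGhlci1oYXNo

dn: uid=asmith,ou=sales,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn: Alice Smith
sn: Smith
userPassword: {SSHA}dGhpcmQtaGFzaA==

dn: cn=sales-team,ou=sales,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: sales-team
member: uid=jdoe,ou=sales,ou=people,dc=example,dc=com
member: uid=asmith,ou=sales,ou=people,dc=example,dc=com
"""

Entry = Tuple[str, Dict[str, List[str]]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded lines (leading space) unwrapped. Attribute names are lowercased;
    base64 ('::') values are not handled (assumption for this example)."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def classify(attrs: Dict[str, List[str]]) -> str:
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if classes & USER_CLASSES:
        return "user"
    if classes & GROUP_CLASSES:
        return "group"
    return "other"


def flatten(entries: List[Entry]):
    """Map users to uid=<uid>,<USER_CONTAINER> and groups to cn=<cn>,<GROUP_CONTAINER>.
    Returns (kept_entries, collisions, unresolved_members). The first entry to
    claim a flat DN wins; later ones are reported as collisions rather than
    overwriting it, and member DNs that cannot be mapped are reported and dropped."""
    dn_map: Dict[str, str] = {}   # old dn (lowercased) -> new flat dn
    taken: Dict[str, str] = {}    # new dn (lowercased) -> old dn that claimed it
    collisions, kept = [], []
    for dn, attrs in entries:
        kind = classify(attrs)
        if kind == "user":
            new_dn = f"uid={attrs['uid'][0]},{USER_CONTAINER}"
        elif kind == "group":
            new_dn = f"cn={attrs['cn'][0]},{GROUP_CONTAINER}"
        else:
            continue  # OUs and other structural entries have no place in the flat DIT
        key = new_dn.lower()
        if key in taken:
            collisions.append((dn, taken[key], new_dn))
            continue
        taken[key] = dn
        dn_map[dn.lower()] = new_dn
        kept.append((new_dn, attrs))

    unresolved, result = [], []
    for new_dn, attrs in kept:
        attrs = {k: list(v) for k, v in attrs.items()}
        for attr in MEMBER_ATTRS:
            if attr not in attrs:
                continue
            resolved = []
            for member in attrs[attr]:
                target = dn_map.get(member.lower())
                if target is None:
                    unresolved.append((new_dn, member))
                else:
                    resolved.append(target)
            attrs[attr] = resolved
        result.append((new_dn, attrs))
    return result, collisions, unresolved


def to_ldif(entries: List[Entry]) -> str:
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        for name, values in attrs.items():
            out.extend(f"{name}: {v}" for v in values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    kept, collisions, unresolved = flatten(parse_ldif(SAMPLE_LDIF))
    print(to_ldif(kept))
    for old, winner, new in collisions:
        print(f"# COLLISION: {old} -> {new} already claimed by {winner}")
    for group, member in unresolved:
        print(f"# UNRESOLVED: {group} member {member} dropped")
```

Run it against a real `db2ldif` export and resolve every reported collision by hand before importing; the point of keeping the first claimant and refusing the second is that a flat container has no way to tell two `jdoe` accounts apart, so the decision about which one keeps the name should be made by a person, not by import order.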