On 04/30/2012 05:06 PM, David Copperfield wrote:
> Hi folks,
>
>  We have quite a bunch of netgroups which are hosted on openldap
> server presently, and now it is time to migrate them into freeIPA. The
> NIS triples are in the format:
>
>  (-, username, - )
>
> or
>
>  (hostname001, - , - )
>
> And these openldap netgroups are used for variable purposes, host
> listing for ssh/gssh, access control, sudoers, etc.
>
> So after user accounts and groups are migrated, netgroups needs to be
> migrated too for openldap/IPA migration/cutover. There is no Redhat
> documents on this part though. Has any one tried netgroup migration
> before?  Or we have to input by hand into IPA (host, hostgroup,
> user-group) and replace netgroup with hostgroup(which will create
> respective netgroups in the background), and replace NIS user groups
> and real posix user groups?
>
> Please advice. Thanks a lot.
>
> --David
>  
We do not provide migration script for netgroups however it is very
simple to create a script that would recreate netgroups using IPA
command line.
The reason why we do not do netgroup migration automatically is because
it is a good time to reconsider now netgroups are used in your environment.
For example if you use netgroups to group hosts we recommend you
creating a host group for those hosts. Each host group by default has an
automatically created netgroup with the same name. This can be turned
off but out of box every host group creates a netgroup.
If you use netgroups for users consider switching to user groups rather
than using netgroups for users. Using user groups is more flexible and
preferred method.

Also see chapter 7. It has examples of the scripts that can help you to
migrate netgroups.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to