On Jan 22, 2013, at 5:15 PM, Dmitri Pal <d...@redhat.com> wrote:
> Which LDAP method exactly?
> LDIF dump and load? This would not work well unless you also manage to move 
> certs and Kerberos master key over, which is really hard.

I was assuming the ipa migrate-ds.

>> Thoughts?  I don't anticipate moving any hardware that's enrolled from site 
>> to site, so certs & the like shouldn't be a factor.
> If, instead of dump and load, you install a new IPA server, it will not 
> have any old data and will have new certs and Kerberos keys.
> You would have to re-enroll all your clients once again. Users would have to 
> deal with the password change after you read in users using ipa migrate-ds.
> Other information also would have to be precreated using ipa commands but this 
> can be scripted by taking an LDIF and creating a series of ipa commands to 
> add data into the new instance.

I intend to re-enroll all clients.  Only clients in the new site will be in the 

Most of my users (25 users) use Linux, and sssd will take care of most of the 
Kerberos hashes.  The rest - 10-15 users - can be told to log in to the migrate 
LDAP page, later on in the migration.

We've got very little other information in IPA, so it's not a huge issue.

I thought this might be easier than trying to clean up old crud, and moving the 
master IPA server.  There doesn't seem to be a very good process for moving all 
the components to a new master easily.
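
Added example, not part of the original thread and not FreeIPA project code: one way to script the "take an LDIF and create a series of ipa commands" step from the quoted reply, shown for host groups. It assumes the export marks host groups with the `ipahostgroup` object class and emits `ipa hostgroup-add` lines; the sample LDIF, its DNs and the helper names are constructed for illustration. Every value is shell-quoted because LDIF content is untrusted input once it ends up in a script.

```python
import base64
import shlex

# Constructed sample LDIF (not from the thread): one folded value and one
# base64 value that contains shell metacharacters.
_B64 = base64.b64encode(b"DB hosts; $(hostname)").decode()
SAMPLE_LDIF = f"""\
dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: webservers
description: Front-end web servers for the
  old site

dn: cn=db,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: db
description:: {_B64}
"""

def _to_entry(lines):
    """Turn the unfolded lines of one record into {attr_lower: [values]}."""
    entry = {}
    for line in lines:
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def parse_ldif(text):
    """Parse LDIF text: unfold continuation lines, skip comments, split records."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a leading space marks a folded line
        elif raw == "":
            if lines:
                entries.append(_to_entry(lines))
            lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries

def hostgroup_commands(entries):
    """Emit one shell-quoted 'ipa hostgroup-add' line per host group entry."""
    cmds = []
    for e in entries:
        if "ipahostgroup" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        cmd = ["ipa", "hostgroup-add", e["cn"][0]]
        if e.get("description"):
            cmd.append("--desc=" + e["description"][0])
        cmds.append(" ".join(shlex.quote(a) for a in cmd))
    return cmds
```

Review the generated lines before running them against the new server; group membership is left out here because the hosts do not exist until the clients are re-enrolled.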


Freeipa-users mailing list
