On 01/22/2013 06:28 PM, Matthew Barr wrote:
> On Jan 22, 2013, at 5:15 PM, Dmitri Pal <d...@redhat.com> wrote:
>> Which LDAP method exactly?
>> LDIF dump and load? This would not work well unless you also manage to move
>> certs and kerberos master key over, which is really hard.
> I was assuming the ipa migrate-ds.    
>>> Thoughts?  I don't anticipate moving any hardware that's enrolled from site 
>>> to site, so certs & the like shouldn't be a factor.
>> If instead of dump and load you install a new IPA server, it will
>> not have any old data and will have new certs and kerberos keys.
>> You would have to re-enroll all your clients once again. Users would have to 
>> deal with the password change after you read in users using ipa migrate-ds.
>> Other information also would have to be precreated using ipa commands but this
>> can be scripted by taking an LDIF and creating a series of ipa commands to 
>> add data into the new instance.
> I intend to re-enroll all clients.  Only clients in the new site will be in 
> the system.  
> Most of my users (25 users) use Linux, and sssd will take care of most of the
> kerberos hashes.  The rest - 10-15 users - can be told to log in to the
> migrate LDAP page, later on in the migration.
> We've got very little other information in IPA, so it's not a huge issue.
> I thought this might be easier than trying to clean up old crud, and moving 
> the master IPA server.  There doesn't seem to be a very good process for 
> moving all the components to a new master easily.
> Thanks!
You are correct. There is no good process to move data over but it seems
that you thought through things very well.
You described the same sequence as I would recommend at the moment to
anyone who wants to move from one IPA instance into a completely new one.

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
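
The scripting step mentioned in the thread (taking an LDIF and creating a series of ipa commands) could look like the following. This is an added example, not part of the original message or the FreeIPA project's code. It covers host groups only; the suffix dc=example,dc=com, the entry names and the sample LDIF are constructed assumptions.

```python
import base64
import shlex

# Constructed sample LDIF: two host group entries (suffix and names are assumptions).
SAMPLE_LDIF = """\
dn: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: webservers
description: Front-end web
  servers; prod
member: fqdn=web1.example.com,cn=computers,cn=accounts,dc=example,dc=com

# second entry carries a base64-encoded description
dn: cn=db,cn=hostgroups,cn=accounts,dc=example,dc=com
objectClass: ipahostgroup
cn: db
description:: REIgaG9zdHMgJChpZCk=
"""

def parse_ldif(text):
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold lines, split records
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, val = line.partition(":")
            if val.startswith(":"):          # "attr:: value" is base64-encoded
                val = base64.b64decode(val[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def hostgroup_commands(entries):  # LDIF values are untrusted input: shell-quote them
    quote = lambda args: " ".join(shlex.quote(a) for a in args)
    cmds = []
    for e in entries:
        if "ipahostgroup" not in (c.lower() for c in e.get("objectclass", [])):
            continue
        name = e["cn"][0]
        desc = ["--desc=" + e["description"][0]] if e.get("description") else []
        cmds.append(quote(["ipa", "hostgroup-add", name] + desc))
        for dn in e.get("member", []):       # run these after the hosts are re-enrolled
            key, _, host = dn.split(",", 1)[0].partition("=")
            if key.lower() == "fqdn":
                cmds.append(quote(["ipa", "hostgroup-add-member", name, "--hosts=" + host]))
    return cmds

print("\n".join(hostgroup_commands(parse_ldif(SAMPLE_LDIF))))
```

Review the generated commands before running them against the new instance; the quoting keeps descriptions containing shell metacharacters from being interpreted by the shell.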
