On 01/22/2013 06:28 PM, Matthew Barr wrote:
> On Jan 22, 2013, at 5:15 PM, Dmitri Pal <d...@redhat.com> wrote:
>> Which LDAP method exactly?
>> ldif dump and load? This would not work well unless you also manage to move
>> certs and kerberos master key over which is really hard.
> I was assuming the ipa migrate-ds.
>>> Thoughts? I don't anticipate moving any hardware that's enrolled from site
>>> to site, so certs & the like shouldn't be a factor.
>> If, instead of dump and load, you install a new IPA server, it will
>> not have any old data and will have new certs and kerberos keys.
>> You would have to re-enroll all your clients once again. Users would have to
>> deal with the password change after you read in users using ipa migrate-ds.
>> Other information also would have to be precreated using ipa commands but this
>> can be scripted by taking an LDIF and creating a series of ipa commands to
>> add data into the new instance.
> I intend to re-enroll all clients. Only clients in the new site will be in
> the system.
> Most of my users (25 users) use Linux, and sssd will take care of most of the
> kerberos hashes. The rest - 10-15 users - can be told to log in to the
> migrate LDAP page, later on in the migration.
> We've got very little other information in IPA, so it's not a huge issue.
> I thought this might be easier than trying to clean up old crud, and moving
> the master IPA server. There doesn't seem to be a very good process for
> moving all the components to a new master easily.
You are correct. There is no good process to move data over but it seems
that you thought through things very well.
You described the same sequence as I would recommend at the moment to
anyone who wants to move from one IPA instance into a completely new one.
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
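
The "take an LDIF and create a series of ipa commands" step mentioned in the thread, sketched as an added example that is not from either poster or from the FreeIPA project. It assumes HBAC rules are among the "other information" to recreate (the thread does not say which data is meant), uses a constructed sample export, and relies on the `ipahbacrule` attribute names and the `ipa hbacrule-add` / `ipa hbacrule-add-user` options as found in FreeIPA; confirm them with `ipa help hbacrule` on the target version.

```python
import base64
import shlex

# Constructed sample export: two HBAC rules, one folded value, one base64 value.
SAMPLE_LDIF = f"""dn: ipaUniqueID=aaaa-1111,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
cn: allow_ops
description: Ops team; all
  hosts
hostCategory: all
memberUser: cn=ops,cn=groups,cn=accounts,dc=example,dc=com
memberUser: uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: ipaUniqueID=bbbb-2222,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
cn:: {base64.b64encode(b'dev rule; test').decode()}
userCategory: all
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts (assumes LF line ends)."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold lines, then split entries
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, val = line.partition(":")
            val = base64.b64decode(val[1:]).decode() if val.startswith(":") else val.strip()
            entry.setdefault(attr.lower(), []).append(val)
        if entry:
            entries.append(entry)
    return entries

def hbac_commands(entries):
    """Build shell-quoted ipa commands that recreate each HBAC rule and its user members."""
    cats = {"usercategory": "--usercat", "hostcategory": "--hostcat", "servicecategory": "--servicecat"}
    rules = [e for e in entries if "ipahbacrule" in map(str.lower, e.get("objectclass", []))]
    cmds = []
    for e in rules:
        name = e["cn"][0]
        add = ["ipa", "hbacrule-add", name]
        add += ["--desc=" + d for d in e.get("description", [])[:1]]
        add += [f"{flag}={e[attr][0]}" for attr, flag in cats.items() if attr in e]
        cmds.append(shlex.join(add))  # quoting keeps LDIF values from being parsed as shell
        for dn in e.get("memberuser", []):
            flag = "--groups" if ",cn=groups," in dn.lower() else "--users"
            member = dn.split(",", 1)[0].split("=", 1)[1]  # first RDN value, no escaped commas
            cmds.append(shlex.join(["ipa", "hbacrule-add-user", name, f"{flag}={member}"]))
    return cmds
```

Review the generated commands before running them on the new server, and run them only after `ipa migrate-ds` has created the users and groups the rules refer to.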