Martin Kosek wrote:
On 01/17/2014 07:24 AM, Les Stott wrote:
Hi All,

Looking for the quickest and easiest way to export users from one freeipa 
server and install on another.

I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
I am setting up an identical freeipa server in a Production Environment.

The two environments will not be configured to talk to each other. They will 
both have their own replicas.

I simply want to export the users and groups I created in freeipa in DR, and 
import them (preserving details and passwords) into the freeipa server in 

What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?

Thanks in advance,


I think the best way would be to use the "ipa migrate-ds" command. It should
work both with stand alone Directory Servers and IPA too. You may just need to
play with --userignoreobjectclass and userignoreattribute to not migrate
Kerberos related attributes and objectclasses if for example your other DS has
a different realm.

Kerberos attributes are already excluded by default.

You'll need to enable password migration mode on the production IPA server: ipa config-mod --enable-migration=true

The first time your migrated production users authenticate with their password, their Kerberos credentials will be generated.


Freeipa-users mailing list