On 01/17/2014 09:36 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>> Hi All,
>>> Looking for the quickest and easiest way to export users from one
>>> freeipa server and install on another.
>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR
>>> I am setting up an identical freeipa server in a Production
>>> The two environments will not be configured to talk to each other.
>>> They will both have their own replicas.
>>> I simply want to export the users and groups I created in freeipa in
>>> DR, and import them (preserving details and passwords) into the
>>> freeipa server in Production.
>>> What is the recommendation? Is there an ipa tool? Or will ldif
>>> exports suffice?
>>> Thanks in advance,
>> I think the best way would be to use the "ipa migrate-ds" command. It
>> works both with stand alone Directory Servers and IPA too. You may
>> just need to play with --userignoreobjectclass and userignoreattribute
>> to not migrate Kerberos related attributes and objectclasses if for
>> example your other DS has a different realm.
> Kerberos attributes are already excluded by default.
> You'll need to enable password migration mode on the production IPA
> server, ipa config-mod --enable-migration=true
> The first time your migrated production users authenticate with their
> password their Kerberos credentials will be generated.
If users authenticate using sssd. ^
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.