On 01/17/2014 03:58 PM, Dmitri Pal wrote:
> On 01/17/2014 09:36 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>>> Hi All,
>>>>
>>>> Looking for the quickest and easiest way to export users from one
>>>> freeipa server and install on another.
>>>>
>>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR
>>>> environment.
>>>> I am setting up an identical freeipa server in a Production
>>>> Environment.
>>>>
>>>> The two environments will not be configured to talk to each other.
>>>> They will both have their own replicas.
>>>>
>>>> I simply want to export the users and groups I created in freeipa in
>>>> DR, and import them (preserving details and passwords) into the
>>>> freeipa server in Production.
>>>>
>>>> What is the recommendation? Is there an ipa tool? Or will ldif
>>>> exports suffice?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Les
>>>
>>> I think the best way would be to use the "ipa migrate-ds" command. It
>>> should work both with stand alone Directory Servers and IPA too. You may
>>> just need to play with --userignoreobjectclass and userignoreattribute
>>> to not migrate Kerberos related attributes and objectclasses if for
>>> example your other DS has a different realm.
>>
>> Kerberos attributes are already excluded by default.
>>
>> You'll need to enable password migration mode on the production IPA
>> server, ipa config-mod --enable-migration=true
>>
>> The first time your migrated production users authenticate with their
>> password their Kerberos credentials will be generated.
>
> If users authenticate using sssd.

^
If they do not use SSSD, they can also use a special page for password
migration:

https://ipa.example.com/ipa/migration/

Martin