On 01/17/2014 03:58 PM, Dmitri Pal wrote:
> On 01/17/2014 09:36 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>>> Hi All,
>>>> Looking for the quickest and easiest way to export users from one
>>>> freeipa server and install on another.
>>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR
>>>> environment.
>>>> I am setting up an identical freeipa server in a Production
>>>> Environment.
>>>> The two environments will not be configured to talk to each other.
>>>> They will both have there own replicas.
>>>> I simply want to export the users and groups I created in freeipa in
>>>> DR, and import them (preserving details and passwords) into the
>>>> freeipa server in Production.
>>>> What is the recommendation? Is there an ipa tool? Or will ldif
>>>> exports suffice?
>>>> Thanks in advance,
>>>> Les
>>> I think the best way would be to use the "ipa migrate-ds" command. It
>>> should
>>> work both with stand alone Directory Servers and IPA too. You may
>>> just need to
>>> play with --userignoreobjectclass amd userignoreattribute to not migrate
>>> Kerberos related attributes and objectclasses if for example your
>>> other DS has
>>> a different realm.
>> Kerberos attributes are already excluded by default.
>> You'll need to enable password migration mode on the production IPA
>> server, ipa config-mod --enable-migration=true
>> The first time your migrated production users authenticate with their
>> password their Kerberos credentials will be generated.
> If users authenticate using sssd. ^

If they do not use SSSD, they can also use a special page for password 



Freeipa-users mailing list

Reply via email to