Thanks Martin.

ipa migrate-ds worked a treat. I'll get users to log in to an ipa client so that 
it generates the Kerberos hash (like I had to originally).

For reference I did have to specify the correct containers for users and 

ipa migrate-ds --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts --with-compat

I still would like a way to dump users out to a file, for backup purposes, such 
as an ldif file. If anyone has a script to do that I'd appreciate it.



-----Original Message-----
From: Martin Kosek
Sent: Friday, 17 January 2014 6:46 PM
To: Les Stott;
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

On 01/17/2014 07:24 AM, Les Stott wrote:
> Hi All,
> Looking for the quickest and easiest way to export users from one freeipa 
> server and install on another.
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
> I am setting up an identical freeipa server in a Production Environment.
> The two environments will not be configured to talk to each other. They will 
> both have their own replicas.
> I simply want to export the users and groups I created in freeipa in DR, and 
> import them (preserving details and passwords) into the freeipa server in 
> Production.
> What is the recommendation? Is there an ipa tool? Or will ldif exports 
> suffice?
> Thanks in advance,
> Les

I think the best way would be to use the "ipa migrate-ds" command. It should 
work both with stand alone Directory Servers and IPA too. You may just need to 
play with --userignoreobjectclass and userignoreattribute to not migrate 
Kerberos related attributes and objectclasses if for example your other DS has 
a different realm.
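
The idea Martin describes above, leaving out Kerberos-related attributes and objectclasses when the realm differs, shown on an LDIF export as an added example (it is not part of the original thread and is not how ipa migrate-ds is implemented). The `krb` prefix rule, the function names and the sample entry are assumptions constructed for illustration.

```python
import base64

KRB_PREFIX = "krb"  # assumption: Kerberos schema names all start with "krb"

# Constructed sample entry (not from the thread); one value is folded, one base64.
SAMPLE = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=dr,dc=example,dc=test
objectClass: inetorgperson
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass:: a3JidGlja2V0cG9saWN5YXV4
uid: jdoe
cn: John Doe
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
krbPrincipalName: jdoe@DR.EXAMPLE.TEST
krbPrincipalKey:: Y29uc3RydWN0ZWQta2V5LWJs
 b2I=
krbLastPwdChange: 20140117064600Z
"""

def unfold(ldif_text):
    """Join RFC 2849 folded lines (a continuation starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def value_of(rest):
    """Decode the part after 'attr:'; a second ':' marks a base64 value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return rest.strip()

def strip_kerberos(ldif_text):
    """Return (filtered LDIF, dropped names) without krb* attributes/objectclasses."""
    kept, dropped = [], []
    for line in unfold(ldif_text):
        name, _, rest = line.partition(":")
        attr = name.split(";")[0].lower()  # ignore options such as ;binary
        if attr.startswith(KRB_PREFIX):
            dropped.append(name)
        elif attr == "objectclass" and value_of(rest).lower().startswith(KRB_PREFIX):
            dropped.append(value_of(rest))
        else:
            kept.append(line)  # dn, blank separators and comments pass through
    return "\n".join(kept) + "\n", dropped
```

The filtered output still contains the `userPassword` hash, so an LDIF file kept as a backup should be readable only by the account that performs the backup.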

