Ipa migrate-ds worked a treat. I'll get users to login to an ipa client so that
it generates the Kerberos hash (like I had to originally)
For reference I did have to specify the correct containers for users and
ipa migrate-ds --user-container=cn=users,cn=accounts
I still would like a way to dump users out to a file, for backup purposes, such
as an ldif file. If anyone has a script to do that I'd appreciate it.
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, 17 January 2014 6:46 PM
To: Les Stott; email@example.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 07:24 AM, Les Stott wrote:
> Hi All,
> Looking for the quickest and easiest way to export users from one freeipa
> server and install on another.
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
> I am setting up an identical freeipa server in a Production Environment.
> The two environments will not be configured to talk to each other. They will
> both have there own replicas.
> I simply want to export the users and groups I created in freeipa in DR, and
> import them (preserving details and passwords) into the freeipa server in
> What is the recommendation? Is there an ipa tool? Or will ldif exports
> Thanks in advance,
I think the best way would be to use the "ipa migrate-ds" command. It should
work both with stand alone Directory Servers and IPA too. You may just need to
play with --userignoreobjectclass amd userignoreattribute to not migrate
Kerberos related attributes and objectclasses if for example your other DS has
a different realm.
Freeipa-users mailing list