On 01/20/2014 09:51 AM, Les Stott wrote:
Thanks Martin.

Ipa migrate-ds worked a treat. I'll get users to login to an ipa client so that 
it generates the Kerberos hash (like I had to originally)

For reference I did have to specify the correct containers for users and 

ipa migrate-ds --user-container=cn=users,cn=accounts 
--group-container=cn=groups,cn=accounts --with-compat 

I still would like a way to dump users out to a file, for backup purposes, such 
as an ldif file. If anyone has a script to do that I'd appreciate it.
Please refer to this link - http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html#Exporting_Data-Exporting_to_LDIF_from_the_Command_Line

-Sankar R



-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, 17 January 2014 6:46 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

On 01/17/2014 07:24 AM, Les Stott wrote:
Hi All,

Looking for the quickest and easiest way to export users from one freeipa 
server and install on another.

I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
I am setting up an identical freeipa server in a Production Environment.

The two environments will not be configured to talk to each other. They will 
both have there own replicas.

I simply want to export the users and groups I created in freeipa in DR, and 
import them (preserving details and passwords) into the freeipa server in 

What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?

Thanks in advance,

I think the best way would be to use the "ipa migrate-ds" command. It should 
work both with stand alone Directory Servers and IPA too. You may just need to play with 
--userignoreobjectclass amd userignoreattribute to not migrate Kerberos related 
attributes and objectclasses if for example your other DS has a different realm.


Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to