On 01/20/2014 09:51 AM, Les Stott wrote:
Thanks Martin.

ipa migrate-ds worked a treat. I'll get users to log in to an ipa client so that 
it generates the Kerberos hash (like I had to originally).

For reference I did have to specify the correct containers for users and 
groups...

ipa migrate-ds --user-container=cn=users,cn=accounts \
    --group-container=cn=groups,cn=accounts --with-compat \
    ldap://dr-ipa.mydomain.com:389

I still would like a way to dump users out to a file, for backup purposes, such 
as an ldif file. If anyone has a script to do that I'd appreciate it.

Please refer to this link - http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html#Exporting_Data-Exporting_to_LDIF_from_the_Command_Line

Thanks,
-Sankar R


Regards,

Les


-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, 17 January 2014 6:46 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

On 01/17/2014 07:24 AM, Les Stott wrote:
Hi All,

Looking for the quickest and easiest way to export users from one freeipa 
server and install on another.

I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment.
I am setting up an identical freeipa server in a Production Environment.

The two environments will not be configured to talk to each other. They will 
both have their own replicas.

I simply want to export the users and groups I created in freeipa in DR, and 
import them (preserving details and passwords) into the freeipa server in 
Production.

What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?

Thanks in advance,

Les

I think the best way would be to use the "ipa migrate-ds" command. It should 
work both with stand alone Directory Servers and IPA too. You may just need to play with 
--userignoreobjectclass and userignoreattribute to not migrate Kerberos related 
attributes and objectclasses if for example your other DS has a different realm.

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
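
Added example, not part of the original thread or of FreeIPA: a Python filter that removes Kerberos attributes and objectclasses from an LDIF export, the same kind of filtering Martin describes for a target with a different realm. The ignore lists and the sample entries are assumptions constructed for illustration; the cleaned file still carries userPassword hashes, so it needs the same protection as the directory itself.

```python
# Constructed sample export; every value is a placeholder, not real data.
SAMPLE = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetorgperson
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
uid: jdoe
userPassword:: Q09OU1RSVUNURUQ=
krbPrincipalName: jdoe@DR.EXAMPLE.COM
krbPrincipalKey:: Q09OU1RS
 VUNURUQ=
krbLastPwdChange: 20140117000000Z

dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
objectClass: groupofnames
cn: admins
"""

# Assumed ignore lists (FreeIPA-style Kerberos schema names); adjust to your schema.
IGNORE_ATTR_PREFIXES = ("krb",)
IGNORE_OBJECTCLASSES = {"krbprincipalaux", "krbticketpolicyaux"}

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def strip_kerberos(ldif_text):
    """Return (cleaned_ldif, removed): removed counts dropped values per attribute."""
    out, removed = [], {}
    for line in unfold(ldif_text):
        name, sep, rest = line.partition(":")
        attr = name.split(";")[0].lower()        # drop options such as ;binary
        value = rest.lstrip(":< ").strip().lower()
        krb_class = attr == "objectclass" and value in IGNORE_OBJECTCLASSES
        if sep and not line.startswith("#") and (attr.startswith(IGNORE_ATTR_PREFIXES) or krb_class):
            removed[attr] = removed.get(attr, 0) + 1
            continue
        out.append(line)                         # keep everything else verbatim
    return "\n".join(out) + "\n", removed

if __name__ == "__main__":
    cleaned, removed = strip_kerberos(SAMPLE)
    print(cleaned, removed, sep="\n")
```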
