Hi Martin and Tamas

My source was a different one, i found a hint in a ipa python file!

Luckily I documented what we did in our internal wiki. I have found the
following section:

Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0


> kinit admin

> ipa config-mod --enable-migration=TRUE

> ipa-compat-manage disable

> ipactl restart

The migration function uses the script

/usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains

some useful comments, including the parameters for an IPA to IPA migration!

> ipa migrate-ds --group-overwrite-gid

--user-container='cn=users,cn=accounts'

--group-container='cn=groups,cn=accounts' ldap://<url of old FreeIPA

server>:389

> ipa-compat-manage enable

> ipactl restart

This copies all the users, and the groups - other than admin. This means

that users that were members of the admins group on the old instance will

not be added to admins group on the new instance. They must be readded,

either via the Web UI, or CLI:

> su - admin,

> ipa group-add-member admins --users=bilbo


Note that at the time we makng things up as we went along, so very possibly
this was not the best way 8-) but it worked for us.

Chris




From:   Martin Kosek <mko...@redhat.com>
To:     Christopher Lamb/Switzerland/IBM@IBMCH, Tamas Papp
            <tom...@martos.bme.hu>
Cc:     freeipa-users@redhat.com
Date:   10.06.2015 15:35
Subject:        Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not
            migrated?



On 06/10/2015 03:32 PM, Christopher Lamb wrote:
> Hi Tamas
>
> I think the general advice is to replicate rather than to migrate. I am
> sure Martin K will jump in on this.

Yes :-)

> However some weeks ago, when doing a very similar move to yours, we chose
> to migrate (we were misled by some very old FreeIPA docus that have since
> been archived).
>
> In our case passwords were successfully migrated, so the users were able
to
> use the same user / password combo as before.
>
>
> I will see if I can dig out the migrate command we used at the time.

Did you use the migration command advised in
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA

?

>
> Chris
>
>
>
> From:          Tamas Papp <tom...@martos.bme.hu>
> To:            freeipa-users@redhat.com
> Date:          10.06.2015 15:19
> Subject:               [Freeipa-users] migrating 3.0 -> 4.1: passwords not
migrated?
> Sent by:               freeipa-users-boun...@redhat.com
>
>
>
> hi,
>
> Currently there are CentOS 6.5 servers and IPA 3.0.
>
> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>
> This is the command I use:
>
>
> $ ipa migrate-ds ldap://ipa11
> --user-container=cn=users,cn=accounts,dc=foo
> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo
> --with-compat < ~/.pw.manager
>
>
> Users are migrated successfully but password must be reset, otherwise
> they cannot logon. Any idea, what's going on?
>
>
>
>
> I also have a bonus question.
> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
> export/import it as ldif and that's all?
>
>
> Thanks,
> tamas
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>
>
>





-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to