Hi Martin and Tamas

My source was a different one, I found a hint in an ipa python file!

Luckily I documented what we did in our internal wiki. I have found the following section:

Migration from FreeIPA 3.0.0 to FreeIPA 4.1.0

  > kinit admin
  > ipa config-mod --enable-migration=TRUE
  > ipa-compat-manage disable
  > ipactl restart

The migration function uses the script /usr/lib/python2.7/site-packages/ipalib/plugins/migration.py. This contains some useful comments, including the parameters for an IPA to IPA migration!

  > ipa migrate-ds --group-overwrite-gid --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ldap://<url of old FreeIPA server>:389
  > ipa-compat-manage enable
  > ipactl restart

This copies all the users, and the groups - other than admin. This means that users that were members of the admins group on the old instance will not be added to admins group on the new instance. They must be re-added, either via the Web UI, or CLI:

  > su - admin
  > ipa group-add-member admins --users=bilbo

Note that at the time we were making things up as we went along, so very possibly this was not the best way 8-) but it worked for us.

Chris

From: Martin Kosek <mko...@redhat.com>
To: Christopher Lamb/Switzerland/IBM@IBMCH, Tamas Papp <tom...@martos.bme.hu>
Cc: email@example.com
Date: 10.06.2015 15:35
Subject: Re: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?

On 06/10/2015 03:32 PM, Christopher Lamb wrote:
> Hi Tamas
>
> I think the general advice is to replicate rather than to migrate. I am
> sure Martin K will jump in on this.

Yes :-)

> However some weeks ago, when doing a very similar move to yours, we chose
> to migrate (we were misled by some very old FreeIPA docus that have since
> been archived).
>
> In our case passwords were successfully migrated, so the users were able to
> use the same user / password combo as before.
>
> I will see if I can dig out the migrate command we used at the time.

Did you use the migration command advised in
https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA ?
>
> Chris
>
>
>
> From: Tamas Papp <tom...@martos.bme.hu>
> To: firstname.lastname@example.org
> Date: 10.06.2015 15:19
> Subject: [Freeipa-users] migrating 3.0 -> 4.1: passwords not migrated?
> Sent by: freeipa-users-boun...@redhat.com
>
> hi,
>
> Currently there are CentOS 6.5 servers and IPA 3.0.
>
> The goal is migrating users to CentOS 7.1 and IPA 4.1.
>
> This is the command I use:
>
> $ ipa migrate-ds ldap://ipa11
> --user-container=cn=users,cn=accounts,dc=foo
> --group-container=cn=groups,cn=accounts,dc=foo --base-dn=dc=foo
> --with-compat < ~/.pw.manager
>
> Users are migrated successfully but password must be reset, otherwise
> they cannot logon. Any idea, what's going on?
>
> I also have a bonus question.
> How can I migrate the cn=sysaccounts,cn=etc,dc=cxn tree? Do I need to
> export/import it as ldif and that's all?
>
> Thanks,
> tamas
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
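
Added example (not part of the thread and not FreeIPA's own code): the top message notes that members of the old admins group are not carried over by the migration and must be re-added. Assuming the output of `ipa group-show admins` has been saved from both servers, the script below prints the `ipa group-add-member` commands for the users missing on the new one; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output of `ipa group-show admins` on the old and new server.
sample_old() { cat <<'EOF'
  Group name: admins
  Description: Account administrators group
  GID: 1415000000
  Member users: admin, bilbo, frodo
EOF
}
sample_new() { cat <<'EOF'
  Group name: admins
  Description: Account administrators group
  GID: 1415000000
  Member users: admin
EOF
}

# members_of: read `ipa group-show` output on stdin and print the logins from
# the "Member users:" line, one per line, sorted. Logins containing anything
# other than letters, digits, "_", "." or "-" are dropped, so nothing
# unexpected ends up in a generated command line.
members_of() {
    sed -n 's/^[[:space:]]*Member users:[[:space:]]*//p' | tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -E '^[A-Za-z0-9_.-]+$' | sort -u
}

# readd_commands OLD_FILE NEW_FILE: print one command per user who was in
# admins on the old server but is not in admins on the new one.
# The commands are only printed, for review, never executed here.
readd_commands() {
    old=$(mktemp) new=$(mktemp)
    members_of < "$1" > "$old"
    members_of < "$2" > "$new"
    comm -23 "$old" "$new" | while read -r user; do
        printf 'ipa group-add-member admins --users=%s\n' "$user"
    done
    rm -f "$old" "$new"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
sample_old > "$tmp/old.txt"
sample_new > "$tmp/new.txt"
readd_commands "$tmp/old.txt" "$tmp/new.txt"
rm -rf "$tmp"
```
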