On 09/27/2015 01:34 PM, Matt . wrote:
> Hi All,
> I'm investigating what the possibilities are when you have an existing
> domain/realm and the company name is changed, so the domain should be
> also. I came on this idea because I wanted to know how flexible the
> integration is here.
> As we use in my opinion a very simple and dumb node setup, we are very
> able to move around as we want, but how is this done at other
> companies?
> To start with DNS, I would set up a new IPA server with the new domain
> and forward this domain from the old IPA server and start moving over
> servers and create a new hostkey for them. As loadbalancers are in
> place in lots of setups, this is very easy to do without downtime.
> I'm more wondering about how the users and their related groups can be
> moved over, or would this be done using migrate-ds or something? As
> the domain changes, so does the dc= string too... the reference of the
> groups is missing.
> I hope someone can make this more clear, as I think this is good
> knowledge to have up front, for anything and in any case.
Good question. From a technical point of view, I think the biggest issue may be
Kerberos principals/realm and certificate subject/issuer, as both are not that
easy to change. CCing Simo in case he has a good idea how to do that.
I assume there are two ways to approach the problem:
1) Keep using the old realm and main domain and simply add aliases where needed,
use the new DNS domain with the old realm or old certificate subject base
2) Start a new FreeIPA with a fixed Kerberos realm and CA - this is a clean start,
though a rather brutal one. We have plans to provide some tooling to help, as for
now there is only the possibility to migrate the users:
Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656,
so some updates may happen.
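The dc= problem Matt raises (group member references pointing at the old base DN) is what a user/group export has to deal with in approach 2. The following is an added example, not code from this thread or from FreeIPA: it rewrites DN-valued attributes in an LDIF export from the old base DN to the new one, leaving DNs under other suffixes alone. The attribute list, the base DNs and the sample LDIF are constructed assumptions.

```python
"""Rewrite the base DN in an LDIF export so group membership references
(member/memberOf) still resolve after a domain rename.  Added example for
this thread, not FreeIPA code; the sample LDIF below is constructed."""
import re

# Attributes whose values are DNs and must follow the base-DN change.
# This set is an assumption covering the common FreeIPA group attributes.
DN_ATTRS = {"dn", "member", "memberof", "manager", "memberuser", "memberhost"}

def _rewrite_dn(value, old_base, new_base):
    """Replace a trailing old_base (matched case-insensitively) with new_base."""
    pattern = re.compile(r"(^|,)" + re.escape(old_base) + r"$", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + new_base, value)

def rewrite_base_dn(ldif, old_base, new_base):
    """Return (rewritten LDIF, number of DN values changed).
    Assumes an unfolded plain-text export; folded continuation lines,
    comments and base64 ('::') values are passed through untouched."""
    out, changed = [], 0
    for line in ldif.splitlines():
        if ":" in line and not line.startswith(("#", " ")):
            attr, _, value = line.partition(":")
            if attr.strip().lower() in DN_ATTRS and not value.startswith(":"):
                new_value = _rewrite_dn(value.strip(), old_base, new_base)
                if new_value != value.strip():
                    changed += 1
                    line = f"{attr}: {new_value}"
        out.append(line)
    return "\n".join(out) + "\n", changed

# Constructed sample: one group with two local members and one member
# from a different suffix that must not be touched.
SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=oldcorp,dc=example
objectClass: groupofnames
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=oldcorp,dc=example
member: uid=bob,cn=users,cn=accounts,dc=oldcorp,dc=example
member: uid=ext,cn=users,dc=partner,dc=example
"""

if __name__ == "__main__":
    text, n = rewrite_base_dn(SAMPLE_LDIF, "dc=oldcorp,dc=example",
                              "dc=newcorp,dc=example")
    print(text, f"# {n} DN values rewritten")
```

Run the result through ldapsearch or a dry-run import against the new server before trusting it, since the Kerberos realm and certificate subjects mentioned above are not covered by a DN rewrite.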