On 30/09/15 07:57, Martin Kosek wrote:
On 09/27/2015 01:34 PM, Matt . wrote:
Hi All,

I'm investigating what the possibillities are when you have a existing
domain/realm and the company name is changed, so the domain should be
also. I came on this idea because of I wanted to know how flexible the
integration is here.

As we use in my opinion a very simple and dumb node setup, we are very
able to move around as we want, but how is this done at other
companies ?

To start with DNS I would setup a new IPA server with the new domain
and forward this domain from te old ipa server and start moving over
servers and create a new hostkey for them. As loadbalancers are in
place in lost of setups this very easy todo witout downtime.

I'm more wondered about how the users and their related groups an be
moved over, or would this be done using migrate-ds or something ? As
the domain changes, so the dc= string too... the reference of the
groups is missing.

I hope someone can make this more clear as I think this is good
knowledge to have upfront anything and any case.



Good question. From technical point of view, I think the biggest issue may be
Kerberos principals/realm and Certificates subject/issuer as both are not that
easy to change. CCing Simo in case he has a good idea how to do that.

We can't rename a domain, but you can move all servers to a different DNS domain.

I assume there are 2 ways how to approach the problem:
1) Keep using old realm and main domain and simply add aliases where needed,
use the new DNS domain with old realm or old Certificate subject base

2) Start new FreeIPA with fixed Kerberos realm and CA - this is a clean start
though rather brutal one. We have plans to provide some tooling to help, as for
now there is only the possibility to migrate the users:

My suggestion would be to go with 1 and/or wait for trust support in IPA, at that point migration from one domain to another will be much easier as it will be possible to do it one machine/user at a time (caveat, 2 distinct FreeIPA realms will probably not be able to share the same DNS namespace).



Lenka was already investigating https://fedorahosted.org/freeipa/ticket/3656,
so some updates may happen.

Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to