So I went ahead and ran the migrate-ds command; ran into issue that was
described here: when
trying to change password

I re-ran migrate-ds option; but I actually don't see the user accounts
being migrated at all when I run a "ipa user-show user_name --all"

I supposed manual option/script is the only option at this point?


On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng <>

> Hi list,
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have setup the new IPA instances and I am looking at migrate the
> data.
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (
> it is suggested to run the following sample command:
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
> My questions are:
> 1) Will this work as my new domain has changed (so realm is different)
> 2) Will this work for migration from 3.0.0 to 4.2.0?
> 3) Is this command safe to run from a production box?
> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."
> I have some idea how to do LDIF import/export but is this process
> documented anywhere (on the
> Thanks, Anthony
> --
> Thanks, Anthony

Thanks, Anthony
Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to