> Hi all,
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has
> been a pain point for quite some time.  I've heard that FreeIPA might
> be a solution worth exploring.
> I would like to try to avoid user visible disruption if possible,
> however.  This means that we would like to keep our Kerberos realm
> name, keep AFS cross-realm authentication working, etc.  UIDs
> remaining the same would be good; I'd have to think about
We don't use cross-realm. We created a new realm with a new name. We used
ipa migrate-ds to migrate users/groups with UIDs.

Because we couldn't migrate the user passwords from the old to the new realm, we
reset the users' passwords in the new IPA realm and let the users input a
new password once.
> Essentially all of our clients are various flavors of Debian; mostly
> Jessie (we have an unfortunate number of older machines that I hope to
> upgrade soon).
> Has anyone done something like this before?  Anyone have any ideas
> what the migration path would look like or whether this is even
> possible? 
I have the same situation. We have an old MIT Kerberos / OpenLDAP system
which we have to migrate. We use FreeIPA 4.2 on Fedora 23 and the
current OpenAFS release and simply said: it works. Our first milestone
was to migrate web platforms and everything behind them (Apache with Kerberos
auth and data in AFS) first, and after them, with more experience with the
AFS / FreeIPA combination, we want to migrate the user homes and client

