[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)
There are no direct failures; however, it won't copy groups that already exist, which is probably the case here. "Admins" already exists on the installed IPA.

It's understandable, Rob; however, we don't use the full capabilities of FreeIPA, only the LDAP and UI aspects of it.

Cheers.

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
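An added example, not code from this thread or from FreeIPA: it takes an LDIF export of the old server's group container plus the set of groups already present on the new server, lists the memberships that migrate-ds will drop because it skips pre-existing groups such as admins, and prints the ipa group-add-member commands that restore them. The sample LDIF and the group set are constructed; the new-server group list is assumed to come from ipa group-find.

```python
import re

# Constructed sample LDIF export of the old server's group container (not real data).
OLD_GROUPS_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com

dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=com
cn: devs
member: uid=carol,cn=users,cn=accounts,dc=example,dc=com

dn: cn=editors,cn=groups,cn=accounts,dc=example,dc=com
cn: editors
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
"""

# Groups on the fresh target (assumed from 'ipa group-find'); migrate-ds skips these.
NEW_SERVER_GROUPS = {"admins", "editors", "ipausers", "trust admins"}

UID_RE = re.compile(r"^uid=([^,]+),", re.IGNORECASE)

def parse_groups(ldif_text):
    """Return {group_cn: [member uid, ...]} from a simple LDIF dump."""
    groups = {}
    for entry in ldif_text.strip().split("\n\n"):
        cn, members = None, []
        for line in entry.splitlines():
            attr, _, value = line.partition(": ")
            if attr == "cn":
                cn = value
            elif attr == "member" and (m := UID_RE.match(value)):
                members.append(m.group(1))
        if cn:
            groups[cn] = members
    return groups

def lost_memberships(old_groups, existing):
    """Memberships of groups migrate-ds will skip because they already exist."""
    return {g: m for g, m in old_groups.items() if g in existing and m}

def repair_commands(lost):
    """'ipa group-add-member' commands that restore the dropped memberships."""
    return [f"ipa group-add-member {g} --users={','.join(m)}"
            for g, m in sorted(lost.items())]

if __name__ == "__main__":
    lost = lost_memberships(parse_groups(OLD_GROUPS_LDIF), NEW_SERVER_GROUPS)
    print("\n".join(repair_commands(lost)))
```

Run it against a real export (ldapsearch of cn=groups,cn=accounts bound as Directory Manager) before migrating, then apply the printed commands on the new server afterwards.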
[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)
Finn Fysj via FreeIPA-users wrote:
>> On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
>>
>> I would actually address this one, not the original question.
>>
>> You are conflating two different actions into one. 'Migrating' from a particular OS version in an existing IPA deployment to another one is not a migration, from the IPA point of view. In this case, even if you are adding new replicas using an updated OS version, the data in LDAP stays the same and is replicated in its entirety across the topology.
>>
>> When we say that an upgrade to RHEL9 from a RHEL7 deployment should be done by adding an intermediary RHEL8 replica, this is the case.
>>
>> In the case where you are using 'ipa migrate-ds', you are creating a totally separate environment which shares no LDAP data directly with the old one. Here you are adding users/groups from the old setup (be that an older IPA deployment or some OpenLDAP setup, or maybe Active Directory, or something else) to the new setup. Only a subset of information is transferred.
>>
>> Coming back to your question, are you passing a bind DN and password to be able to see all information in the old IPA deployment? The bind DN defaults to 'cn=Directory Manager', so that one should see all user and group details.
>
> Thank you for your response, Alexander.
>
> I'm indeed creating separate IPA servers, which are NOT intended to be part of the "old" one, at least not in a replica setup.
>
> Yes. This line is being run in Ansible, so the DS password is being passed to the command, correct.

I'm assuming that Ansible is eating the output of the migration command? Any failures to migrate users/groups would be shown there.

migrate-ds is not a great way to do IPA-to-IPA migration for a number of reasons, mainly because it only migrates users and groups and nothing else. It was designed to help migrate from LDAP-based systems to IPA.

rob
[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)
> On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
>
> I would actually address this one, not the original question.
>
> You are conflating two different actions into one. 'Migrating' from a particular OS version in an existing IPA deployment to another one is not a migration, from the IPA point of view. In this case, even if you are adding new replicas using an updated OS version, the data in LDAP stays the same and is replicated in its entirety across the topology.
>
> When we say that an upgrade to RHEL9 from a RHEL7 deployment should be done by adding an intermediary RHEL8 replica, this is the case.
>
> In the case where you are using 'ipa migrate-ds', you are creating a totally separate environment which shares no LDAP data directly with the old one. Here you are adding users/groups from the old setup (be that an older IPA deployment or some OpenLDAP setup, or maybe Active Directory, or something else) to the new setup. Only a subset of information is transferred.
>
> Coming back to your question, are you passing a bind DN and password to be able to see all information in the old IPA deployment? The bind DN defaults to 'cn=Directory Manager', so that one should see all user and group details.

Thank you for your response, Alexander.

I'm indeed creating separate IPA servers, which are NOT intended to be part of the "old" one, at least not in a replica setup.

Yes. This line is being run in Ansible, so the DS password is being passed to the command, correct.
[Freeipa-users] Re: Migrating from Rhel 7 to Rhel 9 (changing UID/GID_MAX and losing admins group)
On Wed, 21 Jun 2023, Finn Fysj via FreeIPA-users wrote:
> Hi,
>
> When I try to migrate from my RHEL 7 instance to RHEL 9, most of the stuff seems to work fine. I needed to set up the new IPA servers by modifying UID/GID_MAX, since in the early versions of the installation there wasn't a "check" for these attributes. I needed to do this since the existing IPA server uses UID/GIDs starting from 6000.
>
> Running:
> ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' --group-container='cn=groups,cn=accounts' ipa.example.com
>
> However, I see that all the users that used to belong to "admins" have now disappeared. Is there a way to avoid this? Or is there any attribute I should think of while migrating?
>
> PS: I'm aware that the suggested method of migrating is Rhel7 > Rhel8 > Rhel9; however, it seems to work fine without.

I would actually address this one, not the original question.

You are conflating two different actions into one. 'Migrating' from a particular OS version in an existing IPA deployment to another one is not a migration, from the IPA point of view. In this case, even if you are adding new replicas using an updated OS version, the data in LDAP stays the same and is replicated in its entirety across the topology.

When we say that an upgrade to RHEL9 from a RHEL7 deployment should be done by adding an intermediary RHEL8 replica, this is the case.

In the case where you are using 'ipa migrate-ds', you are creating a totally separate environment which shares no LDAP data directly with the old one. Here you are adding users/groups from the old setup (be that an older IPA deployment or some OpenLDAP setup, or maybe Active Directory, or something else) to the new setup. Only a subset of information is transferred.

Coming back to your question, are you passing a bind DN and password to be able to see all information in the old IPA deployment? The bind DN defaults to 'cn=Directory Manager', so that one should see all user and group details.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland