Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 09:28 AM, Peter Doherty wrote:
> On Feb 2, 2011, at 09:09 , Simo Sorce wrote:
>> On Tue, 1 Feb 2011 22:30:50 -0500 Peter Doherty dohe...@hkl.hms.harvard.edu wrote:
>>> On Feb 1, 2011, at 15:04 , Dmitri Pal wrote:
>>>> Also it is worth mentioning that we are planning to come up with Beta 2 later this week, so maybe it makes sense to wait a couple of days and move to the latest bits.
>>> Can I upgrade from Beta-1 to Beta-2, or are they incompatible?
>> There are small incompatibilities, some new schema and some changes to the DIT.
> So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?

The version 1.2 is the version that had very limited functionality. When we started working on v2 it became apparent that we would not be able to maintain backward compatibility and that the migration from IPA v1 to v2 would be similar to a migration from a different LDAP server. Our goal for v2 and beyond is to be compatible and to allow smooth migration. However, this means that we need to fix as many schema inconsistencies and data storage issues as we can before we release v2, otherwise we will be stuck with those forever. This means that the schema is changing in the beta cycle to address issues we find.

It is really unfortunate that you are caught in this situation. We are on the verge of releasing beta 2, so everybody is heads down fixing issues. We will try to carve out some time to come up with a better strategy for you next week, if that would help, so that you can move to beta2.

We hear your frustration and are really sorry about the bad experience you have had with the project.

Thank you
Dmitri

> Peter

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
>> So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?
> Upgrades will be possible within stable releases. Handling upgrades in development versions would cost too much development time without any real benefit, as schema and DIT will be fixed in stone once 2.0 final is released. Alpha and beta releases are not meant for production but only for testing environments.

Hi, I'm part of the same team that is stuck in this situation. I think you guys (FreeIPA team) need to make it really clear to current adopters that they are going to have to start from scratch if they go with the current v2 releases (1.9, 2.0-beta, etc.) and want to upgrade later.

Of course there is no definition of what beta means, but really I think we're your *ideal* beta testers and you should put in some effort to make it possible for us to use the beta releases of FreeIPA. We are a research computing group, so our service level standards are that we can live with 24-36 hours of down time M-F every couple of months, and 1 week of down time every year. We have a handful of real users, want to integrate apache httpd into using LDAP, want to utilize the web i/f for account management, use FreeIPA for NFS mounts, real X.509 certificates, etc.

Even if an automated/smooth transition between beta versions or from beta to final release is impossible, then some guidance on strategies to transition systems manually (and a very rough estimate of the time commitment to do that) would be useful. I wish I understood LDAP better, but I don't see why we can't just dump the current FreeIPA LDIF files, tweak the entries as necessary, and import them into the latest version of FreeIPA.

We're pretty close right now (as in, the next 4-24 hours) to abandoning FreeIPA, so some encouraging words on this front could make a difference and keep us with you.

Ian

-- 
Ian Stokes-Rees, PhD                W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu        T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School   C: +1.617.331.5993
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 12:30 PM, Ian Stokes-Rees wrote:
>>> So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?
>> Upgrades will be possible within stable releases. Handling upgrades in development versions would cost too much development time without any real benefit, as schema and DIT will be fixed in stone once 2.0 final is released. Alpha and beta releases are not meant for production but only for testing environments.
> Hi, I'm part of the same team that is stuck in this situation. I think you guys (FreeIPA team) need to make it really clear to current adopters that they are going to have to start from scratch if they go with the current v2 releases (1.9, 2.0-beta, etc.) and want to upgrade later.

It is our mistake that we did not realize that there is an expectation that there will be an easy migration between alphas and betas. We always thought of them as preparation steps for the actual release, and that no one would try to use them in production or load data that would be something other than a test set. So the expectation was that no migration would be needed. This is why your situation caught us by surprise.

I guess you had a lot of faith in the project and this is great. I also completely understand your frustration and desire to abandon it in the current situation. I think it would be mutually beneficial to avoid that and find a solution that would help you to move on. Yes, you are ideal testers and we want to continue working with you. We also ask for understanding that such a migration requirement was not expected on our side. We reinstall the system every day and run tests with new functionality on a fresh system. During the last month since the previous beta the team addressed more than 200 issues across the whole project. Some major issues have been addressed that required schema changes.

We are planning to release IPA beta2 today or tomorrow; this is why we are a little bit less responsive than we want to be. But this is all lyrics. The main issue with the migration between betas (as in any case) is passwords and keys. Simo knows the details, but in a nutshell the problem is that if you dump and load the LDIF (even if you adjust the records to accommodate schema changes manually) your keys would not match. You need to carry the master key over, and maybe more than that. We need to sit down and think through the recommendations for a manual procedure like this. We will try to do it ASAP, but given that we are releasing any day now it is not realistic to expect it to happen today.

Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.

To reduce the scope of the effort let me recap the goal:
1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation
2) You do not want to lose passwords
3) You are OK with a manual procedure
4) You are OK to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.

Again sorry for all the trouble. If we had known about the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.

Thank you
Dmitri

> Of course there is no definition of what beta means, but really I think we're your *ideal* beta testers and you should put in some effort to make it possible for us to use the beta releases of FreeIPA. We are a research computing group, so our service level standards are that we can live with 24-36 hours of down time M-F every couple of months, and 1 week of down time every year. We have a handful of real users, want to integrate apache httpd into using LDAP, want to utilize the web i/f for account management, use FreeIPA for NFS mounts, real X.509 certificates, etc.
>
> Even if an automated/smooth transition between beta versions or from beta to final release is impossible, then some guidance on strategies to transition systems manually (and a very rough estimate of the time commitment to do that) would be useful. I wish I understood LDAP better, but I don't see why we can't just dump the current FreeIPA LDIF files, tweak the entries as necessary, and import them into the latest version of FreeIPA.
>
> We're pretty close right now (as in, the next 4-24 hours) to abandoning FreeIPA, so some encouraging words on this front could make a difference and keep us with you.
>
> Ian
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
> Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.

We will probably decide what path to take tomorrow. I'm not sure if we're prepared to wait, since waiting 1 week will probably only get us using the new Beta-2, and won't solve any problems for Beta-3 or the official release of 2.0.

> To reduce the scope of the effort let me recap the goal:
> 1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation

I'm not sure of the details of everything that is in FreeIPA, but I think right now it is at least user information and NFS mounts. Possibly more. We have 10-20 accounts, so not much.

> 2) You do not want to lose passwords

I don't really care about this. We can lose all passwords as far as I'm concerned. Peter, the other person who has been on this thread and the one who has done all the work, may have a different opinion.

> 3) You are OK with a manual procedure
> 4) You are OK to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.

Yes, we're OK to try manual procedures and different approaches, *if* we decide it is worth sticking with FreeIPA.

> Again sorry for all the trouble. If we had known about the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.

How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

Regards,
Ian
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 04:02 PM, Ian Stokes-Rees wrote:
>> Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.
>
> We will probably decide what path to take tomorrow. I'm not sure if we're prepared to wait, since waiting 1 week will probably only get us using the new Beta-2, and won't solve any problems for Beta-3 or the official release of 2.0.
>
>> To reduce the scope of the effort let me recap the goal:
>> 1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation
>
> I'm not sure of the details of everything that is in FreeIPA, but I think right now it is at least user information and NFS mounts. Possibly more. We have 10-20 accounts, so not much.

The NFS mount schema is the same, standard 2307bis, so there is no difference between the versions. The only issue can be the location of the container, since we did some rearrangement of the tree recently. But there is no crypto or hashes there, so dumping cn=automount and loading it into the new version should be a straightforward exercise.

For the users, migrate-ds should be used then. It will take user accounts from the old installation and move them to the new one. If you use SSSD on the client in the migration mode, then it will recreate the migrated Kerberos hashes behind the scenes as soon as you log into a client machine using SSSD after migration. If migrate-ds does not work for you then we need to know all the details and logs of what went wrong so that we can fix the issue.

>> 2) You do not want to lose passwords
>
> I don't really care about this. We can lose all passwords as far as I'm concerned. Peter, the other person who has been on this thread and the one who has done all the work, may have a different opinion.

The procedure described above, i.e. using SSSD on the client, will solve the problem of the password migration if you care.

>> 3) You are OK with a manual procedure
>> 4) You are OK to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.
>
> Yes, we're OK to try manual procedures and different approaches, *if* we decide it is worth sticking with FreeIPA.

This is your decision to make.

>> Again sorry for all the trouble. If we had known about the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.
>
> How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

They are not migratable versions. Frankly, I have not heard of any product of such complexity that would support migration between the alpha-beta-rc drops. Sorry, but your expectation is wrong. It is our fault that we have not clearly stated it, but this is the case.

And yes, just to set expectations straight, when we release IPA v2 we expect it to be a fresh install, with users migrated to it using migrate-ds and passwords migrated using SSSD or a special migration page we provide. Other parts of the tree can be migrated piecemeal, and we will be happy to help you do it if migrating this part of the information is possible. For example, migrating hosts and services will not be possible, but sudo, HBAC, DNS etc. will be, so discretion should be used depending upon what you have in your deployment. However, if we are talking about 10-20 accounts it might be easier to recreate them manually or with a simple script.

Overall we appreciate your business and would be glad to help within reasonable expectations.

Thank you,
Dmitri

> Regards,
> Ian
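For the cn=automount step described above (dump the subtree on the old server, load it on the new one), here is an added example that is not from the thread or from FreeIPA: a small Python rebase of a dumped LDIF that moves entries under the new container DN when the tree layout changed and strips the operational attributes 389-ds maintains itself, which an import must not carry over. The suffixes and the sample dump are constructed placeholders.

```python
import base64

# 389-ds maintains these itself (memberOf via its plugin); never import them.
OPERATIONAL_ATTRS = {"creatorsname", "modifiersname", "createtimestamp",
                     "modifytimestamp", "nsuniqueid", "entryusn", "memberof"}
DN_VALUED_ATTRS = {"dn", "member", "uniquemember", "seealso"}  # suffix rewritten

# Constructed sample dump of one automount map and key under a placeholder old
# suffix, with a folded DN line and a base64 ("::") value as ldapsearch emits.
SAMPLE_LDIF = """\
dn: automountMapName=auto.master,cn=default,cn=automount,dc=old,dc=example,dc=test
objectClass: automountMap
automountMapName: auto.master
creatorsName: cn=directory manager

dn: automountKey=/home,automountMapName=auto.master,cn=default,cn=automount,
 dc=old,dc=example,dc=test
objectClass: automount
automountKey: /home
automountInformation: auto.home
description:: aG9tZSBkaXJzIChiYXNlNjQp
"""

def parse_ldif(text):
    """Entries as lists of (attr, value); unfolds RFC 2849 continuation lines,
    decodes '::' base64 values and drops comment lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        elif not line.startswith("#"):
            unfolded.append(line)
    entries = []
    for block in "\n".join(unfolded).split("\n\n"):
        entry = []
        for line in filter(None, block.splitlines()):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode()
            entry.append((attr.strip(), value.strip()))
        if entry:
            entries.append(entry)
    return entries

def rebase_dn(dn, old_suffix, new_suffix):
    # Move a DN under the new container; suffixes compare case-insensitively.
    if dn.lower().endswith(old_suffix.lower()):
        return dn[:len(dn) - len(old_suffix)] + new_suffix
    return dn

def rebase_ldif(text, old_suffix, new_suffix):
    """LDIF ready for ldapadd on the new server: operational attributes dropped,
    DN-valued attributes rewritten under new_suffix."""
    blocks = []
    for entry in parse_ldif(text):
        lines = []
        for attr, value in entry:
            if attr.lower() in OPERATIONAL_ATTRS:
                continue
            if attr.lower() in DN_VALUED_ATTRS:
                value = rebase_dn(value, old_suffix, new_suffix)
            if value.isascii() and not value.startswith((" ", ":", "<")):
                lines.append(f"{attr}: {value}")
            else:   # values LDIF cannot hold verbatim go back to base64
                lines.append(f"{attr}:: {base64.b64encode(value.encode()).decode()}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

Feed the returned text to ldapadd against the new server. User entries and their password hashes are deliberately out of scope here; as the thread says, those go through migrate-ds and SSSD.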
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote:
> How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

If you read the release notes (http://freeipa.org/page/IPAv2_beta), in the paragraph 'migration' it is quite clearly stated that migration from v1 to v2 of freeipa is not possible. You are right that it is not clearly stated that migrations between 1.9.whatever and 2 are not possible but ...

... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.

I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, but this was not supposed to be running in a production environment. Do not blame redhat for something that clearly is not their fault.

This project is going to be awesome for unix networks. All the pieces of the puzzle were out there, but these guys are putting them together in a nice package. Having dealt with a share of ldap+kerberos environments, I can tell you this is it. It is not there yet, but it is getting there. It is your choice to not use it.

-- 
groeten,
natxo
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
Thank you Natxo. We are working hard to get it there and when we do .. it will be awesome!

Jenny

Natxo Asenjo wrote:
> On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote:
>> How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.
>
> If you read the release notes (http://freeipa.org/page/IPAv2_beta), in the paragraph 'migration' it is quite clearly stated that migration from v1 to v2 of freeipa is not possible. You are right that it is not clearly stated that migrations between 1.9.whatever and 2 are not possible but ...
>
> ... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.
>
> I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, but this was not supposed to be running in a production environment. Do not blame redhat for something that clearly is not their fault.
>
> This project is going to be awesome for unix networks. All the pieces of the puzzle were out there, but these guys are putting them together in a nice package. Having dealt with a share of ldap+kerberos environments, I can tell you this is it. It is not there yet, but it is getting there. It is your choice to not use it.
>
> -- 
> groeten,
> natxo

-- 
Jenny Galipeau jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
> ... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.

Our whole group thinks FreeIPA looks really exciting. We really do *want* to use it. We want the project to succeed, and we'd be happy to be part of the (non-developer) community that helps get you guys there. We are just disappointed that right now it doesn't look like we can stick with you to make this happen, which is particularly frustrating because we've invested a lot of time (at least several weeks at this point) into getting to know and use FreeIPA.

We have 4 active users, and about a dozen others. This is part of a research computing cluster infrastructure and does not hold home directories for anyone (no mail, no critical files, etc). As I've said, it seems like we have an ideal environment for beta testing.

Are you only planning on testing version migration/upgrade abilities in the final release? Or perhaps there is a very long road of beta versions that will come out over the next several years before a final 2.0 release appears. It did not seem unreasonable for us to assume that some kind of migration capability would be part of (at least) the beta releases.

> I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset,

We're not blaming the FreeIPA team. We are surprised that for such a significant project where clearly so much time and work *has* been invested (even into things like documentation), something so critical as migration didn't get more attention sooner. I appreciate the issues that arise with developing good schemas, and the complexities of being able to translate data between different schemas.

The backup plan I'm now considering (but it isn't just my decision) is OpenLDAP or Dir-389 + WebMin + UserMin (not sure if Dir-389 will work well with the WebMin LDAP module).

Cheers,
Ian