Re: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0

2016-04-26 Thread Petr Vobornik
On 04/25/2016 11:33 PM, Anthony Cheng wrote:
> So I went ahead and ran the migrate-ds command; ran into the issue that was
> described here:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when
> trying to change the password
> 
> I re-ran the migrate-ds option; but I actually don't see the user accounts being
> migrated at all when I run "ipa user-show user_name --all"
> 
> I suppose the manual option/script is the only option at this point?
> 
> Anthony
> 
> On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng wrote:
> 
> Hi list,
> 
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating
> the data.

I'd assume that by v3.0.0 you mean RHEL 6.7 and by v4.2.0 RHEL 7.2. For
such a migration you can use the method of creating a replica:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrading.html#migrating-ipa-proc

With IPA upgraded from version 2.x, make sure that the internal CA users have
correct certificates and that all certificates are valid. Details are in the
thread "7.x replica install from 6.x master fails", especially:
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00046.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00138.html
* https://www.redhat.com/archives/freeipa-users/2016-April/msg00143.html

> 
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here
> 
> (http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
> 
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test

Migrate DS was designed to be used for migration from a general LDAP
server to IPA, but it can also be used for IPA-to-IPA migration, given that
IPA also has an LDAP server.

> 
> My questions are:
> 1) Will this work as my new domain has changed (so the realm is different)?

Yes

> 2) Will this work for migration from 3.0.0 to 4.2.0?

Yes, but see the link above - it is the recommended method if you want
to just "upgrade".

> 3) Is this command safe to run from a production box?

The command doesn't do any changes on the source machine. It's always better
to try it first in a testing environment.

> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)

Depends how it fails.

> 
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."

Yes, automatic migration of records other than users and groups has not
yet been implemented; we have an RFE for such migration:
https://fedorahosted.org/freeipa/ticket/3656

> 
> I have some idea how to do LDIF import/export, but is this process documented
> anywhere (on freeipa.org)?

I'm not aware of any such document.
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
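The manual route Petr confirms for SUDO, HBAC and similar objects (export the LDIF, select the records, rewrite the attributes in batch, add the cleaned LDIF to the new server) is straightforward to script. The following is an added example written for this page, not code from the thread or from the FreeIPA project. It assumes an old base DN dc=old,dc=test with realm OLD.TEST moving to dc=new,dc=test with realm NEW.TEST, handles only HBAC and sudo rules, and runs over a constructed sample export; the UUIDs and entries are made up.

```python
# Added example, not code from the thread or from the FreeIPA project: script
# the manual export -> select -> rewrite -> import path for the objects that
# migrate-ds skips (HBAC, sudo). Suffixes, realms and sample data are made up.
import base64
import re

OLD_SUFFIX, NEW_SUFFIX = "dc=old,dc=test", "dc=new,dc=test"  # assumed base DNs
OLD_REALM, NEW_REALM = "OLD.TEST", "NEW.TEST"                # assumed realms
# Owned by the target server's plugins: operational attrs are refused on add and
# memberOf is recomputed. ipaUniqueID is kept; it is the RDN of rule entries.
DROP_ATTRS = {"entryuuid", "entryusn", "nsuniqueid", "creatorsname",
              "modifiersname", "createtimestamp", "modifytimestamp", "memberof"}
WANTED_CLASSES = {"ipahbacrule", "ipasudorule"}  # users/groups go via migrate-ds

def parse_ldif(text):
    """[(dn, [(attr, value), ...])] from LDIF: handles comments, folded lines,
    'attr: v' and base64 'attr:: v', blank-line record separators."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], []
    for line in lines + [""]:                 # trailing "" flushes the last record
        if line == "":
            if cur:
                records.append(cur)
            cur = []
        elif not (line.startswith("#") or line.lower().startswith("version:")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.append((attr, value.strip()))
    return [(next(v for a, v in r if a.lower() == "dn"),
             [(a, v) for a, v in r if a.lower() != "dn"]) for r in records]

def rewrite_value(value):
    """Old suffix/realm -> new; suffix match is case-insensitive like LDAP DNs."""
    value = re.sub(re.escape(OLD_SUFFIX), NEW_SUFFIX, value, flags=re.IGNORECASE)
    return re.sub("@" + re.escape(OLD_REALM) + "$", "@" + NEW_REALM, value)

def select_and_rewrite(entries):
    """Keep wanted classes, drop plugin-owned attrs, rewrite DN and all values
    (memberUser/memberHost/... reference the old suffix and must move too)."""
    out = []
    for dn, attrs in entries:
        classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
        if classes & WANTED_CLASSES:
            kept = [(a, rewrite_value(v)) for a, v in attrs if a.lower() not in DROP_ATTRS]
            out.append((rewrite_value(dn), kept))
    return out

def to_ldif(entries):
    """Serialise; values LDIF cannot carry literally are base64-encoded."""
    def fmt(attr, value):
        literal = (value.isascii() and value == value.strip()
                   and "\n" not in value and value[:1] not in (":", "<"))
        return (f"{attr}: {value}" if literal else
                f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return "\n\n".join("\n".join([fmt("dn", dn)] + [fmt(a, v) for a, v in attrs])
                       for dn, attrs in entries) + "\n"

def migrate_ldif(text):            # old export in, file for 'ldapadd -f' out
    return to_ldif(select_and_rewrite(parse_ldif(text)))

# Constructed sample export (fake UUIDs) in the shape 'ldapsearch -LLL' emits.
SAMPLE_EXPORT = """\
dn: cn=hbac,dc=old,dc=test
objectClass: nsContainer
cn: hbac

dn: ipaUniqueID=6f0b0b9c-1234-11e6-8c42-525400aa1111,cn=hbac,dc=old,dc=test
objectClass: ipaassociation
objectClass: ipahbacrule
cn: allow_sshd_admins
ipaEnabledFlag: TRUE
hostCategory: all
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=test
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=old,dc=test
description:: U1NIIGbDvHIgQWRtaW5z
ipaUniqueID: 6f0b0b9c-1234-11e6-8c42-525400aa1111
entryUUID: 1f1c0b9c-0000-11e6-8c42-525400aa1111
nsUniqueId: 1f1c0b9c-00000000-00000000-525400aa
memberOf: cn=old_rule_set,cn=hbac,dc=old,dc=test

dn: ipaUniqueID=7a1c0b9c-1234-11e6-8c42-525400aa2222,cn=sudorules,cn=sudo,dc=old,dc=test
objectClass: ipaassociation
objectClass: ipasudorule
cn: admins_all
memberUser: cn=admins,cn=groups,cn=accounts,dc=old,dc=test
cmdCategory: all
description: Admins may run any command on any ho
 st; review before importing
"""

if __name__ == "__main__":
    print(migrate_ldif(SAMPLE_EXPORT))
```

In practice the input comes from the old server, e.g. `ldapsearch -LLL -o ldif-wrap=no -x -D "cn=Directory Manager" -W -b cn=hbac,dc=old,dc=test '(objectClass=ipaHBACRule)' > hbac.ldif` (container DN assumed as above), and the output goes to the new server with `ldapadd -x -D "cn=Directory Manager" -W -f hbac.new.ldif` after a manual review. Three checks are worth doing before that import: migrate users and groups first, because the rewritten memberUser/memberHost DNs must already exist on the new server for a rule to bind to anything; remember that a fresh IPA server ships with the allow_all HBAC rule enabled, so the imported rules have no effect until it is disabled; and leave DNS out of this path, since the old zone's records carry the old realm (the _kerberos TXT record) and old host names and are better recreated with ipa dnszone-add and ipa dnsrecord-add. Prefer the -W prompt over the wiki's `echo Secret123 | ...` form, which leaves the Directory Manager password in shell history.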


Re: [Freeipa-users] Migrate FreeIPA data from v3.0. to v4.2.0

2016-04-25 Thread Anthony Cheng
So I went ahead and ran the migrate-ds command; ran into the issue that was
described here:
https://www.redhat.com/archives/freeipa-users/2015-March/msg00398.html when
trying to change the password

I re-ran the migrate-ds option; but I actually don't see the user accounts
being migrated at all when I run "ipa user-show user_name --all"

I suppose the manual option/script is the only option at this point?

Anthony

On Mon, Apr 25, 2016 at 1:06 PM Anthony Cheng wrote:

> Hi list,
>
> Currently in the midst of doing a migration of FreeIPA from v3.0.0 to
> v4.2.0; I have set up the new IPA instances and I am looking at migrating the
> data.
>
> Based on the section under 'Migrating from other FreeIPA to FreeIPA' here (
> http://www.freeipa.org/page/Howto/Migration#Migrating_existing_FreeIPA_deployment),
> it is suggested to run the following sample command:
>
> echo Secret123 | ipa migrate-ds --bind-dn="cn=Directory Manager"
> --user-container=cn=users,cn=accounts
> --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
> --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry}
> --user-ignore-objectclass=mepOriginEntry --with-compat
> ldap://migrated.freeipa.server.test
>
> My questions are:
> 1) Will this work as my new domain has changed (so the realm is different)?
> 2) Will this work for migration from 3.0.0 to 4.2.0?
> 3) Is this command safe to run from a production box?
> 4) If it fails or is not safe to run, what is the alternative/process?
> (details would be appreciated)
>
> Also on the same link, it mentions that "other objects (SUDO, HBAC, DNS,
> ...) have to be migrated manually, by exporting the LDIF from old FreeIPA
> instance, selecting the records to be migrated, updating the attributes in
> batch (e.g. new realm) and adding the cleaned LDIF to new FreeIPA."
>
> I have some idea how to do LDIF import/export, but is this process
> documented anywhere (on freeipa.org)?
>
> Thanks, Anthony
-- 
Thanks, Anthony