Re: [Freeipa-users] migrate from LDAP to FreeIPA ?

2011-04-04 Thread Jan-Frode Myklebust
On Fri, Mar 25, 2011 at 05:14:02PM -0400, Rob Crittenden wrote:
 
> Shouldn't be too bad. Here is our beta documentation on migration:
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA

Ok, good, that looks like it should cover the bulk of our migration.

The other problems I'm looking at are probably more of design issues.
Is there a deployment guide somewhere as well?

Currently we use netgroups for servers and users, mainly to manage who
can log in to which server through pam_access/access.conf plus for sudo
rules. Should we continue using netgroups, or will the user groups and
host groups in IPA cover this? Do the user groups allow nesting of
posix groups? I.e. user1 is a member of group1, which automatically makes
him a member of group2 and group3?

Some guides for configuring roles/privileges would be very interesting. 
We want to have group admins who are allowed to add/remove members of 
the groups this admin admins... Also we might want to allow team leaders
to add new users..

Oh.. and is there any training available/planned for IPA (v2)?


  -jf

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] migrate from LDAP to FreeIPA ?

2011-04-04 Thread Dmitri Pal
On 04/04/2011 04:12 AM, Jan-Frode Myklebust wrote:
> On Fri, Mar 25, 2011 at 05:14:02PM -0400, Rob Crittenden wrote:
>> Shouldn't be too bad. Here is our beta documentation on migration:
>>
>> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA
> Ok, good, that looks like it should cover the bulk of our migration.
>
> The other problems I'm looking at are probably more of design issues.
> Is there a deployment guide somewhere as well?

No, not yet. This manual is what we have.
But we will be very interested in hearing your opinion on what topics
other than those we already have in the manual we should cover.

> Currently we use netgroups for servers and users, mainly to manage who
> can log in to which server through pam_access/access.conf plus for sudo
> rules. Should we continue using netgroups, or will the user groups and
> host groups in IPA cover this?

We recommend using groups and host groups. Both support nesting.
For migration purposes, a netgroup with the same name is created by
default for any host group you create. This netgroup is just a pointer
to the host group, sort of a shell.
This would allow you to use host groups in the admin model while the
clients can continue to leverage netgroups until they get smart enough to
use host groups directly. At that moment you would be able to turn off the
automatic creation of the netgroups. But this will be in the quite distant
future.

> Do the user groups allow nesting of
> posix groups? I.e. user1 is a member of group1, which automatically makes
> him a member of group2 and group3?

Yes, the groups are nested and you can mix posix and nonposix groups.

> Some guides for configuring roles/privileges would be very interesting.
> We want to have group admins who are allowed to add/remove members of
> the groups this admin admins... Also we might want to allow team leaders
> to add new users..

We do not have enough solutions worked out yet.
Any contributions about your experience with IPA will be valuable.


> Oh.. and is there any training available/planned for IPA (v2)?

We will be giving a presentation at the Summit.
The training schedule is not yet worked out.


>   -jf



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
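
An added example, not part of the thread and not FreeIPA code: a simplified model of the nested-group question above (user1 in group1, which is nested in group2 and group3), showing how effective membership resolves and which memberships are only indirect, which is what an access review of pam_access or sudo rules needs to see. All group names and the `MEMBER_OF` / `POSIX` data are constructed sample values.

```python
from collections import deque

# Constructed sample data: member -> groups it is a DIRECT member of.
# Mirrors the thread's example: user1 -> group1 -> group2 and group3.
MEMBER_OF = {
    "user1": {"group1"},
    "user2": {"group3"},
    "group1": {"group2", "group3"},
    "group2": {"sudo-admins"},
    "sudo-admins": {"group1"},  # deliberate cycle, to show it is handled
}
# Constructed: groups treated as POSIX (have a GID); the rest are non-POSIX.
POSIX = {"group1", "group2", "group3"}


def effective_groups(principal, member_of=MEMBER_OF):
    """Return {group: path} for every group reached directly or via nesting."""
    paths = {}
    queue = deque((g, [principal, g]) for g in sorted(member_of.get(principal, ())))
    while queue:
        group, path = queue.popleft()
        if group in paths:  # already visited: this is what breaks cycles
            continue
        paths[group] = path
        for parent in sorted(member_of.get(group, ())):
            queue.append((parent, path + [parent]))
    return paths


def indirect_only(principal, member_of=MEMBER_OF):
    """Groups held only through nesting; these are easy to miss in a review."""
    direct = member_of.get(principal, set())
    return {g for g in effective_groups(principal, member_of) if g not in direct}


def posix_groups(principal, member_of=MEMBER_OF, posix=POSIX):
    """Effective groups that are POSIX in this model (mixing is allowed)."""
    return {g for g in effective_groups(principal, member_of) if g in posix}


if __name__ == "__main__":
    for grp, path in sorted(effective_groups("user1").items()):
        print(f"{grp:12} via {' -> '.join(path)}")
```
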




[Freeipa-users] migrate from LDAP to FreeIPA ?

2011-03-25 Thread Jan-Frode Myklebust
We run a quite pure RHEL server environment, with users, groups,
authentication (ldap bind), sudorules and netgroups all in two
master-master replicating 389ds'. The users and groups are managed by
Sun Identity Manager (SIM), which pushes them to the directory servers
-- but we're not really using it and might as well have managed these
directly in an LDAP editor. So, it's time to drop SIM, and I'm a bit
torn between implementing some simple shell scripts to manage the
users/groups in LDAP and take advantage of the new password policy
features of 389ds etc., or if we should deploy IPAv2 and get
kerberos, nice UIs, machine/service identity and lots more.

So, to my question -- are there any migration guides that can help us
move from LDAP to IPA ? Is it a complicated procedure ?


  -jf


Re: [Freeipa-users] migrate from LDAP to FreeIPA ?

2011-03-25 Thread Rob Crittenden

Jan-Frode Myklebust wrote:

> We run a quite pure RHEL server environment, with users, groups,
> authentication (ldap bind), sudorules and netgroups all in two
> master-master replicating 389ds'. The users and groups are managed by
> Sun Identity Manager (SIM), which pushes them to the directory servers
> -- but we're not really using it and might as well have managed these
> directly in an LDAP editor. So, it's time to drop SIM, and I'm a bit
> torn between implementing some simple shell scripts to manage the
> users/groups in LDAP and take advantage of the new password policy
> features of 389ds etc., or if we should deploy IPAv2 and get
> kerberos, nice UIs, machine/service identity and lots more.
>
> So, to my question -- are there any migration guides that can help us
> move from LDAP to IPA ? Is it a complicated procedure ?



Shouldn't be too bad. Here is our beta documentation on migration:

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA
