Re: [Freeipa-users] Export data

2014-02-19 Thread Rob Crittenden

Choudhury, Suhail wrote:

Hi Martin,

Thanks for your previous answer.

And how can I export a list of DNS entries using ldapsearch?


He included the basics in his previous answer:

> $ kinit admin
> $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


You can append the command with the list of attributes you want, and 
suppress a bunch of the extraneous output with -LLL, so something like:


$ ldapsearch -LLL -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' dn


rob



Regards,
Suhail.
DevOps BSkyB.


From: Martin Kosek [mko...@redhat.com]
Sent: 22 January 2014 13:30
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Export data

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:

Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so
we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone
can give some hints on how best to do this please.



You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Martin


Information in this email including any attachments may be privileged, 
confidential and is intended exclusively for the addressee. The views expressed 
may not be official policy, but the personal views of the originator. If you 
have received it in error, please notify the sender by return e-mail and delete 
it from your system. You should not reproduce, distribute, store, retransmit, 
use or disclose its contents to anyone. Please note we reserve the right to 
monitor all e-mail communication through our internal and external networks. 
SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and 
Sky International AG and are used under licence. British Sky Broadcasting 
Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration 
No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) 
are direct or indirect subsidiaries of British Sky Broadcasting Group plc 
(Registration No. 2247735). All of the companies mentioned in this paragraph
are incorporated in England and Wales and share the same registered office at
Grant Way, Isleworth, Middlesex TW7 5QD.



___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users





Re: [Freeipa-users] Export data

2014-02-19 Thread Martin Kosek
Similarly to users, you just use the right container:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=dns,dc=example,dc=com'

There are plenty of resources online on how to work with ldapsearch, ldapmodify
and resulting LDIFs that could help get you started.

Martin

On 02/19/2014 04:33 PM, Choudhury, Suhail wrote:
> Hi Martin,
> 
> Thanks for your previous answer.
> 
> And how can I export a list of DNS entries using ldapsearch?
> 
> Regards,
> Suhail.
> DevOps BSkyB.
> 
> 
> From: Martin Kosek [mko...@redhat.com]
> Sent: 22 January 2014 13:30
> To: Choudhury, Suhail; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Export data
> 
> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>> Hi guys,
>>
>> I'm trying to get a dump of all users, hosts and DNS entries from IPA so
>> we can run scripts/Puppet against them.
>>
>> Tried searching for it but cannot find anything, so was hoping someone
>> can give some hints on how best to do this please.
>>
> 
> You can either export them via ldapsearch:
> 
> $ kinit admin
> $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
> 
> 
> ... or write a Python script to do what you want. Very simple example:
> 
> $ kinit admin
> $ python
> >>> from ipalib import api
> >>> api.bootstrap()
> >>> api.finalize()
> >>> api.Backend.xmlclient.connect()
> >>> users = api.Command.user_find()
> >>> for user in users['result']:
> ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
> ...
> admin:191360:191360
> tuser:191361:191361
> 
> 
> Martin
> 
> 
> 
> 



Re: [Freeipa-users] Export data

2014-02-19 Thread Choudhury, Suhail
Hi Martin,

Thanks for your previous answer.

And how can I export a list of DNS entries using ldapsearch?

Regards,
Suhail.
DevOps BSkyB.


From: Martin Kosek [mko...@redhat.com]
Sent: 22 January 2014 13:30
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Export data

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
> Hi guys,
>
> I'm trying to get a dump of all users, hosts and DNS entries from IPA so
> we can run scripts/Puppet against them.
>
> Tried searching for it but cannot find anything, so was hoping someone
> can give some hints on how best to do this please.
>

You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Martin







Re: [Freeipa-users] Export data

2014-01-24 Thread Martin Kosek
Dimitar, this is actually a very good question. Our team have been discussing
the best way to back up and restore a FreeIPA infrastructure for some time. In
FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are
evaluating, but we still think that the best way to back up and restore may be
simply creating replicas and/or system snapshots.

You can read full details in this article:

http://www.freeipa.org/page/Backup_and_Restore

Feedback welcome,
Martin

On 01/23/2014 05:03 PM, Dimitar Georgievski wrote:
> In my case DNS is not an issue, FreeIPA is integrated with existing DNS
> servers.
> 
> The above procedure would work for migrating the user's data to a new IPA
> server that has a new host name. What if I would like to restore the
> original IPA server ? Could I repeat the above steps with the exception of
>  #4, in which I would restore backed-up certificates and keytab files. This
> should avoid the need to regenerate them, no?
> 
> In short how would you perform a full back-up and restore of the Primary
> IPA server?  I understand this is not a trivial task for the IPA server and
> from what I've learned it is probably not fully supported in the current
> ver 3.x
> 
> 
> Thanks,
> 
> Dimitar
> 
> 
> 
> On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek wrote:
> 
>> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>>> Would you use ldapmodify -f file-name-with-exported-data to import the
>>>> data back to a new copy of FreeIPA?
>>>
>>> No, that generally won't work. There's more to IPA than the data in LDAP.
>>> Instead of copying data you should install the new server as a replica of the
>>> old one.
>>
>> That would give you FreeIPA with the same domain, realm or certificate subject
>> name.
>>
>> If you want to start with different settings, I would recommend:
>>
>> 1) Installing new IPA server
>> 2) Using "ipa migrate-ds" command to migrate users and groups
>> 3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
>> in the LDIF file to use correct SUFFIX if the realm changed)
>> 4) For all hosts - unenroll and enroll again against the new IPA. This is
>> needed to regenerate the new certificates or host keytab
>> HTH,
>> Martin
>>
> 



Re: [Freeipa-users] Export data

2014-01-23 Thread Dimitar Georgievski
In my case DNS is not an issue, FreeIPA is integrated with existing DNS
servers.

The above procedure would work for migrating the user's data to a new IPA
server that has a new host name. What if I would like to restore the
original IPA server ? Could I repeat the above steps with the exception of
 #4, in which I would restore backed-up certificates and keytab files. This
should avoid the need to regenerate them, no?

In short how would you perform a full back-up and restore of the Primary
IPA server?  I understand this is not a trivial task for the IPA server and
from what I've learned it is probably not fully supported in the current
ver 3.x


Thanks,

Dimitar



On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek wrote:

> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
> > On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
> >> Would you use ldapmodify -f file-name-with-exported-data to import the
> >> data back to a new copy of FreeIPA?
> >
> > No, that generally won't work. There's more to IPA than the data in LDAP.
> > Instead of copying data you should install the new server as a replica of the
> > old one.
>
> That would give you FreeIPA with the same domain, realm or certificate subject
> name.
>
> If you want to start with different settings, I would recommend:
>
> 1) Installing new IPA server
> 2) Using "ipa migrate-ds" command to migrate users and groups
> 3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
> in the LDIF file to use correct SUFFIX if the realm changed)
> 4) For all hosts - unenroll and enroll again against the new IPA. This is
> needed to regenerate the new certificates or host keytab
>
> HTH,
> Martin
>

Re: [Freeipa-users] Export data

2014-01-22 Thread Martin Kosek
On 01/22/2014 06:57 PM, Petr Viktorin wrote:
> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>> Would you use ldapmodify -f file-name-with-exported-data to import the
>> data back to a new copy of FreeIPA?
> 
> No, that generally won't work. There's more to IPA than the data in LDAP.
> Instead of copying data you should install the new server as a replica of the
> old one.

That would give you FreeIPA with the same domain, realm or certificate subject
name.

If you want to start with different settings, I would recommend:

1) Installing new IPA server
2) Using "ipa migrate-ds" command to migrate users and groups
3) Use the ldapsearch&ldapmodify to migrate DNS (you may need to change the DN
in the LDIF file to use correct SUFFIX if the realm changed)
4) For all hosts - unenroll and enroll again against the new IPA. This is
needed to regenerate the new certificates or host keytab

HTH,
Martin
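
Step 3 above mentions changing the DN in the exported LDIF when the suffix differs on the new server. The following Python script is an added example, not part of the original message and not FreeIPA code: it rewrites the DN suffix of each entry and handles the folded lines and base64 "dn::" values that ldapsearch output can contain, which a plain text substitution would miss. The new suffix, the sample entries and the function names are constructed for illustration, and DNs are assumed to be written without spaces after the commas.

```python
import base64

OLD_SUFFIX = "dc=example,dc=com"    # suffix used in the thread's commands
NEW_SUFFIX = "dc=newrealm,dc=test"  # constructed suffix of the new server

# Constructed sample of `ldapsearch -LLL` output for the cn=dns container.
# The second DN is folded across two lines; the third is base64 ("dn::").
SAMPLE_LDIF = (
    "dn: idnsname=example.com,cn=dns,dc=example,dc=com\n"
    "objectClass: idnsZone\n"
    "idnsName: example.com\n"
    "\n"
    "dn: idnsname=host-with-a-long-name-01,idnsname=example.com,cn=dns,dc=exampl\n"
    " e,dc=com\n"
    "aRecord: 192.0.2.10\n"
    "\n"
    "dn:: " + base64.b64encode(
        u"idnsname=caf\u00e9,idnsname=example.com,cn=dns,dc=example,dc=com".encode("utf-8")
    ).decode("ascii") + "\n"
    "aRecord: 192.0.2.11\n"
)


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def decode_dn(line):
    """Return the DN held by a 'dn:' or base64 'dn::' line, or None for other lines."""
    lowered = line.lower()
    if lowered.startswith("dn::"):
        return base64.b64decode(line[4:].strip()).decode("utf-8")
    if lowered.startswith("dn:"):
        return line[3:].strip()
    return None


def encode_dn(dn):
    """Emit a plain 'dn:' line for ASCII DNs and a base64 'dn::' line otherwise."""
    try:
        dn.encode("ascii")
        return "dn: " + dn
    except UnicodeEncodeError:
        return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def rebase_ldif(ldif_text, old_suffix, new_suffix):
    """Replace old_suffix with new_suffix at the end of every entry DN."""
    out = []
    for line in unfold(ldif_text):
        dn = decode_dn(line)
        if dn is None:
            out.append(line)          # attribute lines and separators pass through
        elif dn.lower() == old_suffix.lower():
            out.append(encode_dn(new_suffix))
        elif dn.lower().endswith("," + old_suffix.lower()):
            out.append(encode_dn(dn[: len(dn) - len(old_suffix)] + new_suffix))
        else:
            out.append(encode_dn(dn))  # DN outside the old suffix: left as it was
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rebase_ldif(SAMPLE_LDIF, OLD_SUFFIX, NEW_SUFFIX))
```

Only entry DNs are rewritten; attribute values that themselves hold DNs are left untouched, and the output is written unfolded.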



Re: [Freeipa-users] Export data

2014-01-22 Thread Petr Viktorin

On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:

Would you use ldapmodify -f file-name-with-exported-data to import the
data back to a new copy of FreeIPA?


No, that generally won't work. There's more to IPA than the data in LDAP.
Instead of copying data you should install the new server as a replica 
of the old one.




Thanks

Dimitar


On Wed, Jan 22, 2014 at 8:52 AM, Petr Spacek <pspa...@redhat.com> wrote:

On 22.1.2014 14:40, Rob Crittenden wrote:

Martin Kosek wrote:

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:

Hi guys,

I'm trying to get a dump of all users, hosts and DNS
entries from IPA so
we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was
hoping someone
can give some hints on how best to do this please.


You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Be aware that there are some search limits too, both in size and
time. Some of
this is configurable from the client side, some on the server.


You can use standard zone transfer for DNS:

See
https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html





--
Petr³



Re: [Freeipa-users] Export data

2014-01-22 Thread Dimitar Georgievski
Would you use ldapmodify -f file-name-with-exported-data to import the data
back to a new copy of FreeIPA?

Thanks

Dimitar


On Wed, Jan 22, 2014 at 8:52 AM, Petr Spacek wrote:

> On 22.1.2014 14:40, Rob Crittenden wrote:
>
>> Martin Kosek wrote:
>>
>>> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>>>
>>>> Hi guys,
>>>>
>>>> I'm trying to get a dump of all users, hosts and DNS entries from IPA so
>>>> we can run scripts/Puppet against them.
>>>>
>>>> Tried searching for it but cannot find anything, so was hoping someone
>>>> can give some hints on how best to do this please.
>>>>
>>>
>>> You can either export them via ldapsearch:
>>>
>>> $ kinit admin
>>> $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>>>
>>>
>>> ... or write a Python script to do what you want. Very simple example:
>>>
>>> $ kinit admin
>>> $ python
>>> >>> from ipalib import api
>>> >>> api.bootstrap()
>>> >>> api.finalize()
>>> >>> api.Backend.xmlclient.connect()
>>> >>> users = api.Command.user_find()
>>> >>> for user in users['result']:
>>> ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>>> ...
>>> admin:191360:191360
>>> tuser:191361:191361
>>>
>>
>> Be aware that there are some search limits too, both in size and time. Some of
>> this is configurable from the client side, some on the server.
>>
>
> You can use standard zone transfer for DNS:
>
> See
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html
>
> --
> Petr^2 Spacek
>
>
>

Re: [Freeipa-users] Export data

2014-01-22 Thread Petr Spacek

On 22.1.2014 14:40, Rob Crittenden wrote:

Martin Kosek wrote:

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:

Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so
we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone
can give some hints on how best to do this please.



You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Be aware that there are some search limits too, both in size and time. Some of
this is configurable from the client side, some on the server.


You can use standard zone transfer for DNS:

See
https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html

--
Petr^2 Spacek



Re: [Freeipa-users] Export data

2014-01-22 Thread Rob Crittenden

Martin Kosek wrote:

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:

Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so
we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone
can give some hints on how best to do this please.



You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Be aware that there are some search limits too, both in size and time. 
Some of this is configurable from the client side, some on the server.


rob



Re: [Freeipa-users] Export data

2014-01-22 Thread Martin Kosek
On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
> Hi guys,
> 
> I'm trying to get a dump of all users, hosts and DNS entries from IPA so
> we can run scripts/Puppet against them.
> 
> Tried searching for it but cannot find anything, so was hoping someone
> can give some hints on how best to do this please.
> 

You can either export them via ldapsearch:

$ kinit admin
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'


... or write a Python script to do what you want. Very simple example:

$ kinit admin
$ python
>>> from ipalib import api
>>> api.bootstrap()
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>> users = api.Command.user_find()
>>> for user in users['result']:
...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
...
admin:191360:191360
tuser:191361:191361


Martin



[Freeipa-users] Export data

2014-01-22 Thread Choudhury, Suhail
Hi guys,

I'm trying to get a dump of all users, hosts and DNS entries from IPA so
we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone
can give some hints on how best to do this please.

-- 
Regards,
Suhail.
DevOps(Recs), BSkyB.




