Re: [Freeipa-users] Import LDIF file to FreeIPA

2009-10-20 Thread Dmitri Pal
Rob Crittenden wrote:
> Michael Kang wrote:
>> Dear all,
>>
>> I got an LDIF file which is exported from Fedora 389 Directory Server.
>> I want to import that user info into FreeIPA. What should I do? I
>> just need the group, username and passwd information which is exported
>> from another Fedora 389 Directory Server.
>
> You won't be able to import it without some changes. You'll need to
> match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin
> with. You'll probably want to update the objectclasses in each user
> entry as well to include: top, organizationalperson, inetorgperson,
> inetuser, posixaccount and krbprincipalaux.
>
> You'll need to set krbprincipalname to u...@realm in each user entry.
>
> The existing userPassword entry can be imported but you won't have
> usable kerberos credentials (it will probably generate keys but it
> will use the pre-hashed password so the keys will be unusable).
>
> As you can see, directly importing the LDIF would be quite a bit of work.
>
>> As far as I considered, I need to write a shell script to read user
>> names from the LDIF file and use the ipa-useradd command to achieve my goal.
>
> This is probably a better way, you'll just need to set a password on
> each user. The first time the user logs in they will need to reset the
> password (so only they know it).
>

If you can create a script that invokes the IPA CLI (like ipa-adduser),
that would be the best.
In this case you do not need to worry about any schema differences.


>> FreeIPA also uses 389 DS. Can I use the 389-console Java platform to
>> manage FreeIPA?
>
> This is not recommended. Someone figured out how to do this at one
> point and posted instructions to either freeipa-devel or
> freeipa-users; I can't recall at this point.
>
> It isn't recommended because you can easily create users outside of
> the IPA DIT, create non-posix users, etc. It will probably end up
> causing more problems in the long-run. We recommend using the IPA tools.
>
> rob
> 
>
> ___
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.





Re: [Freeipa-users] Import LDIF file to FreeIPA

2009-10-20 Thread Rob Crittenden

Michael Kang wrote:
> Dear all,
>
> I got an LDIF file which is exported from Fedora 389 Directory Server. I
> want to import that user info into FreeIPA. What should I do? I just
> need the group, username and passwd information which is exported from
> another Fedora 389 Directory Server.

You won't be able to import it without some changes. You'll need to
match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin
with. You'll probably want to update the objectclasses in each user
entry as well to include: top, organizationalperson, inetorgperson,
inetuser, posixaccount and krbprincipalaux.

You'll need to set krbprincipalname to u...@realm in each user entry.

The existing userPassword entry can be imported but you won't have
usable kerberos credentials (it will probably generate keys but it will
use the pre-hashed password so the keys will be unusable).

As you can see, directly importing the LDIF would be quite a bit of work.

> As far as I considered, I need to write a shell script to read user names
> from the LDIF file and use the ipa-useradd command to achieve my goal.

This is probably a better way, you'll just need to set a password on
each user. The first time the user logs in they will need to reset the
password (so only they know it).

> FreeIPA also uses 389 DS. Can I use the 389-console Java platform to
> manage FreeIPA?

This is not recommended. Someone figured out how to do this at one point
and posted instructions to either freeipa-devel or freeipa-users; I
can't recall at this point.

It isn't recommended because you can easily create users outside of the
IPA DIT, create non-posix users, etc. It will probably end up causing
more problems in the long-run. We recommend using the IPA tools.

rob


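Rob's sketch of what a direct LDIF import needs (an IPA-shaped DN, the objectClass set he lists, a krbPrincipalName of user@REALM, and the caveat that an imported userPassword gives no usable Kerberos keys), as an added example that is not code from the thread or from FreeIPA: a small Python rewriter for exported user entries. The user container DN, the realm and the sample entry are assumptions; the MUST attributes it checks before rewriting are those of the person and posixAccount schema, which Rob's message does not spell out.

```python
import base64

# objectClasses Rob lists for an IPA user entry
IPA_USER_OBJECTCLASSES = ["top", "organizationalperson", "inetorgperson",
                          "inetuser", "posixaccount", "krbprincipalaux"]
# MUST attributes of the person/posixAccount schema; an add without them is rejected
REQUIRED_ATTRS = ["cn", "sn", "uid", "uidNumber", "gidNumber", "homeDirectory"]
# constructed sample entry in the shape of a 389 DS export (not from the thread)
SAMPLE_LDIF = """dn: uid=jdoe,ou=People,dc=old,dc=example
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
userPassword: {SSHA}constructed-hash-placeholder
"""

def parse_ldif(text):
    """Minimal LDIF parser: unfolds lines, decodes '::' base64 values, one (attr, value) list per entry."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8")
            entry.append((attr.strip(), value.strip()))
        entries.append(entry)
    return entries

def convert_user(entry, user_base, realm, keep_password=False):
    """Reshape one exported user for the IPA DIT: new DN, full objectClass set, krbPrincipalName."""
    names = {a.lower() for a, _ in entry}
    missing = [a for a in REQUIRED_ATTRS if a.lower() not in names]
    if missing:
        raise ValueError(f"entry lacks required attributes: {missing}")
    uid = next(v for a, v in entry if a.lower() == "uid")
    ocs = [v for a, v in entry if a.lower() == "objectclass"]
    ocs += [oc for oc in IPA_USER_OBJECTCLASSES if oc not in {o.lower() for o in ocs}]
    out = [("dn", f"uid={uid},{user_base}")] + [("objectClass", oc) for oc in ocs]
    skip = {"dn", "objectclass", "krbprincipalname"}
    if not keep_password:   # pre-hashed password would yield unusable Kerberos keys
        skip.add("userpassword")
    out += [(a, v) for a, v in entry if a.lower() not in skip]
    out.append(("krbPrincipalName", f"{uid}@{realm}"))
    return out
```

Users produced this way still need a password set through the IPA tools before their Kerberos credentials work, which is the point of Rob's remark about resetting on first login.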