Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/20/2014 11:12 AM, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 20.1.2014 12:27, Petr Spacek wrote:
>>> On 20.1.2014 09:21, Martin Kosek wrote:
>>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>>> Les Stott wrote:
>>>>>>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>>>>>>
>>>>>>> Is there a way to avoid this?
>>>>>>>
>>>>>>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>>>>>>
>>>>>> No. The Kerberos master keys are different.
>>>>>
>>>>> Unless you want to copy master keys over.
>>>>> This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.
>>>>>
>>>>> Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.
>>>>
>>>> We have an RFE open for that feature already:
>>>> https://fedorahosted.org/freeipa/ticket/3656
>>>>
>>>> I added a reference to this discussion on the list. Contributions or other ideas are very welcome!
>>>
>>> It sounds like creating a new replica and then disconnecting the new replica from the old replica.
>>>
>>> This procedure will copy all keys etc., so be sure you understand the security implications for your environment! (Who can get root access to the old environment? Who can get root access to the new environment? What will you do if one of them was compromised...?)
>>
>> I should clarify this:
>>
>> Maybe we could provide a tool for FreeIPA domain rename, so you can create a replica, disconnect the replica and then rename the FreeIPA domain to something else (renaming would include master-key regeneration etc.).
>>
>> This solves two problems at once:
>> - FreeIPA-to-FreeIPA migration
>> - FreeIPA domain renaming
>
> There could be some weird side-effects. The certificate subject base is not changeable post-install so you could end up issuing certs with the subject of the old realm.
>
> rob

There is a set of tickets to be able to change the chaining and rename the root CA. Once this is available I guess we would need to call that too to change the subject and chaining.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export users/groups from one ipa server to another
Petr Spacek wrote:
> On 20.1.2014 12:27, Petr Spacek wrote:
>> On 20.1.2014 09:21, Martin Kosek wrote:
>>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>>> Les Stott wrote:
>>>>>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>>>>>
>>>>>> Is there a way to avoid this?
>>>>>>
>>>>>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>>>>>
>>>>> No. The Kerberos master keys are different.
>>>>
>>>> Unless you want to copy master keys over.
>>>> This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.
>>>>
>>>> Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.
>>>
>>> We have an RFE open for that feature already:
>>> https://fedorahosted.org/freeipa/ticket/3656
>>>
>>> I added a reference to this discussion on the list. Contributions or other ideas are very welcome!
>>
>> It sounds like creating a new replica and then disconnecting the new replica from the old replica.
>>
>> This procedure will copy all keys etc., so be sure you understand the security implications for your environment! (Who can get root access to the old environment? Who can get root access to the new environment? What will you do if one of them was compromised...?)
>
> I should clarify this:
>
> Maybe we could provide a tool for FreeIPA domain rename, so you can create a replica, disconnect the replica and then rename the FreeIPA domain to something else (renaming would include master-key regeneration etc.).
>
> This solves two problems at once:
> - FreeIPA-to-FreeIPA migration
> - FreeIPA domain renaming

There could be some weird side-effects. The certificate subject base is not changeable post-install so you could end up issuing certs with the subject of the old realm.

rob
Re: [Freeipa-users] export users/groups from one ipa server to another
On 20.1.2014 12:27, Petr Spacek wrote:
> On 20.1.2014 09:21, Martin Kosek wrote:
>> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>>> Les Stott wrote:
>>>>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>>>>
>>>>> Is there a way to avoid this?
>>>>>
>>>>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>>>>
>>>> No. The Kerberos master keys are different.
>>>
>>> Unless you want to copy master keys over.
>>> This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.
>>>
>>> Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.
>>
>> We have an RFE open for that feature already:
>> https://fedorahosted.org/freeipa/ticket/3656
>>
>> I added a reference to this discussion on the list. Contributions or other ideas are very welcome!
>
> It sounds like creating a new replica and then disconnecting the new replica from the old replica.
>
> This procedure will copy all keys etc., so be sure you understand the security implications for your environment! (Who can get root access to the old environment? Who can get root access to the new environment? What will you do if one of them was compromised...?)

I should clarify this:

Maybe we could provide a tool for FreeIPA domain rename, so you can create a replica, disconnect the replica and then rename the FreeIPA domain to something else (renaming would include master-key regeneration etc.).

This solves two problems at once:
- FreeIPA-to-FreeIPA migration
- FreeIPA domain renaming

-- 
Petr^2 Spacek
Re: [Freeipa-users] export users/groups from one ipa server to another
On 20.1.2014 09:21, Martin Kosek wrote:
> On 01/17/2014 11:06 PM, Dmitri Pal wrote:
>> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>>> Les Stott wrote:
>>>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>>>
>>>> Is there a way to avoid this?
>>>>
>>>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>>>
>>> No. The Kerberos master keys are different.
>>
>> Unless you want to copy master keys over.
>> This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.
>>
>> Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.
>
> We have an RFE open for that feature already:
> https://fedorahosted.org/freeipa/ticket/3656
>
> I added a reference to this discussion on the list. Contributions or other ideas are very welcome!

It sounds like creating a new replica and then disconnecting the new replica from the old replica.

This procedure will copy all keys etc., so be sure you understand the security implications for your environment! (Who can get root access to the old environment? Who can get root access to the new environment? What will you do if one of them was compromised...?)

-- 
Petr^2 Spacek
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 11:06 PM, Dmitri Pal wrote:
> On 01/17/2014 03:59 PM, Rob Crittenden wrote:
>> Les Stott wrote:
>>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>>
>>> Is there a way to avoid this?
>>>
>>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>>
>> No. The Kerberos master keys are different.
>
> Unless you want to copy master keys over.
> This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.
>
> Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.

We have an RFE open for that feature already:
https://fedorahosted.org/freeipa/ticket/3656

I added a reference to this discussion on the list. Contributions or other ideas are very welcome!

Martin
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/20/2014 09:51 AM, Les Stott wrote:
> Thanks Martin.
>
> ipa migrate-ds worked a treat. I'll get users to login to an ipa client so that it generates the Kerberos hash (like I had to originally).
>
> For reference I did have to specify the correct containers for users and groups...
>
> ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://dr-ipa.mydomain.com:389
>
> I still would like a way to dump users out to a file, for backup purposes, such as an ldif file. If anyone has a script to do that I'd appreciate it.

Please refer to this link - http://documentation-devel.engineering.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Populating_Directory_Databases-Exporting_Data.html#Exporting_Data-Exporting_to_LDIF_from_the_Command_Line

Thanks,
-Sankar R

> Regards,
>
> Les
>
> -----Original Message-----
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Friday, 17 January 2014 6:46 PM
> To: Les Stott; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] export users/groups from one ipa server to another
>
> On 01/17/2014 07:24 AM, Les Stott wrote:
>> Hi All,
>>
>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>
>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>>
>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>
>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>
>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>
>> Thanks in advance,
>>
>> Les
>
> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.
>
> Martin
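Les asks above for a way to dump users to an LDIF file for backup, and Martin's first reply suggests leaving the Kerberos-related attributes and objectclasses behind when the other side is a different realm. What follows is an added example, not code from the thread or from FreeIPA: it parses an LDIF dump (as produced by db2ldif per the Directory Server link, or by an ldapsearch bound as Directory Manager so that userPassword is included), drops the attributes that are only meaningful under the source KDC's master key, rewrites the realm in krbPrincipalName and the base DN in DN-valued attributes, and writes LDIF back out. The attribute lists, the DR.MYDOMAIN.COM and MYDOMAIN.COM names, the dc=dr,dc=mydomain,dc=com base DN and the two sample entries are this example's assumptions; in Les's case both sides are the same domain, so the rewrite is a no-op and only the stripping of krbPrincipalKey and its neighbours applies.

```python
"""Filter a FreeIPA user/group LDIF dump for loading into a second IPA server.
Added example (not from the thread or FreeIPA); attribute lists are assumptions."""
import base64, re

# Bound to the source KDC's master key or login history, so useless on another
# server; with migration mode on, that server regenerates keys at first bind.
REALM_BOUND = {"krbprincipalkey", "krbextradata", "krblastpwdchange",
               "krbpasswordexpiration", "krblastsuccessfulauth",
               "krblastfailedauth", "krbloginfailedcount", "krbpwdpolicyreference"}
# Operational or plugin-maintained; 389-ds recomputes them on add.
SERVER_MANAGED = {"entryusn", "nsuniqueid", "creatorsname", "modifiersname",
                  "createtimestamp", "modifytimestamp", "memberof"}
PRINCIPALS = {"krbprincipalname", "krbcanonicalname"}  # values end in @REALM
DN_VALUED = {"member", "uniquemember", "manager"}      # values end in the base DN

def parse_ldif(text):
    """Return [(dn, [(attr, bytes), ...])] from LDIF text (RFC 2849 subset)."""
    lines = []                                  # unfold continuations, drop comments
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    entries, dn, attrs = [], None, []
    for line in lines + [""]:                   # the final "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                # "attr:: <base64>" for binary/UTF-8
            value = base64.b64decode(rest[1:].strip())
        else:                                   # "attr: <safe string>"
            value = (rest[1:] if rest.startswith(" ") else rest).encode("utf-8")
        if dn is not None:
            attrs.append((name, value))
        elif name.lower() == "dn":
            dn = value.decode("utf-8")
        elif name.lower() != "version":
            raise ValueError("entry must start with dn: %r" % line)
    return entries

def _swap_suffix(value, old, new):
    """Case-insensitively replace a trailing realm or base DN; else unchanged."""
    text = value.decode("utf-8")
    if text.lower().endswith(old.lower()):
        text = text[:len(text) - len(old)] + new
    return text.encode("utf-8")

def make_portable(entries, old_realm, new_realm, old_base, new_base):
    """Drop realm-bound and server-managed attributes; move realm and base DN."""
    out = []
    for dn, attrs in entries:
        kept = []
        for name, value in attrs:
            key = name.lower()
            if key in REALM_BOUND or key in SERVER_MANAGED:
                continue
            if key in PRINCIPALS:
                value = _swap_suffix(value, "@" + old_realm, "@" + new_realm)
            elif key in DN_VALUED:
                value = _swap_suffix(value, old_base, new_base)
            kept.append((name, value))
        new_dn = _swap_suffix(dn.encode("utf-8"), old_base, new_base).decode("utf-8")
        out.append((new_dn, kept))
    return out

# RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'.
_SAFE = re.compile(rb"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*\Z")

def to_ldif(entries):
    """Serialise entries; anything that is not a SAFE-STRING goes out as base64."""
    def line(name, value):
        if value and _SAFE.match(value) and not value.endswith(b" "):
            return "%s: %s" % (name, value.decode("ascii"))
        return "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))
    blocks = ["\n".join([line("dn", dn.encode("utf-8"))] + [line(n, v) for n, v in attrs])
              for dn, attrs in entries]
    return "version: 1\n\n" + "\n\n".join(blocks) + "\n"

SAMPLE_LDIF = """\
# constructed sample of a db2ldif / Directory Manager ldapsearch dump, not real data
dn: uid=les,cn=users,cn=accounts,dc=dr,dc=mydomain,dc=com
objectClass: krbprincipalaux
uid: les
cn: Les Stott
userPassword: {SSHA}c2FsdGVkLWhhc2gtZ29lcy1oZXJl
krbPrincipalName: les@DR.MYDOMAIN.COM
krbPrincipalKey:: b3BhcXVlLWtl
 eS1ibG9i
memberOf: cn=dr-admins,cn=groups,cn=accounts,dc=dr,dc=mydomain,dc=com

dn: cn=dr-admins,cn=groups,cn=accounts,dc=dr,dc=mydomain,dc=com
cn: dr-admins
member: uid=les,cn=users,cn=accounts,dc=dr,dc=mydomain,dc=com
"""
if __name__ == "__main__":
    print(to_ldif(make_portable(parse_ldif(SAMPLE_LDIF), "DR.MYDOMAIN.COM", "MYDOMAIN.COM",
                                "dc=dr,dc=mydomain,dc=com", "dc=mydomain,dc=com")), end="")
```

Load the output with ldapadd bound as cn=Directory Manager so that the existing userPassword hashes are accepted as they are, then enable migration mode as Rob describes (ipa config-mod --enable-migration=true) so that each user's first password bind generates Kerberos keys on the new server, and set it back to false once everyone has logged in, since migration mode exists only to let the server see the plaintext password at bind time. The LDIF file carries password hashes, so keep it mode 0600 and delete it after the import.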
Re: [Freeipa-users] export users/groups from one ipa server to another
Thanks Martin.

ipa migrate-ds worked a treat. I'll get users to login to an ipa client so that it generates the Kerberos hash (like I had to originally).

For reference I did have to specify the correct containers for users and groups...

ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --with-compat ldap://dr-ipa.mydomain.com:389

I still would like a way to dump users out to a file, for backup purposes, such as an ldif file. If anyone has a script to do that I'd appreciate it.

Regards,

Les

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Friday, 17 January 2014 6:46 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

On 01/17/2014 07:24 AM, Les Stott wrote:
> Hi All,
>
> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>
> The two environments will not be configured to talk to each other. They will both have their own replicas.
>
> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>
> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>
> Thanks in advance,
>
> Les

I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.

Martin
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 03:59 PM, Rob Crittenden wrote:
> Les Stott wrote:
>>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>>
>> Is there a way to avoid this?
>>
>> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?
>
> No. The Kerberos master keys are different.

Unless you want to copy master keys over.
This is a complex manual procedure. You can probably find it in the archives as we helped people with it a couple of times but it is not recommended.

Maybe we should open an RFE to develop a tool that would do ipa-migrate-ipa and can be used to move data from POC to production.

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] export users/groups from one ipa server to another
Les Stott wrote:
>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>
> Is there a way to avoid this?
>
> I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?

No. The Kerberos master keys are different.

rob
Re: [Freeipa-users] export users/groups from one ipa server to another
> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.

Is there a way to avoid this?

I had to do that for importing shadow files originally in DR. Now I'm going from freeipa to freeipa. If I export Kerberos attributes will that avoid users having to regenerate the Kerberos credentials?

Thanks,

Les

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Saturday, January 18, 2014 1:36 AM
To: Martin Kosek; Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

Martin Kosek wrote:
> On 01/17/2014 07:24 AM, Les Stott wrote:
>> Hi All,
>>
>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>
>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>>
>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>
>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>
>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>
>> Thanks in advance,
>>
>> Les
>
> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.

Kerberos attributes are already excluded by default.

You'll need to enable password migration mode on the production IPA server, ipa config-mod --enable-migration=true

The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.

rob
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 03:58 PM, Dmitri Pal wrote:
> On 01/17/2014 09:36 AM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>>> Hi All,
>>>>
>>>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>>>
>>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>>>>
>>>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>>>
>>>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>>>
>>>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>>>
>>>> Thanks in advance,
>>>>
>>>> Les
>>>
>>> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.
>>
>> Kerberos attributes are already excluded by default.
>>
>> You'll need to enable password migration mode on the production IPA server, ipa config-mod --enable-migration=true
>>
>> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.
>
> If users authenticate using SSSD.

If they do not use SSSD, they can also use a special page for password migration:

https://ipa.example.com/ipa/migration/

Martin
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 09:36 AM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/17/2014 07:24 AM, Les Stott wrote:
>>> Hi All,
>>>
>>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>>
>>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>>>
>>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>>
>>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>>
>>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>>
>>> Thanks in advance,
>>>
>>> Les
>>
>> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.
>
> Kerberos attributes are already excluded by default.
>
> You'll need to enable password migration mode on the production IPA server, ipa config-mod --enable-migration=true
>
> The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.

If users authenticate using SSSD.

> rob

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] export users/groups from one ipa server to another
Martin Kosek wrote:
> On 01/17/2014 07:24 AM, Les Stott wrote:
>> Hi All,
>>
>> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>>
>> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>>
>> The two environments will not be configured to talk to each other. They will both have their own replicas.
>>
>> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>>
>> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>>
>> Thanks in advance,
>>
>> Les
>
> I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.
>
> Martin

Kerberos attributes are already excluded by default.

You'll need to enable password migration mode on the production IPA server, ipa config-mod --enable-migration=true

The first time your migrated production users authenticate with their password their Kerberos credentials will be generated.

rob
Re: [Freeipa-users] export users/groups from one ipa server to another
Petr, Martin, thanks for the suggestions, I will try next week.

FYI... it will be the same domain so I'll have a look at "ipa migrate-ds".

Regards,

Les

From: Martin Kosek [mko...@redhat.com]
Sent: Friday, January 17, 2014 6:46 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] export users/groups from one ipa server to another

On 01/17/2014 07:24 AM, Les Stott wrote:
> Hi All,
>
> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>
> The two environments will not be configured to talk to each other. They will both have their own replicas.
>
> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>
> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>
> Thanks in advance,
>
> Les

I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.

Martin
Re: [Freeipa-users] export users/groups from one ipa server to another
On 01/17/2014 07:24 AM, Les Stott wrote:
> Hi All,
>
> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>
> The two environments will not be configured to talk to each other. They will both have their own replicas.
>
> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>
> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?
>
> Thanks in advance,
>
> Les

I think the best way would be to use the "ipa migrate-ds" command. It should work both with stand alone Directory Servers and IPA too. You may just need to play with --userignoreobjectclass and --userignoreattribute to not migrate Kerberos related attributes and objectclasses if for example your other DS has a different realm.

Martin
Re: [Freeipa-users] export users/groups from one ipa server to another
On 17.1.2014 07:24, Les Stott wrote:
> Hi All,
>
> Looking for the quickest and easiest way to export users from one freeipa server and install on another.
>
> I have an existing freeipa server, 3.0.0 standard rhel6 in a DR environment. I am setting up an identical freeipa server in a Production Environment.
>
> The two environments will not be configured to talk to each other. They will both have their own replicas.
>
> I simply want to export the users and groups I created in freeipa in DR, and import them (preserving details and passwords) into the freeipa server in Production.
>
> What is the recommendation? Is there an ipa tool? Or will ldif exports suffice?

IMHO you can create a replica (including CA and DNS if you have CA and DNS on the original master) and then disconnect this new replica from the original master and move it to production.

-- 
Petr^2 Spacek