
Re: [Freeipa-users] Import LDIF file to FreeIPA



Rob Crittenden wrote:
> Michael Kang wrote:
>> Dear all,
>>
>> I got an LDIF file which is exported from Fedora 389 Directory Server.
>> I want to import those user info into FreeIPA. What should I do? I
>> just need the group, username and passwd information which is exported
>> from another Fedora 389 Directory Server.
>
> You won't be able to import it without some changes. You'll need to
> match the IPA DIT (http://freeipa.org/page/UsingRhdsWithIpa) to begin
> with. You'll probably want to update the objectclasses in each user
> entry as well to include: top, organizationalperson, inetorgperson,
> inetuser, posixaccount and krbprincipalaux.
>
> You'll need to set krbprincipalname to uid@REALM in each user entry.
>
> The existing userPassword entry can be imported but you won't have
> usable kerberos credentials (it will probably generate keys but it
> will use the pre-hashed password so the keys will be unusable).
>
> As you can see, directly importing the LDIF would be quite a bit of work.
>
>> As far as I considered, I need to write a shell script to read user
>> name from LDIF file and use */ipa-useradd/* command to achieve my goal.
>
> This is probably a better way, you'll just need to set a password on
> each user. The first time the user logs in they will need to reset the
> password (so only they know it).
>

If you can create a script that invokes the IPA CLI, like ipa-adduser,
that would be the best.
In this case you do not need to worry about any schema differences.


>> FreeIPA also uses 389 ds. Can I use */389-console/* Java platform to
>> manage FreeIPA?
>
> This is not recommended. Someone figured out how to do this at one
> point and posted instructions to either freeipa-devel or
> freeipa-users, I can't recall at this point.
>
> It isn't recommended because you can easily create users outside of
> the IPA DIT, create non-posix users, etc. It will probably end up
> causing more problems in the long-run. We recommend using the IPA tools.
>
> rob


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
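
The scripted route discussed in this thread, as an added example that is not part of the original messages: it parses an LDIF export (folded lines and base64 values included), leaves userPassword behind, and prints IPA CLI commands for review instead of running them. It assumes the current `ipa user-add`, `ipa group-add` and `ipa group-add-member` syntax rather than the older `ipa-adduser` name used above; the sample LDIF and its DNs are constructed.

```python
import base64
import shlex

# Constructed sample export (not from the thread): one user, one group.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
givenName:: SsO2cmc=
sn: Doe
userPassword: {SSHA}constructed-placeholder

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=jdoe,ou=People,
 dc=example,dc=com
"""

def parse_ldif(text):
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split entries
        entry = {}
        for line in (l for l in block.splitlines() if l and not l.startswith("#")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                     # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def build_commands(entries):
    users, groups = [], []                  # users are emitted before group membership
    for e in entries:
        if "uid" in e:                      # user entry; userPassword is not carried over
            uid = e["uid"][0]
            first, last = e.get("givenname", [uid])[0], e.get("sn", [uid])[0]
            users.append(["ipa", "user-add", uid, "--first", first, "--last", last, "--random"])
        elif "cn" in e:                     # group entry
            cn = e["cn"][0]
            groups.append(["ipa", "group-add", cn, "--desc", cn])
            for dn in e.get("uniquemember", []) + e.get("member", []):
                if dn.lower().startswith("uid="):
                    groups.append(["ipa", "group-add-member", cn, "--users", dn.split(",")[0][4:]])
    return users + groups

if __name__ == "__main__":
    print("\n".join(shlex.join(c) for c in build_commands(parse_ldif(SAMPLE_LDIF))))
```

`--random` makes IPA generate a temporary password, so the pre-hashed userPassword value never reaches the new server and each user sets a fresh password at first login.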

