[Freeipa-users] 389-ds to free-ipa transition; transparent?
Rob Crittenden
rcritten at redhat.com
Wed Aug 25 01:16:48 UTC 2010
Brian LaMere wrote:
> I have a multimaster 389-ds installation, and am considering migrating
> to ipa-server.
>
> http://freeipa.org/page/IPAv2_alpha2#Migration seems to be pretty clear
> that I'm out of luck, and that I need to do a completely clean install.
> Am I reading that correctly?
That's right. We have to configure a whole slew of services to work in
concert, so using an existing install would be extremely difficult at
best, even if the DIT was the same.
> Secondly, is multi-master on ipa as easy as it was for 389-ds?
Yes, if not easier. It is just 389-ds under the hood; we have some
simple management tools that create the agreements for you. Since we use
our own CA, SSL is easy as well.

What I would recommend is to set up a test IPA instance to get a feel
for how the data is stored, see how migrating users and groups would
work, etc. If you want to get really fancy you can add a master or two
to the mix.

Depending on your configuration, the data migration should be relatively
straightforward, but know that the IPA DIT is completely flat. All users
are in one container, groups in another, etc. Once the migration is done
there is a simple form to set up user Kerberos keys, then you should be
off to the races. The basic idea is that you authenticate using your
migrated LDAP password and this will automatically generate a Kerberos
key for the user.
regards
rob
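
The flat DIT mentioned in the reply above means that entries from different OUs can land on the same target DN. The following pre-migration check is an added example, not part of the original message or of FreeIPA's tooling. The container names `cn=users,cn=accounts` and `cn=groups,cn=accounts`, the `dc=example,dc=com` suffix and the sample entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the flat IPA containers under the directory suffix.
USERS = "cn=users,cn=accounts"
GROUPS = "cn=groups,cn=accounts"

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def flatten(entries, suffix):
    """Map (source_dn, kind) pairs onto flat target DNs.

    Returns (mapping, collisions): mapping holds target DNs with exactly
    one source entry; collisions holds target DNs claimed by several.
    """
    targets = defaultdict(list)
    for dn, kind in entries:
        # Assumption: the leftmost RDN value is the login or group name.
        _, _, value = split_dn(dn)[0].partition("=")
        if kind == "user":
            new_dn = f"uid={value},{USERS},{suffix}"
        else:
            new_dn = f"cn={value},{GROUPS},{suffix}"
        # DNs compare case-insensitively, so normalise before grouping.
        targets[new_dn.lower()].append(dn)
    mapping = {t: s[0] for t, s in targets.items() if len(s) == 1}
    collisions = {t: s for t, s in targets.items() if len(s) > 1}
    return mapping, collisions

# Constructed sample of a nested 389-ds tree (not real data).
SAMPLE = [
    ("uid=jsmith,ou=Engineering,ou=People,dc=example,dc=com", "user"),
    ("uid=JSmith,ou=Sales,ou=People,dc=example,dc=com", "user"),
    ("uid=alee,ou=Sales,ou=People,dc=example,dc=com", "user"),
    ("cn=admins,ou=Groups,dc=example,dc=com", "group"),
]

if __name__ == "__main__":
    mapping, collisions = flatten(SAMPLE, "dc=example,dc=com")
    for target, sources in collisions.items():
        print(f"COLLISION {target}: {sources}")
    for target, source in mapping.items():
        print(f"{source} -> {target}")
```

Colliding entries need to be renamed or merged in the source directory before the migration is attempted.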