[Freeipa-users] export entire ldap/kerberos/etc onto a new host

Dmitri Pal dpal at redhat.com
Wed Feb 2 19:13:50 UTC 2011 

On 02/02/2011 12:30 PM, Ian Stokes-Rees wrote:
>>> So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0
>>> and you can't go from 2.0 beta-1 to 2.0 beta-2?
>>>
>>> So why would I want to use a product like that?
>> Upgrades will be possible within stable releases.
>>
>> Handling upgrades in development versions would cost too much
>> development time w/o any real benefit as schema and DIT will be fixed
>> in stone once 2.0 final will be released.
>>
>> Alpha and Beta release are not meant for production but only for
>> testing environments.
> Hi,
>
> I'm part of the same team that is stuck in this situation.  I think you
> guys (FreeIPA team) need to make it really clear to current adopters
> that they are going to have to start from scratch if they go with the
> current v2 releases (1.9, 2.0-beta, etc.) and want to "upgrade" later.

It is our mistake that we did not realize that there is an expectation
that there will be an easy migration between alphas and betas. We always
thought of them as of preparation steps for the actual release and that
none would try to use them in producution or load data that would be
someothing other than a test set. So expectation was that no migration
would be needed.
This is why your situation caught us by surprise. I guess you had a lot
of faith in the project and this is great. I also completely understand
your frustration and desire to abandon it in the current situation.  I
think it would be mutually beneficial to avoid that and find a solution
that would help you to move on.
Yes you are ideal testers and we want to continue working with you. We
also ask for understanding that such migration requirement was not
expected on our side. We reinstall the system every day and run tests
with new functionality on a fresh system. During last month between
previous beta the team addressed more than 200 issues across the whole
project. Some major issues have been addressed that required schema
changes. We are planning to release IPA beta2 today or tomorrow this is
why we are little bit less responsive than we want to be. But this is
all lyrics.    

The main issue with the migration between betas (as in any case) is
passwords and keys.
Simo knows the details but in a nutshell the problem is that if you dump
and load the LDIF (even if you adjust the records to accommodate schema
changes manually) your keys would not match. You need to carry the
master key over and may be more than that. We need to sit down and think
through the recommendations for a manual procedure like this. We will
try to do it ASAP but given that we are releasing any day now it is not
realistic to expect it happening today.

Can this wait till next week? If not it would be a real pity. We are
working hard to deliver the project to research groups like yours and we
will do our best to help you to migrate your data forward.

To reduce the scope of the effort let me recap the goal:
1) You want to install IPA and load the users (is there anything else?)
from the previous installation and abandon the old installation
2) You do not want to loose passwords
3) You are Ok with manual procedure
4) You are Ok to try different approaches (some of which might not work
out) and work with us on formulating a procedure that would help other
deployments like yours to overcome this situation.

Again sorry for all the trouble. If we knew the requirement to be able
to migrate between betas earlier we might have done some things differently.
Hope to find understanding on your side and willingness to work with us
on a solution.

Thank you
Dmitri          


> Of course there is no definition of what "beta" means, but really I
> think we're your *ideal* beta testers and you should put in some effort
> to make it possible for us to use the beta releases of FreeIPA.  We are
> a research computing group, so our service level standards are "we can
> live with a 24-36 hours of down time M-F every couple of months, and 1
> week of down time every year".  We have a handful of real users, want to
> integrate apache httpd into using LDAP, want to utilize the web i/f for
> account management, use FreeIPA for NFS mounts, "real" X.509
> certificates, etc.  Even if an automated/smooth transition between beta
> versions or from beta to final release is impossible, then some guidance
> on strategies to transition systems "manually" (and a very rough
> estimate of the time commitment to do that) would be useful.
>
> I wish I understood LDAP better, but I don't see why we cant just dump
> the current FreeIPA LDIF files, tweak the entries as necessary, and
> import them to the latest version of FreeIPA.
>
> We're pretty close right now (as in, the next 4-24 hours) of abandoning
> FreeIPA, so some encouraging words on this front could make a difference
> and keep us with you.
>
> Ian
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110202/e7d25e02/attachment.htm>

More information about the Freeipa-users mailing list