[Freeipa-users] migration plan from local accounts

Dmitri Pal dpal at redhat.com
Thu Jan 5 23:41:32 UTC 2012


On 01/05/2012 06:27 PM, Sylvain Angers wrote:
> Hi again, 
>
> by moving away from local account, to freeipa do we affect any of
> these numbers?: 
>
> -group name length limits
> -group membership limits
>
> or do they remain the same, i.e. under the limit of the local OS?
> On Linux, I believe there will still be a limitation of 16 IDs per
> group, right?

This is a very old limitation that has not been a problem for quite a while.
AFAIR, starting with AIX 5.3, AIX has a decent PAM stack and one can use
pam_ldap and nss_ldap with it.
5.2 does not have proper capabilities. What version do you use?

The limitations you are concerned about are really dictated by the
capabilities of the OS and client software.
AFAIK nss_ldap has no limit on the number of users in a group.
IPA assumes that there are no such limitations and allows any number of
users in a group.

> If anyone has some past experience with AIX, feel free to share with me
>
> I am really interested to hear about it
>
> Thank you!
>
> Sylvain Angers
>
> 2012/1/5 Dmitri Pal <dpal at redhat.com <mailto:dpal at redhat.com>>
>
>     On 01/05/2012 04:20 PM, Sylvain Angers wrote:
>>     Hello
>>
>>     We have a mixed environment of AIX and Linux servers.
>>     All our user accounts are still set locally - no NIS, and we do
>>     not have unique uid/gid across our hosts!!!
>>     I am evaluating the possibility of using Redhat
>>     Identity Management in our environment.
>>     I have to figure out what AIX will be able to support - we would
>>     at least want to be able to limit who could access what on AIX,
>>     so if you have dealt with AIX, let me know
>>
>>     but here my main question
>>
>>     My question is how do I deal with our current local users?
>
>     This is a tough one... The assumption was that some kind of
>     identity system is already in place.
>
>
>>     When user DAVE gets freeipa id 10000000567, do you have to chown
>>     every file he has on a local machine while he might have uid/gid
>>     501?
>
>
>     Yes.
>
>
>>
>>     I guess we will have to bite the bullet and have a unique id for
>>     every user - right?
>
>     Correct
>
>
>>     Is there a simple migration plan from local to freeipa?
>
>     You pretty much outlined it here. There is nothing better I know of.
>     Your user IDs are probably low enough that there is no overlap with
>     user IDs from IdM.
>
>
>>     do we have to migrate one account at a time, so if an account does
>>     not exist locally, it will check remote?
>
>     This is usually the case when you use files in the nsswitch.conf
>     first and then ldap or sss.
>     So logic would be:
>     1) Create a user in IdM with the same name as a local user (if it
>     does not already exist)
>     2) Find all files owned by local user and replace UID/GID with the
>     ones from IPA user with the same name
>     3) Remove local user
>     4) Repeat for all local users
>     5) Repeat on every machine
>
>     Step 1) might be a challenge from an AIX machine, so you might
>     consider creating a list of all users first, precreating the users
>     in IdM and then running a script that would do the rest on each of
>     the machines you need to convert.
>
>>
>>     I am missing the big picture
>>
>>     thanks in advance
>>     -- 
>>     Sylvain Angers
>>
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IPA project,
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>
>
>
>
> -- 
> Sylvain Angers
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.





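The per-host steps quoted above (check that nsswitch consults local files first, find the local user's files, re-own them to the IdM uid/gid, then remove the local account), as an added shell example that is not code from the thread or the IPA project. The mapping-file format, the DRY_RUN switch and the sample uid values are assumptions, and the find/chown invocations assume GNU or POSIX tools.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the per-host steps in
# the reply above. Mapping format, user names and UID values are constructed.
# Mapping file, one user per line:  name:old_uid:old_gid:new_uid:new_gid
# e.g.                                dave:501:501:10000000567:10000000567

# Confirm the passwd database consults local files before ldap/sss, so a user
# that still exists locally keeps resolving locally until it is removed.
# Returns 0 when "files" is the first passwd source in the given nsswitch.conf.
files_first() {
  first=$(sed -n 's/^passwd:[[:space:]]*\([^[:space:]]*\).*/\1/p' "${1:-/etc/nsswitch.conf}" | head -n 1)
  [ "$first" = "files" ]
}

# Step 2 helper: list files under a root owned by a numeric uid. POSIX find
# treats a numeric -user argument as a uid; -xdev keeps the walk on one
# filesystem so a shared NFS home is not rewritten from every host.
owned_by_uid() {
  find "$2" -xdev -user "$1" -print 2>/dev/null
}

# Steps 2 and 3 for one user; with DRY_RUN=1 the commands are printed instead
# of run so the plan can be reviewed first. -h re-owns a symlink itself rather
# than the file it points to. userdel is the Linux command; AIX uses rmuser.
remap_user() {
  name=$1 old_uid=$2 old_gid=$3 new_uid=$4 new_gid=$5 root=$6
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "find $root -xdev -user $old_uid -exec chown -h $new_uid {} +"
    echo "find $root -xdev -group $old_gid -exec chgrp -h $new_gid {} +"
    echo "userdel $name"
    return 0
  fi
  find "$root" -xdev -user "$old_uid" -exec chown -h "$new_uid" {} +
  find "$root" -xdev -group "$old_gid" -exec chgrp -h "$new_gid" {} +
  # Drop the local entry only after every file is re-owned; from here on the
  # name falls through nsswitch to sss/ldap and resolves to the IPA uid.
  userdel "$name"
}

# Step 4: walk the mapping file (every name must already exist in IdM).
remap_all() {
  while IFS=: read -r name old_uid old_gid new_uid new_gid; do
    case $name in ''|\#*) continue ;; esac
    remap_user "$name" "$old_uid" "$old_gid" "$new_uid" "$new_gid" "${2:-/}"
  done < "$1"
}
```

Run it once with DRY_RUN=1 and review the printed commands on each host before letting it change ownership or remove accounts.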