Bug 488891

Summary: Document how to migrate user identities from an existing directory or identity store into IPA
Product: [Retired] freeIPA
Reporter: David O'Brien <daobrien>
Component: Documentation
Assignee: David O'Brien <daobrien>
Status: CLOSED DUPLICATE
QA Contact: Chandrasekar Kannan <ckannan>
Severity: medium
Priority: medium
Version: 2.0
CC: benl, dpal, jgalipea, pzuna
Target Milestone: v2 release
Keywords: Documentation
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of:
: 646210
Last Closed: 2011-01-13 08:47:40 UTC
Bug Blocks: 431020, 431022, 489811, 646210, 646217    

Description David O'Brien 2009-03-06 04:35:02 UTC
Description of problem:


Version-Release number of selected component (if applicable):


Additional info:
I'll need more info or draft doc on this to proceed.

Comment 1 David O'Brien 2009-03-08 21:55:21 UTC
Version set to 1.1 by mistake. Resetting to 2.0.

Comment 5 David O'Brien 2009-08-14 03:48:21 UTC
Added to Migration Guide. This guide is still in draft form, untested, and not public yet.

Comment 7 Pavel Zuna 2010-02-24 13:31:02 UTC
We have a command plugin for the purpose of migrating identities from an existing 389/RH DS to IPA. All migration tools can be examined using the built-in interface:

ipa help migration

Only one command is currently available. It can be used to migrate identities from DS or from IPAv1:

ipa migrate-ds LDAP_URI [--bind-dn=BIND_DN] [--user-container=USER_CONT]
                                            [--group-container=GROUP_CONT]
                                            [--exclude-users=EXC_USERS]
                                            [--exclude-groups=EXC_GROUPS]

BIND_DN - DN of the entry the command is going to bind as, defaults to "cn=Directory Manager"
USER_CONT - parent entry under which user identities are stored, defaults to "ou=People"
GROUP_CONT - parent entry under which group information is stored, defaults to "ou=Groups"
EXC_USERS - comma-separated list of user names to be excluded from migration
EXC_GROUPS - comma-separated list of groups to be excluded from migration

After executing the command, you will be prompted to enter the BIND password.

Note that migration mode has to be enabled first; you can do so using:

ipa config-mod --enable-migration=TRUE

To migrate users and groups from an existing default configuration DS reachable at ldap://example.com, it should be enough to execute:

ipa migrate-ds ldap://example.com

To migrate users and groups from an existing default configuration IPAv1 with DS reachable at ldap://example.com, you will need to execute:

ipa migrate-ds --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts ldap://example.com

Hope that helps.
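
The procedure from comment 7 as one wrapper, added here as an example and not part of the original comment or of FreeIPA itself: it enables migration mode, runs migrate-ds with only the options that were given, and turns migration mode off again even when the migration step fails. The function name run_migration, the IPA variable used for dry runs, and the --enable-migration=FALSE step (the assumed inverse of the command in the comment) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. IPA selects the client command;
# set IPA="echo ipa" to print the three steps instead of running them.
IPA=${IPA:-ipa}

# run_migration LDAP_URI [USER_CONT] [GROUP_CONT] [EXC_USERS] [EXC_GROUPS]
# Empty optional arguments fall back to the migrate-ds defaults
# (ou=People, ou=Groups, no exclusions, bind as cn=Directory Manager).
run_migration() {
    uri=${1:-}; user_cont=${2:-}; group_cont=${3:-}
    exc_users=${4:-}; exc_groups=${5:-}

    # Reject anything that is not an LDAP URI before changing server config.
    case $uri in
        ldap://?*|ldaps://?*) ;;
        *) echo "not an LDAP URI: $uri" >&2; return 2 ;;
    esac

    # Build the argument list; pass only the options that were supplied.
    set -- migrate-ds
    if [ -n "$user_cont" ];  then set -- "$@" "--user-container=$user_cont"; fi
    if [ -n "$group_cont" ]; then set -- "$@" "--group-container=$group_cont"; fi
    if [ -n "$exc_users" ];  then set -- "$@" "--exclude-users=$exc_users"; fi
    if [ -n "$exc_groups" ]; then set -- "$@" "--exclude-groups=$exc_groups"; fi
    set -- "$@" "$uri"

    # Step 1: migration mode has to be enabled first.
    $IPA config-mod --enable-migration=TRUE || return 1

    # Step 2: migrate; ipa prompts for the bind password on the terminal.
    rc=0
    $IPA "$@" || rc=$?

    # Step 3: switch migration mode back off, even if step 2 failed
    # (assumption: FALSE is the inverse of the TRUE setting above).
    $IPA config-mod --enable-migration=FALSE || rc=$?
    return "$rc"
}
```

For the IPAv1 case in the comment, the call would be `run_migration ldap://example.com cn=users,cn=accounts cn=groups,cn=accounts`.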

Comment 8 David O'Brien 2010-09-15 01:54:23 UTC
*** Bug 488900 has been marked as a duplicate of this bug. ***

Comment 9 David O'Brien 2011-01-13 08:47:40 UTC

*** This bug has been marked as a duplicate of bug 646210 ***