Bug 891984

Summary: [RFE] ID Views: Support migration from the sync solution to the trust solution
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.0
CC: jcholast, jherrman, jhrozek, mkosek, nsoman, pneedle, pvoborni, sgadekar, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.1.0-9.el7
Doc Type: Release Note
Doc Text:
This update implements the new "ID Views" mechanism of user configuration. This enables the migration of FreeIPA users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For the details of "ID Views" and the migration procedure, see the official FreeIPA documentation: http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
Clone Of:
: 1153294 1168344
Last Closed: 2015-03-05 10:08:48 UTC
Bug Depends On: 1151436    
Bug Blocks: 1153294, 1168344    

Description Dmitri Pal 2013-01-04 17:49:10 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3318

Provide a procedure or tool or both to migrate from the sync based solution to the AD based solution.

Comment 3 Martin Kosek 2014-06-24 07:06:12 UTC
Related upstream information (the feature is currently planned for FreeIPA 4.1):

Tickets:
https://fedorahosted.org/freeipa/ticket/3318: [RFE] Support migration from the sync solution to the trust solution (a.k.a. the views)
https://fedorahosted.org/freeipa/ticket/3979: [RFE] Add ability to centrally override specific user/group attributes

Design page:
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust

Comment 5 Jakub Hrozek 2014-07-02 11:39:27 UTC
SSSD upstream ticket:
https://fedorahosted.org/sssd/ticket/2375

Comment 6 Petr Vobornik 2014-09-09 15:09:54 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4524

Comment 7 Petr Vobornik 2014-09-11 15:22:21 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4535

Comment 8 Martin Kosek 2014-09-23 15:00:42 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4554

Comment 9 Martin Kosek 2014-09-30 08:45:33 UTC
Framework part fixed upstream:

master:

ipa-4-1:

Comment 11 Petr Vobornik 2014-09-30 09:53:42 UTC
Web UI:

master:
ipa-4-1:

Comment 12 Martin Kosek 2014-10-10 12:57:07 UTC
== Scope ==
Implement a new concept of ''ID Views'' (upstream ticket https://fedorahosted.org/freeipa/ticket/3979) that allows overriding selected attributes (like name, UID, home directory, ...) on users or groups from Active Directory by specifying the overrides either for all IdM clients in ''Default ID View'' or per-host in host/hostgroup-based view.

== Sync to Trust Migration Procedure ==
In a nutshell, synced users (i.e. users with their own UID and GID) can be migrated to a Trust-based setup following a simple procedure:

1. Select a user/group entry to be migrated
2. Create a default or host-based ID View override specifying previously used UID or other tools 
3. Backup migrated user/group
4. Delete user/group original entry

In the future, the procedure will be easier with the proposed tool for automated migration - https://fedorahosted.org/freeipa/ticket/4524.

== Design Page ==
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
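
The four-step procedure in Comment 12, as an added example that is not part of the original bug report or FreeIPA's own tooling: a dry-run planner that prints the `ipa` commands for one synced user so the override carries the previously used UID/GID and file ownership on clients stays consistent. The AD domain, the sample passwd entry, the backup file name and the use of `ipa user-show --all --raw` as the backup step are assumptions.

```shell
#!/bin/sh
# Dry-run planner: prints (does not execute) the ipa commands for steps 2-4.
# AD_DOMAIN and SAMPLE are constructed values for illustration.
AD_DOMAIN="ad.example.test"
VIEW="Default Trust View"   # name of the default ID view in FreeIPA
SAMPLE="jdoe:x:10001:10001:John Doe:/home/jdoe:/bin/bash"

# plan_migration <passwd-line>
# Input format: login:x:uid:gid:gecos:home:shell (as from `getent passwd`).
plan_migration() {
    entry=$1
    old_ifs=$IFS
    set -f                  # no glob expansion while splitting
    IFS=:
    set -- $entry
    IFS=$old_ifs
    set +f
    login=$1 uid=$3 gid=$4 home=$6 shell=$7

    # Refuse malformed entries: an override with a wrong UID/GID would
    # silently hand the user someone else's files.
    if [ -z "$login" ]; then
        echo "missing login in entry: $entry" >&2
        return 1
    fi
    for n in "$uid" "$gid"; do
        case $n in
            ''|*[!0-9]*) echo "invalid uid/gid in entry: $entry" >&2
                         return 1 ;;
        esac
    done

    # Step 2: override on the AD user, preserving the previously used IDs.
    printf "ipa idoverrideuser-add '%s' '%s@%s' --uid=%s --gidnumber=%s --homedir='%s' --shell='%s'\n" \
        "$VIEW" "$login" "$AD_DOMAIN" "$uid" "$gid" "$home" "$shell"
    # Step 3: back up the synced entry (assumed method: raw attribute dump).
    printf "ipa user-show '%s' --all --raw > '%s.backup.txt'\n" "$login" "$login"
    # Step 4: delete the original synced entry.
    printf "ipa user-del '%s'\n" "$login"
}

plan_migration "$SAMPLE"
```

Review the printed plan before running it, and confirm the override resolves on a client (for example with `id jdoe@ad.example.test`) before executing the delete step.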

Comment 14 Martin Kosek 2014-10-21 08:39:15 UTC
SSSD spec fixed:

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b6b19e0cb84e0cf3ca9040ff650a0caa8620e49e
ipa-4-1:
https://fedorahosted.org/freeipa/changeset/d969f73ed5b45420acc923c3d1d2064da95faea2

Function-wise, the feature is complete, moving to POST.

Comment 17 Martin Kosek 2014-10-24 12:21:38 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4664

Comment 18 Martin Kosek 2014-10-24 13:15:42 UTC
Moving to ASSIGNED until 4664 is fixed.

Comment 20 Martin Kosek 2014-10-29 16:42:36 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4659

Comment 21 Martin Kosek 2014-10-29 16:43:58 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4661

Comment 23 Petr Vobornik 2014-11-11 15:49:34 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4685

Comment 24 Martin Kosek 2014-11-12 11:33:48 UTC
User SSH public key support is close to being completed (client changes in SSSD complete). Upstream ticket:

https://fedorahosted.org/freeipa/ticket/4509

Comment 27 Petr Vobornik 2014-11-24 15:51:44 UTC
#4461 is not related to ID Views

Comment 28 Jan Cholasta 2014-11-24 16:10:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/4650

Comment 30 Martin Kosek 2014-11-25 15:40:23 UTC
Given the late release cycle, I am unlinking the following tickets from this RFE Bugzilla:

ID views Web UI: offer prefixes of trusted domains on id override add
https://fedorahosted.org/freeipa/ticket/4554

The *-find command does not return errors for unexisting parent objects
https://fedorahosted.org/freeipa/ticket/4659

Neither of them is critical for the release.

Comment 32 shridhar 2015-01-07 14:59:48 UTC
One of our customers is interested in testing this feature. Do we have test packages? Or do we need to wait till the 7.1 GA release?

Comment 33 Martin Kosek 2015-01-07 15:32:06 UTC
The customer can use RHEL-7.1 Beta packages.

The Identity Management team even put together instructions and additional information on how to test the feature:

https://access.redhat.com/solutions/1281783

Comment 35 Steeve Goveas 2015-01-30 15:03:32 UTC
Feature was tested as listed in test plan. For issues that were found during testing other bugs were filed.

Comment 37 errata-xmlrpc 2015-03-05 10:08:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

Comment 38 Martin Kosek 2015-03-22 17:48:13 UTC
*** Bug 1204505 has been marked as a duplicate of this bug. ***