Red Hat Bugzilla – Bug 891984
[RFE] ID Views: Support migration from the sync solution to the trust solution
Last modified: 2015-03-22 13:48:13 EDT
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3318 Provide, procedure or tool or both to migrate from the sync based solution to the AD based solution.
Related upstream information (the feature is currently planned for FreeIPA 4.1): Tickets: https://fedorahosted.org/freeipa/ticket/3318: [RFE] Support migration from the sync solution to the trust solution (a.k.a. the views) https://fedorahosted.org/freeipa/ticket/3979: [RFE] Add ability to centrally override specific user/group attributes Design page: http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
SSSD upstream ticket: https://fedorahosted.org/sssd/ticket/2375
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4524
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4535
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4554
Framework part fixed upstream: master: https://fedorahosted.org/freeipa/changeset/16f3786d25a59a3f4041d780db64940ee80d269d https://fedorahosted.org/freeipa/changeset/6b14030e9076e4f9e71ddb641ba959043284c78d https://fedorahosted.org/freeipa/changeset/be36525dc5169c28a6510ec955607fd3c91db2ce https://fedorahosted.org/freeipa/changeset/3e2e5a4d288f6943e9437016c7ef43f2f8efb3c2 https://fedorahosted.org/freeipa/changeset/f48a7bb730aa6c6482eb373550b86097ee3a3b41 https://fedorahosted.org/freeipa/changeset/b65b74890bdf6b6fde8379181dce66a1ef9db8d1 https://fedorahosted.org/freeipa/changeset/377ab0c4a6f9f61f2a00844a2cea9233d908bbb1 https://fedorahosted.org/freeipa/changeset/936eaada89061456a30927ba95a9836f76a88045 https://fedorahosted.org/freeipa/changeset/ce42bf282ff19c81062038b4100f7e576686b421 https://fedorahosted.org/freeipa/changeset/6e94d23a926ebbe456e183aac9e60a7119f0a502 https://fedorahosted.org/freeipa/changeset/f3576bd94b4a7cf786ffdf442e3460182390dfc5 https://fedorahosted.org/freeipa/changeset/186c161ef573d7b221c01c30f8995683ce13b216 https://fedorahosted.org/freeipa/changeset/6a798f144f88996046bce9bf19e771bb5a477bc6 https://fedorahosted.org/freeipa/changeset/d03b09beb4855f6ceea505221bf39a0f1369fa73 https://fedorahosted.org/freeipa/changeset/b4a13aeea8354d048828c711b4e1413bd4a0d82e https://fedorahosted.org/freeipa/changeset/cbf1ad84f1a315cfe5671c08754c39adc3f90919 https://fedorahosted.org/freeipa/changeset/c6d50c456f6984eb6cb5392cdda6fab151fbbf65 https://fedorahosted.org/freeipa/changeset/961790e20a102b6e70a4b83cccd99d1bf24c499e https://fedorahosted.org/freeipa/changeset/c1f51cff02b0ca1bb41447134c77e5f09544b114 https://fedorahosted.org/freeipa/changeset/3ff410d3a7ef2192fc6c37c77fd9aa80bb518707 https://fedorahosted.org/freeipa/changeset/8fb0e3a2b430d67a554b74a36f78c5b0292c1495 https://fedorahosted.org/freeipa/changeset/277b762d363a3a05bb5ca99e2dc7242704ff0124 https://fedorahosted.org/freeipa/changeset/bba37691965ea2afef7763ee4ab6a9559b8b0e78 https://fedorahosted.org/freeipa/changeset/1d6f591cc50fb3cc37588631e74ea6820467f09e https://fedorahosted.org/freeipa/changeset/2131187ea9e05a739553df7cfc87a688df569d8c https://fedorahosted.org/freeipa/changeset/b9425751b421484c97375df956ccda3cb9dc0e70 https://fedorahosted.org/freeipa/changeset/13089eae527ae87cad69148be3d60077511dc517 https://fedorahosted.org/freeipa/changeset/dbf8d97ecf5d82c1e0e1a11cdf64dd670309c2a5 https://fedorahosted.org/freeipa/changeset/47268575c931fd57298617fe979f25cb1a90d1bb https://fedorahosted.org/freeipa/changeset/902655da5909f79ffde6a06d527bd1dbe9ee5f8a https://fedorahosted.org/freeipa/changeset/51816930a662e0312589cca2981e8ae4d32da779 https://fedorahosted.org/freeipa/changeset/2a230b6cc16037fbf56d79bfde2fb4d1ab386ef6 ipa-4-1: https://fedorahosted.org/freeipa/changeset/5b49a37052b708af90fa0ccbd45aecf12887e1d1 https://fedorahosted.org/freeipa/changeset/036ea78a8b2f5a6705f08e344fbe123796d0eeba https://fedorahosted.org/freeipa/changeset/6d6da4b31bf5a1fbc05bd7f779402572ebc5b07d https://fedorahosted.org/freeipa/changeset/debfb010f604583d346483589ba45b1391de2c68 https://fedorahosted.org/freeipa/changeset/81e3b1a1a0ed8a099d040b69e38f77214728b87b https://fedorahosted.org/freeipa/changeset/6f3e3ebef871fa1bd74d181068770b797eb11fbb https://fedorahosted.org/freeipa/changeset/be916cc671cc986e59df646ab8d7e742ee87bfab https://fedorahosted.org/freeipa/changeset/1625423d86fb6b1c1a9470936c18958115d9361c https://fedorahosted.org/freeipa/changeset/457aca1b19353cd1eef6b5ccb1f369e4749a442d https://fedorahosted.org/freeipa/changeset/3831c9da06c87caf790470ee58111561c8e77317 https://fedorahosted.org/freeipa/changeset/b275ba688fbe9724a763c0fafaba29c48f391fba https://fedorahosted.org/freeipa/changeset/505039c6ba2dd5ba1d4331e5e8359671bd5ff5a5 https://fedorahosted.org/freeipa/changeset/3d89dffd1064fbdf6bb319b226f73086af131cd5 https://fedorahosted.org/freeipa/changeset/b8e9dea7e5273e5aa95d0f6742a5be571eb70144 https://fedorahosted.org/freeipa/changeset/aa39f40610503c29c11f644ec0966c988eb2e354 https://fedorahosted.org/freeipa/changeset/d6bc04428f3dc98d91e17330dfc82c0ce415b419 https://fedorahosted.org/freeipa/changeset/959a1e0e75281a536ce44c7c7c429949c26b71bc https://fedorahosted.org/freeipa/changeset/49ef84c087084531e54812ad299f8c288fc2d305 https://fedorahosted.org/freeipa/changeset/8b59dfaa1bd98e8710480d104a5ebb28c04f748f https://fedorahosted.org/freeipa/changeset/731e7a5ee77bf83bf9da7cf04c1681de76f2ce44 https://fedorahosted.org/freeipa/changeset/7c339a8cd26d8d88117714f204d319e0a1cb0686 https://fedorahosted.org/freeipa/changeset/50fa40b00e4ec7174aa8b9c5157f09ebe4d16cde https://fedorahosted.org/freeipa/changeset/b8bf4445df84412e02bbf3fdb165fd94b15fe987 https://fedorahosted.org/freeipa/changeset/bdfa7ead0858a490cb4609952594c090c4fe2db6 https://fedorahosted.org/freeipa/changeset/473fbe82e278192102fda8ada5a7a499281a34f6 https://fedorahosted.org/freeipa/changeset/57a08ad940e6fa152d3906b57a9e3d5f2fc5957a https://fedorahosted.org/freeipa/changeset/860a50f1248d3a70d55d8c94390d827dd67cae35 https://fedorahosted.org/freeipa/changeset/0a7c10b13893f8a0a510da0798236e41b0e3ceef https://fedorahosted.org/freeipa/changeset/1551ff1ea5645fcebc0d38c731ae0e4a102068ff https://fedorahosted.org/freeipa/changeset/60ea9065f35f795eef782586fae60094f9ca3394 https://fedorahosted.org/freeipa/changeset/ea1aac1603a41ab7ec341cefd2b6b64d96b83d78 https://fedorahosted.org/freeipa/changeset/f0b6254106f98875e2c94af81bcb836d3ad46681
Upgrade fix: master: https://fedorahosted.org/freeipa/changeset/00457a9c109c1df0788a979f07c7fb5c0cc3bc8b ipa-4-1: https://fedorahosted.org/freeipa/changeset/7ddebb613d1d14ebe11491651eb7bbfe21c64f5b
Web UI: master: https://fedorahosted.org/freeipa/changeset/15b6ed67056ce918e11f7ea5c2d193534b5ce6b5 https://fedorahosted.org/freeipa/changeset/26bd309c96446b9eda26a08e6924d6e1b4c621fc https://fedorahosted.org/freeipa/changeset/27196b92c60917d8488dad8721d2087e9fee716c https://fedorahosted.org/freeipa/changeset/8b0e2ed991e9a1a49ef92e314d3d4855beb93b46 https://fedorahosted.org/freeipa/changeset/749101db74219681735226664c1f83ebb4dc4aa7 https://fedorahosted.org/freeipa/changeset/ae5a34cbbc0cd3841647a2ad166bdfc65399da19 https://fedorahosted.org/freeipa/changeset/2cc78acf9b45b5f8a2d12e232d53267a31732df6 https://fedorahosted.org/freeipa/changeset/0e76bc1cb65b3eb81b37b4b45ccb71bf91fe5fbc https://fedorahosted.org/freeipa/changeset/00d598bab043e277d3f57eab5092c04cf5d6f5f8 ipa-4-1: https://fedorahosted.org/freeipa/changeset/f3c8c4c00f42692f4484dd7875a991a8a0443208 https://fedorahosted.org/freeipa/changeset/1050ec887782d1ebf906d239e6aab98aecfc9db4 https://fedorahosted.org/freeipa/changeset/86fc8ec0c8d22bd32abe157a047148f0fabf0ff9 https://fedorahosted.org/freeipa/changeset/e0c33446799a2f199b181660dd2b03a4ca6636da https://fedorahosted.org/freeipa/changeset/cd4c337002fa5c67d0dcad271790fc7130af47d1 https://fedorahosted.org/freeipa/changeset/8a4730ce3c971a23d3d3e2ce55d9bb5a0c46124a https://fedorahosted.org/freeipa/changeset/bdf1e6c2262b09e6d515d09a37e8a33c4a4e85df https://fedorahosted.org/freeipa/changeset/7b7b98db185efba17225c2029d5728bd794e4650 https://fedorahosted.org/freeipa/changeset/6388aaad80fe5ab18ad4100fb28e3257f55dbca5
== Scope == Implement a new concept of ''ID Views'' (upstream ticket https://fedorahosted.org/freeipa/ticket/3979) that allows overriding selected attributes (like name, UID, home directory, ...) on users or groups from Active Directory by specifying the overrides either for all IdM clients in ''Default ID View'' or per-host in host/hostgroup-based view. == Sync to Trust Migration Procedure == In a nutshell, synced users (i.e. users with own UID and GID) can be migrated to Trust-based setup following a simple procedure: 1. Select a user/group entry to be migrated 2. Create a default or host-based ID View override specifying previously used UID or other tools 3. Backup migrated user/group 4. Delete user/group original entry In future, the procedure will be easier with proposed tool for automated migration - https://fedorahosted.org/freeipa/ticket/4524. == Design Page == http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
Allow to override additional attributes: shell, GID, sshkeys, gecos: master: https://fedorahosted.org/freeipa/changeset/63be2ee9f0296e1366c77258929c7ce2dad53154 https://fedorahosted.org/freeipa/changeset/ca42d3469a6f83376d33b08d7bb4b43c2e93d604 https://fedorahosted.org/freeipa/changeset/b50524b10c82ed7931a2e84dbb029e8909aa8f3f https://fedorahosted.org/freeipa/changeset/5ec23ccb5f1d21c6e6c56650c18d1b4296d59ac9 https://fedorahosted.org/freeipa/changeset/6637449ad2d8885f6df43b4098f09289c7405129 https://fedorahosted.org/freeipa/changeset/9fcc9a0163b7f485deae2fd000ae0ab554f9bb72 ipa-4-1: https://fedorahosted.org/freeipa/changeset/8a8d2e71f384bfa50477042cb8e82f14237caa7c https://fedorahosted.org/freeipa/changeset/ad6d019b4784853c59fb2a38c5de149b02640841 https://fedorahosted.org/freeipa/changeset/240d93bd80a3fdc9f67640f74380eb748ffff43c https://fedorahosted.org/freeipa/changeset/aa0f5d35c5221e1d8ae270d354ff21d173b3194e https://fedorahosted.org/freeipa/changeset/79c0b31c72a8d8db676f3a621371983e5d9cdf53 https://fedorahosted.org/freeipa/changeset/a4798c78372a66545d338b809afb45b5f9ada94d
SSSD spec fixed: Fixed upstream master: https://fedorahosted.org/freeipa/changeset/b6b19e0cb84e0cf3ca9040ff650a0caa8620e49e ipa-4-1: https://fedorahosted.org/freeipa/changeset/d969f73ed5b45420acc923c3d1d2064da95faea2 Function-wise, feature is complete, moving to POST.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4664
Moving to ASSIGNED until 4664 is fixed.
Ticket 4664 fixed upstream master: https://fedorahosted.org/freeipa/changeset/d6b28f29ecffae604801a5380efdff135734785d ipa-4-1: https://fedorahosted.org/freeipa/changeset/47ab6351f1dc75cee0f2b868401f38174b67f87a
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4659
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4661
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0df3119b66e30164d288b4859ff38c5271c7a39f ipa-4-1: https://fedorahosted.org/freeipa/changeset/1102db7cd4059b910ad008dc4cf33dbda88ab0fc
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4685
User SSH public key support is close to be completed (client changes in SSSD complete). Upstream ticket: https://fedorahosted.org/freeipa/ticket/4509
#4461 is not related to ID Views
Upstream ticket: https://fedorahosted.org/freeipa/ticket/4650
Ticket 4650 fixed upstream master: https://fedorahosted.org/freeipa/changeset/b42b1755dcd0a681709525b4d574e12b77bbce13/ ipa-4-1: https://fedorahosted.org/freeipa/changeset/2fc53c9426ff976d4732cc1d16b1b61447cb4313/
Given the late release cycle, I am unlinking following tickets from this RFE Bugzilla: ID views Web UI: offer prefixes of trusted domains on id override add https://fedorahosted.org/freeipa/ticket/4554 The *-find command does not return errors for unexisting parent objects https://fedorahosted.org/freeipa/ticket/4659 Neither of them is critical for the release.
One of our customer is interested in testing this feature. Do we have test packages? or do we need to wait till 7.1 GA release?
The customer can use RHEL-7.1 Beta packages. Identity Management team even put together instructions and additional information how to test the feature: https://access.redhat.com/solutions/1281783
Ticket 4659 fixed upstream master: https://fedorahosted.org/freeipa/changeset/e11e8235ac9af09a587262368ef795cddbdd0e4e ipa-4-1: https://fedorahosted.org/freeipa/changeset/44134460b6545b51a17884ce353e556bd8cd753f
Feature was tested as listed in test plan. For issues that were found during testing other bugs were filed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html
*** Bug 1204505 has been marked as a duplicate of this bug. ***