Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
This update implements the new "ID Views" mechanism of user configuration. This enables the migration of FreeIPA users from a WinSync synchronization-based architecture used by Active Directory to an infrastructure based on Cross-Realm Trusts. For the details of "ID Views" and the migration procedure, see the official FreeIPA documentation:
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3318
Provide, procedure or tool or both to migrate from the sync based solution to the AD based solution.
== Scope ==
Implement a new concept of ''ID Views'' (upstream ticket https://fedorahosted.org/freeipa/ticket/3979) that allows overriding selected attributes (like name, UID, home directory, ...) on users or groups from Active Directory by specifying the overrides either for all IdM clients in ''Default ID View'' or per-host in host/hostgroup-based view.
== Sync to Trust Migration Procedure ==
In a nutshell, synced users (i.e. users with own UID and GID) can be migrated to Trust-based setup following a simple procedure:
1. Select a user/group entry to be migrated
2. Create a default or host-based ID View override specifying previously used UID or other tools
3. Backup migrated user/group
4. Delete user/group original entry
In future, the procedure will be easier with proposed tool for automated migration - https://fedorahosted.org/freeipa/ticket/4524.
== Design Page ==
http://www.freeipa.org/page/V4/Migrating_existing_environments_to_Trust
Given the late release cycle, I am unlinking following tickets from this RFE Bugzilla:
ID views Web UI: offer prefixes of trusted domains on id override add
https://fedorahosted.org/freeipa/ticket/4554
The *-find command does not return errors for unexisting parent objects
https://fedorahosted.org/freeipa/ticket/4659
Neither of them is critical for the release.
The customer can use RHEL-7.1 Beta packages.
Identity Management team even put together instructions and additional information how to test the feature:
https://access.redhat.com/solutions/1281783
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2015-0442.html