Message info
From: Dmitri Pal
Subject: Re: [Freeipa-users] Migration from LDAP to IPA
Date: Sun, 18 Mar 2012 12:47:51 -0400

On 03/17/2012 06:24 AM, Marco Pizzoli wrote:
By looking at the RHEL6 IPA documentation I can find instructions on how to migrate from an existing LDAP server to IPA.

It cites the step:
ipa config-mod --enable-migration=TRUE

Please, could you explain to me what is the internal scope of this command?

Also, is it normal that (always in the doc) after executing "ipa migrate-ds" I don't have to revert to
ipa config-mod  --enable-migration=FALSE

This enables password migration using SSSD or a special web page. It turns on migration mode.
The issue is that when you load the LDIF from the external DS you still need to generate Kerberos hashes for every user's password. But to do this you need to have the password in the clear. So your options are: to force users to change their password (which is not pleasant), give users a page to authenticate (it gets enabled when you enable migration), or allow SSSD to perform a seamless migration by realizing that the user does not have a Kerberos hash, authenticating via LDAP, causing a hash to be created, and then authenticating using Kerberos (turned on by this migration flag).

So the last two migration methods are enabled when you execute the command.
You need to turn it off when all users have Kerberos passwords.

Deon, if this is not clear in the documentation, I think we should add this clarification.

Thanks again

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
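
A check for the point made in the reply above (turn migration mode off once all users have Kerberos passwords), as an added example that is not part of the original thread or of FreeIPA's own code. It assumes the Kerberos keys are stored in the `krbPrincipalKey` attribute of each user entry and that the LDIF comes from an `ldapsearch` run with sufficient privileges to read that attribute; the base DN, the bind DN and the sample entries are constructed placeholders.

```shell
#!/bin/sh
# Added example: list migrated users that still have no Kerberos key.
# Expected input on stdin is LDIF, e.g. from (placeholder base DN and bind DN):
#   ldapsearch -LLL -o ldif-wrap=no -D "cn=Directory Manager" -W \
#     -b "cn=users,cn=accounts,dc=example,dc=com" \
#     "(objectClass=posixAccount)" uid krbPrincipalKey

# Print the uid of every entry that has no krbPrincipalKey attribute.
users_missing_krb_key() {
    awk '
        function flush() {
            if (uid != "" && !haskey) print uid
            uid = ""; haskey = 0
        }
        /^$/ { flush(); next }                       # blank line ends an entry
        tolower($0) ~ /^uid: / { uid = substr($0, 6); next }
        tolower($0) ~ /^krbprincipalkey::? / { haskey = 1; next }
        END { flush() }                              # last entry may lack a blank line
    '
}

# Succeeds only when no user is left without a key, i.e. when
# "ipa config-mod --enable-migration=FALSE" would not strand anyone.
migration_can_be_disabled() {
    [ -z "$(users_missing_krb_key)" ]
}

# Constructed sample LDIF; the key values are dummy base64, not real keys.
sample_ldif() {
cat <<'EOF'
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
krbPrincipalKey:: Q09OU1RSVUNURUQ=

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=com
krbprincipalkey:: Q09OU1RSVUNURUQ=
uid: carol

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=com
uid: dave
EOF
}

sample_ldif | users_missing_krb_key
```

Users printed by the function have not yet authenticated through the migration page or SSSD, so their entries carry only the imported LDAP password hash.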
