# Migrate from OpenLDAP to IPA Server

Instructions for migrating an OpenLDAP service to IPA.

## Config files, data and aspects to consider

If you haven't installed FreeIPA server yet, follow this tutorial (including a replica): [ ](Git)

Configuration file for the LDAP service on the IPA Server:

```
cat /etc/openldap/ldap.conf
```

This file contains the client setup for the LDAP service. It is kept in line with the IPA service and contains the schemas and parameters set by the IPA Server.

In this case, you would simply use:

```
ldapsearch -x uid=admin
```

without parameters such as *host*, *port*, *URI* or *base-dn*, because the IPA installation has already configured them in `/etc/openldap/ldap.conf`.

You can use either IPA commands or plain LDAP commands to interact with the directory service. We have chosen to perform the migration with the IPA tools and to complete some aspects with LDAP.

## Starting migration

Review your old LDAP directory on its server and write some queries, in order to decide which branch or subtree will be imported.

Search in your old OpenLDAP server:

```
ldapsearch -h myOldServerLDAP -D "cn=adm,dc=ugr,dc=es" -W -b "ou=users,dc=ugr,dc=es"
```

Here we bind as `admin`, because we want to see everything (including the hashed passwords).

## Start session on IPA Server

Start an IPA session with `admin` credentials:

```
kinit admin
```

Enable IPA migration mode (after the migration, remember to disable it again):

```
ipa config-mod --enable-migration=TRUE
```

It returns the following:

```
ipa: ERROR: no modifications to be performed
```

This is correct: the mode was already TRUE.
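Before running the migration it is worth knowing which entries in the old directory would hit the `missing attribute "sn" required by object class "organizationalPerson"` error that the migration command below works around. The following script is an added example, not part of the original README; the server name, bind DN and base DN are the ones used in this README and the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example (not part of the original README): list the entries in the
# old OpenLDAP that carry a person object class (which requires sn) but have
# no sn attribute, i.e. the ones behind the "missing attribute sn" error.
# Server, bind DN and base DN are the illustrative ones from this README.

# Dump the old user branch as LDIF. -LLL drops comments/version lines and
# -o ldif-wrap=no keeps each attribute on one line so awk can match it.
dump_old_users() {
  ldapsearch -LLL -o ldif-wrap=no -h myOldServerLDAP \
    -D "cn=adm,dc=ugr,dc=es" -W -b "ou=users,dc=ugr,dc=es" \
    "(objectClass=*)" objectClass sn
}

# Read LDIF on stdin and print the DN of every entry that has one of the
# person object classes but no sn attribute. LDIF records are separated by
# blank lines, so awk runs in paragraph mode (RS = "").
entries_missing_sn() {
  awk '
    BEGIN { RS = ""; FS = "\n" }
    {
      dn = ""; person = 0; has_sn = 0
      for (i = 1; i <= NF; i++) {
        line = $i
        if (line ~ /^dn::? /) { sub(/^dn::? /, "", line); dn = line }
        else if (tolower(line) ~ /^objectclass: (person|organizationalperson|inetorgperson)$/) person = 1
        else if (tolower(line) ~ /^sn::? /) has_sn = 1
      }
      if (dn != "" && person && !has_sn) print dn
    }'
}

# Constructed sample (not a real dump): bob lacks sn, alice has it, svc is a
# plain "account" entry that does not require it.
SAMPLE_LDIF='dn: uid=alice,ou=users,dc=ugr,dc=es
objectClass: account
objectClass: inetOrgPerson
sn: Liddell

dn: uid=bob,ou=users,dc=ugr,dc=es
objectClass: account
objectClass: organizationalPerson

dn: uid=svc,ou=users,dc=ugr,dc=es
objectClass: account
'

# Live use: dump_old_users | entries_missing_sn
printf '%s' "$SAMPLE_LDIF" | entries_missing_sn   # prints: uid=bob,ou=users,dc=ugr,dc=es
```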
## IPA Migration from OpenLDAP to IPA Server

This command takes the following into account:

- It works around the error with the `sn` attribute, `missing attribute "sn" required by object class "organizationalPerson"`, by adding `--user-ignore-attribute="sn"` and `--user-ignore-objectclass={organizationalPerson,inetOrgPerson,person}`.
- It imports the whole directory (users).
- It imports the passwords: binding with `--bind-dn="cn=admin,ou=..."` lets the search on the remote LDAP read and extract the password hashes.
- It uses the remote OpenLDAP server `myOldServerLDAP`.

The command is then:

```
ipa migrate-ds ldap://myOldServerLDAP \
    --base-dn="dc=ugr,dc=es" \
    --bind-dn="cn=adm,ou=usr,dc=ugr,dc=es" \
    --user-objectclass=account \
    --group-objectclass=organizationalUnit \
    --user-container="ou=users" \
    --group-container="ou=users" \
    --group-objectclass="account" \
    --continue --group-overwrite-gid --schema="RFC2307" \
    --user-ignore-attribute="sn" \
    --user-ignore-objectclass={organizationalPerson,inetOrgPerson,person}
```

*This command is poorly documented: there are no examples, many things are left to defaults and the error output is not very detailed.*

Once all users and groups are migrated, each user has to validate their password so that Kerberos keys can be generated: every user must go to http://server.ipa/ipa/migration and enter their credentials, which enables their password for Kerberos on the new IPA server.

The output at the end will show:

````
Passwords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.
````

At this point you can authenticate on the main FreeIPA web UI with your (now *Kerberized*) credentials, change your attributes and the like, and log in over SSH to servers that have the IPA client installed, if that is enabled.

## How to use LDAP commands in FreeIPA

Remember that FreeIPA uses `-D "cn=Directory Manager"` to access the main tree.

Deleting entries with the OpenLDAP client tools against FreeIPA (not the old OpenLDAP server, but the new LDAP directory provided by FreeIPA):

Delete a group:

````
ldapdelete -D "cn=Directory Manager" -h freeipa.imuds "cn=manuel jesus parra royn,cn=groups,cn=accounts,dc=imuds" -W
````

Delete a user:

````
ldapdelete -D "cn=Directory Manager" -h freeipa.imuds "cn=mparra,cn=users,cn=accounts,dc=imuds" -W
````

Add a new user:

This is strongly discouraged, because you must know the IPA server's rules for LDAP; use `ipa migrate-ds` instead.

Example:

````
ldapadd -x -h freeipa.imuds -D "cn=Directory Manager" -c -f mparra.ldif
````

If the user definition in the `ldif` file contains a user password, it returns an error: `Password cannot imported hashed`

## Post migration

After the migration, only a few directory maintenance tasks remain. If no default group assignment has been specified for the imported users, IPA will, regardless of the group, add a user group for each user.
These groups are migrated and associated with the user, but by default IPA also assigns several default groups to keep the users containerized. So now that users have their correct password within IPA (migrated through the password migration web page), all that is left to do is to re-establish the new user groups or clean them up.
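Two checks that belong at the end of the migration, as an added example that is not part of the original README: which users have still not completed the /ipa/migration step (and therefore have no Kerberos keys yet), and whether migration mode is still enabled. It assumes an admin ticket and the output labels that `ipa user-find --all` and `ipa config-show` print ("User login:", "Kerberos keys available:", "Enable migration mode:"); the sample output is constructed.

```shell
#!/bin/sh
# Added example (not part of the original README): two post-migration checks.
# Assumes an admin ticket (kinit admin) and the output labels printed by
# `ipa user-find --all` and `ipa config-show` ("User login:",
# "Kerberos keys available:", "Enable migration mode:"). Both checks are
# text filters over that output, so they also run offline on captured text.

# Users who have not visited /ipa/migration yet: they still have only the
# pre-hashed password and no Kerberos keys. Reads `ipa user-find --all`
# output on stdin and prints one login per line.
users_without_krb_keys() {
  awk '/^ *User login: / { login = $3 }
       /^ *Kerberos keys available: False/ { print login }'
}

# Migration mode should go back off once that list is empty.
# Reads `ipa config-show` output on stdin; prints "enabled" or "disabled".
migration_mode() {
  if grep -q '^ *Enable migration mode: *True'; then echo enabled; else echo disabled; fi
}

# Constructed sample output (not captured from a real server).
SAMPLE_USERS='---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Password: True
  Kerberos keys available: True

  User login: mparra
  First name: Manuel
  Last name: Parra
  Password: True
  Kerberos keys available: False
----------------------------
Number of entries returned 2
----------------------------'
SAMPLE_CONFIG='  Enable migration mode: True'

# Live use:
#   ipa user-find --all | users_without_krb_keys
#   ipa config-show | migration_mode     # then: ipa config-mod --enable-migration=FALSE
printf '%s\n' "$SAMPLE_USERS" | users_without_krb_keys   # prints: mparra
printf '%s\n' "$SAMPLE_CONFIG" | migration_mode          # prints: enabled
```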
## IPA Commands and recipes

Search users:

`ipa user-find`

Search all users:

`ipa user-find --all`

Show user details:

`ipa user-show mparra`

Show all user details:

`ipa user-show mparra --all`

Create a new user:

The minimal creation requires the username, first name, surname and email; all other parameters will be set by default (including uid, guid, etc.).

`ipa user-add mparra --first="Manuel" --last="Parra" --email="mparra@cookingbigdata.com"`

Delete a user:

`ipa user-del mparra`

Create a group:

`ipa group-add bigdata`