Discussion:
[Freeipa-users] Migration from FreeIPA 3.0 to 4.x
Dagan
2017-03-23 22:51:34 UTC
Hi,

I am hoping someone will be able to help answer some questions about migrations.

I have been asked to look at upgrading an existing FreeIPA installation on CentOS 6 (3.0.0) to a new installation on CentOS 7 with a recent stable release (4.4.0).

The existing CentOS 6 installation does not manage DNS or have a CA that is being used (though they may be installed). It's primarily for user authentication and user group management.

There are only a small number of users, groups, and hosts to migrate - less than 100 of each.
But the data is used for LDAP integration in various applications so it needs to be consistent.

Would it be recommended to do a straight LDIF type export and import of the data, and configure the new FreeIPA installation for the new access/sudo rules?

Would that risk leaving behind any data I would need to know about?

We are planning to review the sudo rules, host access lists etc as part of the migration work. So leaving behind some data may not be a blocker to upgrade.

Any suggestions or links welcome.

Cheers,
Dagan McGregor
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Zak Peirce
2017-03-23 23:54:20 UTC
I am looking to take this same journey. I found this guide, it seems like
it covers all the bases

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrade-6-to-7.html


-Zak

Christophe TREFOIS
2017-03-24 10:58:34 UTC
I’m not an expert, but I think ipa-replica-prepare is deprecated in 4.4 as the procedure became more simple.

I think setting up a new cluster of CentOS 7.3 machines and setting up replicas against the old cluster is sufficient.

What do the experts say?
--
Dr Christophe Trefois, Dipl.-Ing.
Technical Specialist / Post-Doc

UNIVERSITÉ DU LUXEMBOURG

LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | House of Biomedicine
6, avenue du Swing
L-4367 Belvaux
T: +352 46 66 44 6124
F: +352 46 66 44 6949
http://www.uni.lu/lcsb
----
This message is confidential and may contain privileged information.
It is intended for the named recipient only.
If you receive it in error please notify me and permanently delete the original message and any copies.
----
Standa Laznicka
2017-03-24 11:39:22 UTC
While I don't consider myself an expert, I should note that
ipa-replica-prepare has not been deprecated. The proposed solution to
follow

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/upgrade-6-to-7.html

is indeed the correct one.

Not to be confused about ipa-replica-prepare: this command shall not be
used on domain level 1 machines since the replication is solved in a
smarter and more automatic way. The command would not work on domain
level 1 anyway.

HTH,
Standa
Dagan
2017-03-26 23:08:02 UTC
Thanks for the clarification Standa.

Cheers,
Dagan McGregor
Christophe TREFOIS
2017-03-24 12:30:44 UTC
Ok, thanks for clearing that up Alex :)
Post by Christophe TREFOIS
I’m not an expert, but I think ipa-replica-prepare is deprecated in 4.4 as
the procedure became more simple.
No, it is not deprecated, that's not true. We have now a concept of
'domain level' which drives certain features. DL 0 uses traditional
method to deploy replicas, DL 1 uses a new one. If you are making new
replica in DL 0 environment, even with new FreeIPA version, you'd
continue using ipa-replica-prepare. For DL 1 environment you would be
using new method -- enroll an IPA client and then promote it to be a
replica.
--
/ Alexander Bokovoy
Dagan
2017-03-26 22:28:17 UTC
Hi,

Do you mean by installing FreeIPA using freeipa-replica-install and manually adding using CLI to add replica agreements with the old cluster?
Or relying on newer replica management?

What command options would be needed for the installation in that scenario?

I can see in Google results for improvement in the replica management, but not much on which commands to run to make it work in my case.

Cheers,
Dagan McGregor
Dagan
2017-03-26 23:06:42 UTC
Thanks for this information Alexander.

I just had a look at the domain levels page. This is very useful to know.

Cheers,
Dagan McGregor