Hi,
I am migrating users off an old 4.3.1 FreeIPA cluster to a new 4.6.4 FreeIPA cluster via the ‘ipa migrate-ds’ command.
ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://172.16.1.156
First issue I ran into is that it didn’t retain the nsAccountLock flag for users, so all my disabled users were enabled again; that was an easy fix.
Second issue I ran into is that roles were not migrated and applied to users. I could manually create the roles and apply them to users, but I am wondering why these weren’t migrated by migrate-ds?
It is my understanding that this is the intended usage of migrate-ds, to migrate from one FreeIPA to another, dropping important objects like roles seems fairly critical?
Your feedback and suggestions would be greatly appreciated.
Thanks