Mitchell Smith via FreeIPA-users wrote:
Hi,
I am migrating users off an old 4.3.1 FreeIPA cluster to a new 4.6.4 FreeIPA cluster via
the ‘ipa migrate-ds’ command.
ipa migrate-ds --bind-dn="cn=Directory Manager" \
  --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts \
  --group-objectclass=posixgroup \
  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} \
  --user-ignore-objectclass=mepOriginEntry --with-compat ldap://172.16.1.156
First issue I ran into is that it didn’t retain the nsAccountLock flag for users, so all
my disabled users were enabled again; that was an easy fix.
Second issue I ran into is that roles were not migrated and applied to users. I could
manually create the roles and apply them to users, but I am wondering why these weren’t
migrated by migrate-ds?
It is my understanding that this is the intended usage of migrate-ds, to migrate from one
FreeIPA to another; dropping important objects like roles seems fairly critical?

The intended usage is to migrate from a pure LDAP server to IPA. Only
users and groups are migrated. There is a long-standing RFE to implement
IPA to IPA migration:
https://pagure.io/freeipa/issue/3656
rob
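
Added example, not part of the original thread or of FreeIPA: a post-migration check for the first issue described above, listing users that were disabled (nsAccountLock TRUE) on the source but exist on the target without the lock. It assumes LDIF exports of the users container from both servers with uid and nsAccountLock requested; the sample entries, the dc=example,dc=test suffix and all function names are constructed for illustration.

```python
import base64
# Constructed sample exports; dave is locked on the source but was never migrated.
SOURCE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice
nsAccountLock: TRUE

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
nsAccountLock:: VFJVRQ==

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
uid: dave
nsAccountLock: TRUE
"""
TARGET_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
uid: alice

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
uid: carol
nsAccountLock: TRUE
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per LDIF entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")   # unfold continuation lines
    entries = []
    for block in text.split("\n\n"):
        cur = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:     # skip ldapsearch comments
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):                       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
        if cur:
            entries.append(cur)
    return entries

def locked(entries):
    return {e["uid"][0] for e in entries
            if "uid" in e and "TRUE" in (v.upper() for v in e.get("nsaccountlock", []))}

def reenabled(source_ldif, target_ldif):
    """uids locked on the source that exist on the target without the lock."""
    dst = parse_ldif(target_ldif)
    present = {e["uid"][0] for e in dst if "uid" in e}
    return sorted((locked(parse_ldif(source_ldif)) & present) - locked(dst))
```

Each uid returned by reenabled() is an account to disable again on the new server, for example with ipa user-disable.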