ipa-migrate - Man Page

Migrate an IPA server from one machine to another

Synopsis

ipa-migrate

Description

Use the ipa-migrate command to migrate one IPA server to an existing local IPA server installation.

Migrate the IPA schema, configuration, and database to a local IPA server. This migration can be done online, where the tool queries the remote server, or offline, where LDIF files are provided. Online and offline can be mixed: for example, you could migrate the schema and configuration online and then use an exported LDIF file for the database migration portion (this may be more useful for very large databases, since you do not need to worry about network interruptions).

Positional Arguments

prod-mode

In this mode everything is migrated, including the current user SIDs and DNA ranges.

stage-mode

In this mode, SIDs and DNA ranges are not migrated, and DNA attributes are reset.

Commands

-v,  --verbose

Use verbose output while running the migration tool.

-e, --hostname=HOSTNAME

The host name of the remote IPA server that is being migrated from.

-D, --bind-dn=BIND_DN

The Bind DN (Distinguished Name) of an LDAP entry to bind to the remote IPA server with. Typically this is "cn=directory manager", but it could be any entry that has access to read the userPassword attribute. If omitted, the default is "cn=directory manager".

-w, --bind-pw=PASSWORD

The password for the Bind DN that is authenticating against the remote IPA server. If a password is not provided, the tool will prompt for the password if needed.

-j, --bind-pw-file=FILE_PATH

Path to a file containing the password for the Bind DN.

-Z, --cacertfile=FILE_PATH

Path to a file containing a CA certificate that the remote server trusts.

-l, --log-file=FILE_PATH

Path to the file that will contain the migration log. By default the tool uses /var/log/ipa-migrate.log.

-x,  --dryrun

Go through the migration process but do not write any data to the new IPA server.

-o, --dryrun-record=FILE_PATH

Go through the migration process but do not write any data to the new IPA server. However, write the migration operations to an LDIF file which can be applied later or reused for multiple migrations.

-r,  --reset-range

Reset the ID range for migrated users/groups. In "stage-mode" this is done automatically.

-F,  --force

Ignore any errors and continue with the migration.

-q,  --quiet

Only log errors during the migration process.

-B,  --migrate-dns

Migrate the DNS records.

-S,  --skip-schema

Do not migrate the database schema.

-C,  --skip-config

Do not migrate the database configuration (dse.ldif/cn=config).

-O,  --schema-overwrite

Overwrite existing schema definitions.  By default duplicate schema is skipped.

-s, --subtree=DN

Specifies a custom database subtree that should be included in the migration. This is only needed if non-default subtrees/branches were added to the database outside of IPA.

-f, --db-ldif=FILE_PATH

LDIF file containing the entire backend. If omitted the tool will query the remote IPA server.

-m, --schema-ldif=FILE_PATH

LDIF file containing the schema. If omitted the tool will query the remote IPA server.

-g, --config-ldif=FILE_PATH

LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server.

-n,  --no-prompt

Do not prompt for confirmation before starting migration.  Use at your own risk!
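The mixed online/offline workflow from the Description section, as an added example that is not part of this man page or of the FreeIPA project: the schema and cn=config are pulled from the remote server online, the backend comes from an exported LDIF given with -f, the bind password is read from a file whose permissions are checked first, and a -o dry-run record is written and reviewed before the real run. The hostname, CA certificate path and LDIF paths are constructed placeholders.

```shell
#!/bin/sh
# Added example; not code from the ipa-migrate man page or FreeIPA.
set -eu

# Refuse a bind password file that group or world can access.
# Returns 0 if only the owner has any permission bits, 1 otherwise.
check_pw_file() {
    f=$1
    [ -f "$f" ] || { echo "missing password file: $f" >&2; return 1; }
    # columns 5-10 of ls -ld are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c5-10)
    case $perms in
        ------) return 0 ;;
        *) echo "$f is group/world accessible ($perms)" >&2; return 1 ;;
    esac
}

# Print the ipa-migrate argument list, one argument per line, so a caller
# can review it. A fifth argument adds -o/--dryrun-record for a rehearsal.
build_cmd() {
    mode=$1 host=$2 pwfile=$3 dbldif=$4 record=${5:-}
    set -- ipa-migrate "$mode" --hostname="$host" \
        --bind-dn="cn=directory manager" --bind-pw-file="$pwfile" \
        --cacertfile=/etc/ipa/ca.crt --db-ldif="$dbldif"
    [ -n "$record" ] && set -- "$@" --dryrun-record="$record"
    printf '%s\n' "$@"
}

# Full procedure: permission check, rehearsal with -o, then the real run.
# Schema and cn=config are fetched online; the backend comes from $3.
run_migration() {
    host=$1 pwfile=$2 dbldif=$3 record=/root/ipa-migrate-record.ldif
    check_pw_file "$pwfile" || return 1
    # 1. Rehearsal: nothing is written to the local server, the would-be
    #    operations land in $record for review.
    build_cmd prod-mode "$host" "$pwfile" "$dbldif" "$record" > /dev/null
    ipa-migrate prod-mode --hostname="$host" --bind-dn="cn=directory manager" \
        --bind-pw-file="$pwfile" --cacertfile=/etc/ipa/ca.crt \
        --db-ldif="$dbldif" --dryrun-record="$record"
    printf 'rehearsal wrote %s entries to %s; review before continuing\n' \
        "$(grep -c '^dn:' "$record")" "$record"
    # 2. Real run, after the record has been reviewed.
    ipa-migrate prod-mode --hostname="$host" --bind-dn="cn=directory manager" \
        --bind-pw-file="$pwfile" --cacertfile=/etc/ipa/ca.crt \
        --db-ldif="$dbldif"
}
```

Call `run_migration ipa1.example.test /root/dm.pw /root/userRoot.ldif` (placeholder values) on the new server; the rehearsal record can also be reused for further migrations as the -o option describes.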

Post Migration

- The server is left in migration-mode so that the migrated users can more easily reset their passwords either by authenticating via SSSD or using the web-based password migration page. This authentication will generate new Kerberos keys. After passwords are reset the server should be taken out of migration mode.

- All hosts are preserved, but they will need to be re-enrolled using ipa-client-install (e.g. ipa-client-install --uninstall && ipa-client-install).

- All certificates should be re-issued against the new CA.

- Any manually created keytabs will need to be re-created using ipa-getkeytab.

- Vaults are not migrated and will have to be re-created.

- Sub CAs are not migrated and will have to be re-created.

Exit Status

0 If the command was successful

1 If an error occurred

2 If the local host or remote host is not an IPA server, the IPA server installation is faulty, or the realm can not be determined

Info

Apr 2 2024 IPA Manual Pages