ipa-migrate - Man Page
Migrate an IPA server from one machine to another
Synopsis
ipa-migrate
Description
Use the ipa-migrate command to migrate one IPA server to an existing local IPA server installation.
Migrate the IPA schema, configuration, and database to a local IPA server. The migration can be done online, where the tool queries the remote server directly, or offline, where exported LDIF files are provided instead. Online and offline sources can be mixed: for example, the schema and configuration can be migrated online while the database portion is read from an exported LDIF file. This is useful for very large databases, since a network interruption cannot abort the bulk transfer.
Positional Arguments
- prod-mode
In this mode everything is migrated, including the current user SIDs and DNA ranges.
- stage-mode
In this mode SIDs and DNA ranges are not migrated, and DNA attributes are reset.
Commands
- -v, --verbose
Use verbose output while running the migration tool.
- -e, --hostname=HOSTNAME
The host name of the remote IPA server that is being migrated from.
- -D, --bind-dn=BIND_DN
The Bind DN (Distinguished Name) of an LDAP entry to bind to the remote IPA server with. Typically this is "cn=directory manager", but it can be any entry that has access to read the userPassword attribute. If omitted, the default is "cn=directory manager".
- -w, --bind-pw=PASSWORD
The password for the Bind DN that is authenticating against the remote IPA server. If a password is not provided, the tool will prompt for it when needed. Note that a password passed on the command line is visible in process listings and shell history; prefer --bind-pw-file.
- -j, --bind-pw-file=FILE_PATH
Path to a file containing the password for the Bind DN. The file should be readable only by the user running the tool.
- -Z, --cacertfile=FILE_PATH
Path to a file containing the CA certificate used to verify the remote IPA server's TLS certificate (typically the remote deployment's IPA CA certificate).
- -l, --log-file=FILE_PATH
Path to the file the migration log is written to. By default the tool uses /var/log/ipa-migrate.log.
- -x, --dryrun
Go through the migration process but do not write any data to the new IPA server.
- -o, --dryrun-record=FILE_PATH
Go through the migration process but do not write any data to the new IPA server. However, write the migration operations to an LDIF file which can be applied later or reused for multiple migrations.
- -r, --reset-range
Reset the ID range for migrated users/groups. In "stage-mode" this is done automatically.
- -F, --force
Ignore errors and continue with the migration.
- -q, --quiet
Only log errors during the migration process.
- -B, --migrate-dns
Migrate the DNS records.
- -S, --skip-schema
Do not migrate the database schema.
- -C, --skip-config
Do not migrate the database configuration (dse.ldif/cn=config).
- -O, --schema-overwrite
Overwrite existing schema definitions. By default duplicate schema is skipped.
- -s, --subtree=DN
Specifies a custom database subtree that should be included in the migration. This is only needed if non-default subtrees/branches were added to the database outside of IPA.
- -f, --db-ldif=FILE_PATH
LDIF file containing the entire backend. If omitted the tool will query the remote IPA server.
- -m, --schema-ldif=FILE_PATH
LDIF file containing the schema. If omitted the tool will query the remote IPA server.
- -g, --config-ldif=FILE_PATH
LDIF file containing the entire "cn=config" DIT. If omitted the tool will query the remote IPA server.
- -n, --no-prompt
Do not prompt for confirmation before starting migration. Use at your own risk!
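The following wrapper is an added example and is not part of ipa-migrate or of this man page. It drives a migration in the order the Description and options above suggest: verify that the Directory Manager password file is protected, bind to the remote server over TLS with an explicit CA certificate (-Z), run a recorded dry run (-o) so the pending operations can be reviewed as LDIF, and only then perform the real run. Passing a database LDIF as the optional fifth argument selects the mixed mode from the Description (schema and cn=config fetched online, database read from the file); exporting that LDIF from the old server is outside this page and is not shown. The host names and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of ipa-migrate itself: a wrapper that drives the
# migration in the order the page describes (recorded dry run first, the real
# run only after the recorded LDIF has been reviewed). Only flags documented on
# this page are used; host names and file paths are assumptions.
set -eu

# check_mode MODE: ipa-migrate accepts exactly two positional modes.
check_mode() {
    case "$1" in
        prod-mode|stage-mode) return 0 ;;
        *) echo "mode must be prod-mode or stage-mode, got '$1'" >&2; return 1 ;;
    esac
}

# check_pwfile FILE: -j keeps the Directory Manager password out of ps output
# and shell history, but only if the file itself is unreadable to other users.
check_pwfile() {
    [ -f "$1" ] || { echo "password file $1 not found" >&2; return 1; }
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")  # GNU stat, then BSD
    case "$mode" in
        600|400) return 0 ;;
        *) echo "password file $1 has mode $mode; expected 600 or 400" >&2; return 1 ;;
    esac
}

# migrate_argv MODE HOST PWFILE CACERT [DB_LDIF]: print the ipa-migrate
# argument list, one argument per line. CACERT is the CA that issued the
# remote server's LDAP certificate (-Z), so the bind goes to a verified server
# rather than to whatever answers on that host name. With DB_LDIF, schema and
# cn=config are still fetched online while the database comes from the LDIF
# (the mixed online/offline mode described in the Description).
migrate_argv() {
    check_mode "$1" || return 1
    printf '%s\n' "$1" -e "$2" -D "cn=directory manager" -j "$3" -Z "$4" \
        -l /var/log/ipa-migrate.log
    if [ -n "${5:-}" ]; then
        printf '%s\n' -f "$5"
    fi
}

# run_migration MODE HOST PWFILE CACERT [DB_LDIF]
run_migration() {
    check_pwfile "$3"
    argv=$(migrate_argv "$@") || return 1
    record="/root/ipa-migrate-record-$(date +%Y%m%d-%H%M%S).ldif"
    # Re-split the argument list on newlines only, with globbing disabled.
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $argv
    set +f
    IFS=$old_ifs
    # 1. Recorded dry run: nothing is written to the local server; the LDIF of
    #    pending operations is the artifact to review before committing.
    ipa-migrate -o "$record" "$@"
    echo "recorded dry run in $record; review it before applying" >&2
    # 2. Apply only when explicitly asked for.
    if [ "${APPLY:-0}" = 1 ]; then
        ipa-migrate "$@"
    else
        echo "re-run with APPLY=1 to perform the migration" >&2
    fi
}

# Usage: ./migrate.sh stage-mode old-ipa.example.com /root/dm.pw /root/old-ca.crt [/root/userRoot.ldif]
#        APPLY=1 ./migrate.sh prod-mode old-ipa.example.com /root/dm.pw /root/old-ca.crt
[ $# -eq 0 ] || run_migration "$@"
```

Run it with stage-mode first as a rehearsal: per the mode descriptions above, migrated users then receive fresh SIDs and DNA values rather than the old deployment's, so the rehearsal cannot collide with production identifiers. Use prod-mode for the actual cutover, and only add -n once the recorded LDIF from the dry run has been read.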
Post Migration
- The server is left in migration-mode so that the migrated users can more easily reset their passwords either by authenticating via SSSD or using the web-based password migration page. This authentication will generate new Kerberos keys. After passwords are reset the server should be taken out of migration mode.
- All hosts are preserved, but they will need to be re-enrolled using ipa-client-install (e.g. ipa-client-install --uninstall && ipa-client-install).
- All certificates should be re-issued against the new CA.
- Any manually created keytabs will need to be re-created using ipa-getkeytab.
- Vaults are not migrated and will have to be re-created.
- Sub CAs are not migrated and will have to be re-created.
Exit Status
0 If the command was successful
1 If an error occurred
2 If the local host or remote host is not an IPA server, the IPA server installation is faulty, or the realm cannot be determined