{"id":18675454,"url":"https://github.com/manuparra/ipamigration","last_synced_at":"2026-01-23T09:01:41.958Z","repository":{"id":79159298,"uuid":"142776637","full_name":"manuparra/IPAmigration","owner":"manuparra","description":"IPA migration from OpenLDAP","archived":false,"fork":false,"pushed_at":"2018-07-29T16:28:36.000Z","size":3,"stargazers_count":10,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-12-27T20:33:56.022Z","etag":null,"topics":["ipa","ldap","ldap-authentication","openldap"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/manuparra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-29T16:25:16.000Z","updated_at":"2024-11-23T11:11:54.000Z","dependencies_parsed_at":"2023-02-28T01:01:04.662Z","dependency_job_id":null,"html_url":"https://github.com/manuparra/IPAmigration","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manuparra%2FIPAmigration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manuparra%2FIPAmigration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manuparra%2FIPAmigration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manuparra%2FIPAmigration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/manuparra","download_url":"https://codeload.github.com/
manuparra/IPAmigration/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239520187,"owners_count":19652644,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ipa","ldap","ldap-authentication","openldap"],"created_at":"2024-11-07T09:24:59.623Z","updated_at":"2025-11-07T05:30:40.700Z","avatar_url":"https://github.com/manuparra.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Migrate from OpenLDAP to IPA Server\n\nInstructions for migrating an OpenLDAP service to IPA.\n\n## Config files, data and aspects to consider\n\nIf you haven't installed the FreeIPA server yet, follow this tutorial (including a replica) [](Git)\n\nConfiguration file for the LDAP service on the IPA server:\n```\ncat /etc/openldap/ldap.conf\n```\n\nThis file contains the client setup for the LDAP service. It is kept in line with the IPA service and contains the schema and parameters set by the IPA server.\n\nIn this case, you would use:\n\n```\nldapsearch -x uid=admin\n```\nwithout parameters such as *host*, *port*, *URI* or *base-dn*, because the IPA installation has already configured them in ```/etc/openldap/ldap.conf```.\n\nYou can use either IPA commands or LDAP commands to interact with the directory service. We have chosen to perform the migration with the IPA tools and to complete some steps with LDAP commands.\n\n\n## Starting migration\n\n\nReview your old LDAP directory on its server and run queries against it, in order to decide which branch or subtree will be imported.\n\nSearch in your old OpenLDAP server:\n\n```\nldapsearch -h myOldServerLDAP -D \"cn=adm,dc=ugr,dc=es\" -W -b \"ou=users,dc=ugr,dc=es\"\n```\nHere we bind as ``admin`` because we want to see everything (including the hashed passwords).\n\n## Start session on IPA Server\n\nStart an IPA session with ``admin`` credentials:\n\n```\nkinit admin\n```\n\nEnable IPA migration mode (after the migration, remember to disable it again):\n```\nipa config-mod --enable-migration=TRUE\n```\nIt returns the following:\n```\nipa: ERROR: no modifications to be performed\n```\nThis is fine: it means the mode was already TRUE.\n\n## IPA Migration from OpenLDAP to IPA Server\n\nThe command below:\n\n- Works around the error ```missing attribute \"sn\" required by object class \"organizationalPerson\"``` by adding ```--user-ignore-attribute=\"sn\"``` and ```--user-ignore-objectclass={organizationalPerson,inetOrgPerson,person}```\n- Imports the whole directory (users)\n- Imports the passwords: binding with ```--bind-dn=\"cn=admin,ou=...``` lets it search the remote LDAP and read the password hashes\n- Uses the remote OpenLDAP server ``myOldServerLDAP``\n\n\nThe command is:\n\n```\nipa migrate-ds --base-dn=\"dc=ugr,dc=es\" \\\n  --bind-dn=\"cn=adm,ou=usr,dc=ugr,dc=es\" \\\n  ldap://myOldServerLDAP --user-objectclass=account  \\\n  --group-objectclass=organizationalUnit  \\\n  --user-container=\"ou=users\" \\\n  --group-container=\"ou=users\" \\\n  --group-objectclass=\"account\" \\\n  --continue  --group-overwrite-gid --schema=\"RFC2307\" \\\n  --user-ignore-attribute=\"sn\" \\\n  --user-ignore-objectclass={organizationalPerson,inetOrgPerson,person}\n```\n\n*This command is poorly documented: there are no examples, many things are left at their defaults, and the error output is not very detailed.*\n\nOnce all users and groups are migrated, each user needs to validate their password because of Kerberos: each user must go to http://server.ipa/ipa/migration and enter their credentials, in order to enable the password for Kerberos in the new IPA server.\n\nThe output at the end will show:\n\n```\nPasswords have been migrated in pre-hashed format. IPA is unable to generate Kerberos keys unless provided with clear text passwords. All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.\n```\n\nAt this point you can authenticate on the main FreeIPA website with your (now *Kerberized*) credentials, change your attributes and the like, and log in to servers over SSH if enabled (on hosts with the IPA client installed).\n\n\n## How to use LDAP commands in FreeIPA\n\nRemember that FreeIPA uses ``-D \"cn=Directory Manager\"`` to access the main tree.\n\nDeleting entries with the OpenLDAP tools inside FreeIPA (the new LDAP directory provided by FreeIPA, not the old OpenLDAP server):\n\nDelete a group:\n```\nldapdelete -D \"cn=Directory Manager\" -h freeipa.imuds \"cn=manuel jesus parra royn,cn=groups,cn=accounts,dc=imuds\" -W\n```\n\nDelete a user:\n```\nldapdelete -D \"cn=Directory Manager\" -h freeipa.imuds \"cn=mparra,cn=users,cn=accounts,dc=imuds\" -W\n```\n\nAdd a new user:\n\nThis is strongly discouraged, because you would need to know the IPA server's LDAP rules; use ```ipa migrate-ds``` instead.\n\nExample:\n\n```\nldapadd -x -h freeipa.imuds -D \"cn=Directory Manager\" -c -f mparra.ldif\n```\n\nIf the user definition in the ``ldif`` file contains a user password, it returns an error: ```Password cannot imported hashed```\n\n# Post migration\n\nAfter the migration, only a few directory maintenance tasks remain. If no default group assignment was specified for the imported users, it adds, regardless of the group, the users and a group for each user (the user group).\nThese groups are migrated and associated with the user, but by default IPA also places users in several default groups to keep them organized. So, now that users have their correct password within IPA (validated through the password migration web page), all that is left to do is to re-establish the user groups or clean them up.\n\n# IPA Commands and recipes\n\nSearch users:\n\n``ipa user-find``\n\nSearch all users:\n\n``ipa user-find --all``\n\nShow user details:\n\n```ipa user-show mparra```\n\nShow all user details:\n\n```ipa user-show mparra --all```\n\nCreate a new user:\n\nA minimal creation requires the username, first name, surname and email; every other parameter is set by default (including uid, gid, etc.).\n\n```ipa user-create mparra --email=\"mparra@cookingbigdata.com\"```\n\nDelete users:\n\n```ipa user-del mparra```\n\nCreate a group:\n\n```ipa group-create bigdata```\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmanuparra%2Fipamigration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmanuparra%2Fipamigration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmanuparra%2Fipamigration/lists"}