Hi,

> Hi all,
>
> I'm part of the CMU Computer Club and our Kerberos/LDAP deployment has
> been a pain point for quite some time. I've heard that FreeIPA might
> be a solution worth exploring.
>
> I would like to try to avoid user visible disruption if possible,
> however. This means that we would like to keep our Kerberos realm
> name, keep AFS cross-realm authentication working, etc. UIDs
> remaining the same would be good; I'd have to think about

We don't use cross realm. We created a new realm with a new name. We used `ipa migrate-ds` to migrate users/groups with uids.
Because we couldn't migrate the user passwords from the old to the new realm, we reset the users' passwords in the new IPA realm and let the users input a new password once.

> Essentially all of our clients are various flavors of Debian; mostly
> Jessie (we have an unfortunate number of older machines that I hope to
> upgrade soon).
>
> Has anyone done something like this before? Anyone have any ideas
> what the migration path would look like or whether this is even
> possible?

I have the same situation. We have an old MIT Kerberos / OpenLDAP system which we have to migrate. We use FreeIPA 4.2 on Fedora 23 and the current OpenAFS release and simply said: it works. Our first milestone was to migrate web platforms and everything behind them (Apache with Kerberos auth and data in AFS) first, and after that, with more experience with the AFS / FreeIPA combination, we want to migrate the user homes and client desktops.

> Thanks,
>
> Grant Wu
> gran...@andrew.cmu.edu <mailto:gran...@andrew.cmu.edu>

regards,
Andreas