Re: [Freeipa-users] Export data
Hi Martin,

Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?

Regards,
Suhail.
DevOps
BSkyB.

From: Martin Kosek [mko...@redhat.com]
Sent: 22 January 2014 13:30
To: Choudhury, Suhail; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Export data

On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
> Hi guys,
>
> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>
> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

You can either export them via ldapsearch:

    $ kinit admin
    $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'

... or write a Python script to do what you want. Very simple example:

    $ kinit admin
    $ python
    >>> from ipalib import api
    >>> api.bootstrap()
    >>> api.finalize()
    >>> api.Backend.xmlclient.connect()
    >>> users = api.Command.user_find()
    >>> for user in users['result']:
    ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
    ...
    admin:191360:191360
    tuser:191361:191361

Martin

Information in this email including any attachments may be privileged, confidential and is intended exclusively for the addressee. The views expressed may not be official policy, but the personal views of the originator. If you have received it in error, please notify the sender by return e-mail and delete it from your system. You should not reproduce, distribute, store, retransmit, use or disclose its contents to anyone. Please note we reserve the right to monitor all e-mail communication through our internal and external networks. SKY and the SKY marks are trademarks of British Sky Broadcasting Group plc and Sky International AG and are used under licence. British Sky Broadcasting Limited (Registration No. 2906991), Sky-In-Home Service Limited (Registration No. 2067075) and Sky Subscribers Services Limited (Registration No. 2340150) are direct or indirect subsidiaries of British Sky Broadcasting Group plc (Registration No. 2247735). All of the companies mentioned in this paragraph are incorporated in England and Wales and share the same registered office at Grant Way, Isleworth, Middlesex TW7 5QD.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Export data
Similarly to users, you just use the right container:

    $ kinit admin
    $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=dns,dc=example,dc=com'

There are plenty of resources online on how to work with ldapsearch, ldapmodify and resulting LDIFs that could help get you started.

Martin

On 02/19/2014 04:33 PM, Choudhury, Suhail wrote:
> Hi Martin,
>
> Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?
>
> Regards,
> Suhail.
> DevOps
> BSkyB.
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: 22 January 2014 13:30
> To: Choudhury, Suhail; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Export data
>
> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>> Hi guys,
>>
>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>
>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>
> You can either export them via ldapsearch:
>
>     $ kinit admin
>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>
> ... or write a Python script to do what you want. Very simple example:
>
>     $ kinit admin
>     $ python
>     >>> from ipalib import api
>     >>> api.bootstrap()
>     >>> api.finalize()
>     >>> api.Backend.xmlclient.connect()
>     >>> users = api.Command.user_find()
>     >>> for user in users['result']:
>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>     ...
>     admin:191360:191360
>     tuser:191361:191361
>
> Martin
Re: [Freeipa-users] Export data
Choudhury, Suhail wrote:
> Hi Martin,
>
> Thanks for your previous answer. And how can I export a list of DNS entries using ldapsearch?

He included the basics in his previous answer:

    $ kinit admin
    $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'

You can append the command with the list of attributes you want, and suppress a bunch of the extraneous output with -LLL, so something like:

    $ ldapsearch -LLL -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com' dn

rob

> Regards,
> Suhail.
> DevOps
> BSkyB.
>
> From: Martin Kosek [mko...@redhat.com]
> Sent: 22 January 2014 13:30
> To: Choudhury, Suhail; freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Export data
>
> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>> Hi guys,
>>
>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>
>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>
> You can either export them via ldapsearch:
>
>     $ kinit admin
>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>
> ... or write a Python script to do what you want. Very simple example:
>
>     $ kinit admin
>     $ python
>     >>> from ipalib import api
>     >>> api.bootstrap()
>     >>> api.finalize()
>     >>> api.Backend.xmlclient.connect()
>     >>> users = api.Command.user_find()
>     >>> for user in users['result']:
>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>     ...
>     admin:191360:191360
>     tuser:191361:191361
>
> Martin
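Added example, not part of the original thread or of FreeIPA's code: a small parser that turns `ldapsearch -LLL` output into records a script can consume, handling folded lines and base64 (`::`) values, and printing the same uid:uidNumber:gidNumber lines as the ipalib loop in the thread. The sample LDIF, the requested attribute list (uid uidNumber gidNumber cn) and the function names are constructed for illustration.

```python
import base64

# Constructed sample of `ldapsearch -LLL ... uid uidNumber gidNumber cn` output.
# Not from a real server: it contains one folded DN and one base64 ("::") value.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=com
uid: admin
uidNumber: 191360
gidNumber: 191360
cn: Administrator

dn: uid=tuser,cn=users,cn=accounts,dc=exampl
 e,dc=com
uid: tuser
uidNumber: 191361
gidNumber: 191361
cn:: VMOpc3QgVXNlcg==
"""


def unfold(text):
    """Join LDIF continuation lines (a line starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries mapping lower-cased attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):           # comment lines (present without -LLL)
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("not an attribute line: %r" % line)
        if rest.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        elif rest.startswith("<"):         # "attr:< url" is never dereferenced
            continue
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def passwd_lines(entries):
    """Format user entries as uid:uidNumber:gidNumber; skip incomplete entries."""
    wanted = ("uid", "uidnumber", "gidnumber")
    return ["%s:%s:%s" % tuple(e[k][0] for k in wanted)
            for e in entries if all(k in e for k in wanted)]


if __name__ == "__main__":
    for line in passwd_lines(parse_ldif(SAMPLE_LDIF)):
        print(line)
```

Naming only the attributes the consumer needs on the ldapsearch command line, as suggested above, also keeps unneeded attributes out of the export file.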
Re: [Freeipa-users] Export data
Dimitar, this is actually a very good question. Our team have been discussing the best way to back up and restore a FreeIPA infrastructure for some time. In FreeIPA 3.2, we introduced ipa-backup and ipa-restore scripts which we are evaluating, but we still think that the best way to backup and restore may be simply creating replicas and/or system snapshots.

You can read full details in this article:
http://www.freeipa.org/page/Backup_and_Restore

Feedback welcome,
Martin

On 01/23/2014 05:03 PM, Dimitar Georgievski wrote:
> In my case DNS is not an issue, FreeIPA is integrated with existing DNS servers.
>
> The above procedure would work for migrating the user's data to a new IPA server that has a new host name.
>
> What if I would like to restore the original IPA server? Could I repeat the above steps with the exception of #4, in which I would restore backed-up certificates and keytab files. This should avoid the need to regenerate them, no?
>
> In short how would you perform a full back-up and restore of the Primary IPA server? I understand this is not a trivial task for the IPA server and from what I've learned it is probably not fully supported in the current ver 3.x.
>
> Thanks,
> Dimitar
>
> On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek mko...@redhat.com wrote:
>> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>>> Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?
>>>
>>> No, that generally won't work. There's more to IPA than the data in LDAP.
>>> Instead of copying data you should install the new server as a replica of the old one.
>>
>> That would give you FreeIPA with the same domain, realm or certificate subject name. If you want to start with different settings, I would recommend:
>>
>> 1) Installing new IPA server
>> 2) Using ipa migrate-ds command to migrate users and groups
>> 3) Use ldapsearch and ldapmodify to migrate DNS (you may need to change the DN in the LDIF file to use correct SUFFIX if the realm changed)
>> 4) For all hosts - unenroll and enroll again against the new IPA. This is needed to regenerate the new certificates or host keytab
>>
>> HTH,
>> Martin
Re: [Freeipa-users] Export data
In my case DNS is not an issue, FreeIPA is integrated with existing DNS servers.

The above procedure would work for migrating the user's data to a new IPA server that has a new host name.

What if I would like to restore the original IPA server? Could I repeat the above steps with the exception of #4, in which I would restore backed-up certificates and keytab files. This should avoid the need to regenerate them, no?

In short how would you perform a full back-up and restore of the Primary IPA server? I understand this is not a trivial task for the IPA server and from what I've learned it is probably not fully supported in the current ver 3.x.

Thanks,
Dimitar

On Thu, Jan 23, 2014 at 1:32 AM, Martin Kosek mko...@redhat.com wrote:
> On 01/22/2014 06:57 PM, Petr Viktorin wrote:
>> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>>> Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?
>>
>> No, that generally won't work. There's more to IPA than the data in LDAP.
>> Instead of copying data you should install the new server as a replica of the old one.
>
> That would give you FreeIPA with the same domain, realm or certificate subject name. If you want to start with different settings, I would recommend:
>
> 1) Installing new IPA server
> 2) Using ipa migrate-ds command to migrate users and groups
> 3) Use ldapsearch and ldapmodify to migrate DNS (you may need to change the DN in the LDIF file to use correct SUFFIX if the realm changed)
> 4) For all hosts - unenroll and enroll again against the new IPA. This is needed to regenerate the new certificates or host keytab
>
> HTH,
> Martin
[Freeipa-users] Export data
Hi guys,

I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.

Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

--
Regards,
Suhail.
DevOps(Recs),
BSkyB.
Re: [Freeipa-users] Export data
On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
> Hi guys,
>
> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>
> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.

You can either export them via ldapsearch:

    $ kinit admin
    $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'

... or write a Python script to do what you want. Very simple example:

    $ kinit admin
    $ python
    >>> from ipalib import api
    >>> api.bootstrap()
    >>> api.finalize()
    >>> api.Backend.xmlclient.connect()
    >>> users = api.Command.user_find()
    >>> for user in users['result']:
    ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
    ...
    admin:191360:191360
    tuser:191361:191361

Martin
Re: [Freeipa-users] Export data
Martin Kosek wrote:
> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>> Hi guys,
>>
>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>
>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>
> You can either export them via ldapsearch:
>
>     $ kinit admin
>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>
> ... or write a Python script to do what you want. Very simple example:
>
>     $ kinit admin
>     $ python
>     >>> from ipalib import api
>     >>> api.bootstrap()
>     >>> api.finalize()
>     >>> api.Backend.xmlclient.connect()
>     >>> users = api.Command.user_find()
>     >>> for user in users['result']:
>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>     ...
>     admin:191360:191360
>     tuser:191361:191361

Be aware that there are some search limits too, both in size and time. Some of this is configurable from the client side, some on the server.

rob
Re: [Freeipa-users] Export data
On 22.1.2014 14:40, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>>> Hi guys,
>>>
>>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>>
>>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>>
>> You can either export them via ldapsearch:
>>
>>     $ kinit admin
>>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>>
>> ... or write a Python script to do what you want. Very simple example:
>>
>>     $ kinit admin
>>     $ python
>>     >>> from ipalib import api
>>     >>> api.bootstrap()
>>     >>> api.finalize()
>>     >>> api.Backend.xmlclient.connect()
>>     >>> users = api.Command.user_find()
>>     >>> for user in users['result']:
>>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>>     ...
>>     admin:191360:191360
>>     tuser:191361:191361
>
> Be aware that there are some search limits too, both in size and time. Some of this is configurable from the client side, some on the server.

You can use standard zone transfer for DNS. See:
https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html

--
Petr^2 Spacek
Re: [Freeipa-users] Export data
Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?

Thanks
Dimitar

On Wed, Jan 22, 2014 at 8:52 AM, Petr Spacek pspa...@redhat.com wrote:
> On 22.1.2014 14:40, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>>>> Hi guys,
>>>>
>>>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>>>
>>>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>>>
>>> You can either export them via ldapsearch:
>>>
>>>     $ kinit admin
>>>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>>>
>>> ... or write a Python script to do what you want. Very simple example:
>>>
>>>     $ kinit admin
>>>     $ python
>>>     >>> from ipalib import api
>>>     >>> api.bootstrap()
>>>     >>> api.finalize()
>>>     >>> api.Backend.xmlclient.connect()
>>>     >>> users = api.Command.user_find()
>>>     >>> for user in users['result']:
>>>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>>>     ...
>>>     admin:191360:191360
>>>     tuser:191361:191361
>>
>> Be aware that there are some search limits too, both in size and time. Some of this is configurable from the client side, some on the server.
>
> You can use standard zone transfer for DNS. See:
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
> https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html
>
> --
> Petr^2 Spacek
Re: [Freeipa-users] Export data
On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
> Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?

No, that generally won't work. There's more to IPA than the data in LDAP.
Instead of copying data you should install the new server as a replica of the old one.

> Thanks
> Dimitar
>
> On Wed, Jan 22, 2014 at 8:52 AM, Petr Spacek pspa...@redhat.com wrote:
>> On 22.1.2014 14:40, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/22/2014 01:48 PM, Choudhury, Suhail wrote:
>>>>> Hi guys,
>>>>>
>>>>> I am trying to get a dump of all users, hosts and DNS entries from IPA so we can run scripts/Puppet against them.
>>>>>
>>>>> Tried searching for it but cannot find anything, so was hoping someone can give some hints on how best to do this please.
>>>>
>>>> You can either export them via ldapsearch:
>>>>
>>>>     $ kinit admin
>>>>     $ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=users,cn=accounts,dc=example,dc=com'
>>>>
>>>> ... or write a Python script to do what you want. Very simple example:
>>>>
>>>>     $ kinit admin
>>>>     $ python
>>>>     >>> from ipalib import api
>>>>     >>> api.bootstrap()
>>>>     >>> api.finalize()
>>>>     >>> api.Backend.xmlclient.connect()
>>>>     >>> users = api.Command.user_find()
>>>>     >>> for user in users['result']:
>>>>     ...     print("%s:%s:%s" % (user['uid'][0], user['uidnumber'][0], user['gidnumber'][0]))
>>>>     ...
>>>>     admin:191360:191360
>>>>     tuser:191361:191361
>>>
>>> Be aware that there are some search limits too, both in size and time. Some of this is configurable from the client side, some on the server.
>>
>> You can use standard zone transfer for DNS. See:
>> https://www.redhat.com/archives/freeipa-users/2013-September/msg00022.html
>> https://www.redhat.com/archives/freeipa-users/2013-September/msg00047.html

--
Petr³
Re: [Freeipa-users] Export data
On 01/22/2014 06:57 PM, Petr Viktorin wrote:
> On 01/22/2014 06:26 PM, Dimitar Georgievski wrote:
>> Would you use ldapmodify -f file-name-with-exported-data to import the data back to a new copy of FreeIPA?
>
> No, that generally won't work. There's more to IPA than the data in LDAP.
> Instead of copying data you should install the new server as a replica of the old one.

That would give you FreeIPA with the same domain, realm or certificate subject name. If you want to start with different settings, I would recommend:

1) Installing new IPA server
2) Using ipa migrate-ds command to migrate users and groups
3) Use ldapsearch and ldapmodify to migrate DNS (you may need to change the DN in the LDIF file to use correct SUFFIX if the realm changed)
4) For all hosts - unenroll and enroll again against the new IPA. This is needed to regenerate the new certificates or host keytab

HTH,
Martin