Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On Feb 3, 2011, at 11:41 , Dmitri Pal wrote:

> On 02/03/2011 10:51 AM, Peter Doherty wrote:
> > On Feb 3, 2011, at 10:35 , Stephen Gallagher wrote:
> > > From the earlier points of the discussion, schema migration is planned for upgrades from 2.0.0 to future versions. It's only something that was left out of the alpha/beta process because things were still in churn and those releases were never intended to be in production. Once 2.0.0 is baked, obviously the upgrade path will need to be clean.
> >
> > Is there a plan to include the ability for users of 1.2 to migrate to 2.0? I'd consider setting up and using 1.2 right now if I know that I can migrate to 2.0 when the stable release comes out.
>
> This is a use case that we have in mind. v1 is treated as an external DS though. This migration is planned through the migrate-ds + SSSD or special page to migrate passwords. The v1 and v2 schemas are drastically different but v1 just has users and groups and migrate-ds script takes care of it. This is well covered in the migration guide.

snip

Thanks Dmitri

For the curious out there, I set up a FreeIPA 1.2 server and recreated all the users and groups, and dumped and imported the other LDAP info (mostly automount maps). User passwords were reset. It took most of a day, but things are running again.

If/when there's a migration path into v2 I'll look into it. From what I've seen the feature set in v2 is nice, I'm looking forward to seeing the final product.

Peter

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 05:15 PM, Ian Stokes-Rees wrote:

> Or perhaps there is a very long road of beta versions that will come out over the next several years before a final 2.0 release appears.

While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2

What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15.

So it's probably safe to assume that 2.0 is not several years away. I'd say we're looking at weeks, not months or years at this point.

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
> While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2
>
> What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15.
>
> So it's probably safe to assume that 2.0 is not "several years" away. I'd say we're looking at weeks, not months or years at this point.

Thanks for that link. I see:

Targeted release: Fedora 15
Last updated: 01/12/11
Percentage of completion: 80%

In a way, I find this even more worrying since it sounds like FreeIPA will either be pushed out too early (can schema migration be left out, or be implemented but untested?) or will miss Fedora 15 and we won't see it until Fedora 16 (end of summer or autumn).

I don't see how something as fundamental as a directory server can be mostly finalized (feature freeze, and bug fix only state) in a few weeks when the developers themselves say "we reset our FreeIPA DS from scratch every day", suggesting that no one (?) has tested it in an operational state with real users and systems for an extended period (at least days, but really for weeks or more).

If you think one frustrated group (us) right now is annoying, just wait to see what happens if FreeIPA v2.0 *does* go out with Fedora 15 in a few months and lots of people eagerly install it only to discover in the following months that it wasn't ready or that they can't upgrade/migrate their DS contents.

Ian

As a postscript, a few weeks ago FreeIPA had 20% left to complete before v2.0 was ready. Even if we are kind and estimate that this last 20% will take only 20% of the effort (rather than 80% which we're all familiar with is much more common by the 80/20 rule) it would suggest that about 2 months are required to complete it. Does it suggest that everything that has ever been done to produce FreeIPA v2.0 has been done in the past 10 months (starting March 2010)? Or has the team working on it grown substantially over the past year?
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/03/2011 10:29 AM, Ian Stokes-Rees wrote:

> > While I can't comment on the final release schedule for FreeIPA v2, I would like to point you at http://fedoraproject.org/wiki/Features/FreeIPAv2
> >
> > What you should take away from this is that FreeIPA v2 is expected to be feature-complete by the Fedora 15 Feature Freeze date (February 8th) and must be in its final state by March 22nd in order to be released in Fedora 15.
> >
> > So it's probably safe to assume that 2.0 is not several years away. I'd say we're looking at weeks, not months or years at this point.
>
> Thanks for that link. I see:
>
> * Targeted release: Fedora 15 http://fedoraproject.org/wiki/Releases/15
> * Last updated: 01/12/11
> * Percentage of completion: 80%
>
> In a way, I find this even more worrying since it sounds like FreeIPA will either be pushed out too early (can schema migration be left out, or be implemented but untested?) or will miss Fedora 15 and we won't see it until Fedora 16 (end of summer or autumn).

From the earlier points of the discussion, schema migration is planned for upgrades from 2.0.0 to future versions. It's only something that was left out of the alpha/beta process because things were still in churn and those releases were never intended to be in production. Once 2.0.0 is baked, obviously the upgrade path will need to be clean.

> I don't see how something as fundamental as a directory server can be mostly finalized (feature freeze, and bug fix only state) in a few weeks when the developers themselves say we reset our FreeIPA DS from scratch every day, suggesting that no one (?) has tested it in an operational state with real users and systems for an extended period (at least days, but really for weeks or more).
>
> If you think one frustrated group (us) right now is annoying, just wait to see what happens if FreeIPA v2.0 *does* go out with Fedora 15 in a few months and lots of people eagerly install it only to discover in the following months that it wasn't ready or that they can't upgrade/migrate their DS contents.

Feature freeze means that FreeIPA will not be adding new functionality after this point (which includes schema changes) and will be focusing only on stability and bugfixes until final release.

> Ian
>
> As a postscript, a few weeks ago FreeIPA had 20% left to complete before v2.0 was ready. Even if we are kind and estimate that this last 20% will take only 20% of the effort (rather than 80% which we're all familiar with is much more common by the 80/20 rule) it would suggest that about 2 months are required to complete it. Does it suggest that everything that has ever been done to produce FreeIPA v2.0 has been done in the past 10 months (starting March 2010)? Or has the team working on it grown substantially over the past year?

That 80% is the amount of Fedora-related effort, not the upstream completion effort. It hasn't been updated, but I'd ballpark us at nearly about 95% now.

--
Stephen Gallagher
RHCE 804006346421761
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/03/2011 10:51 AM, Peter Doherty wrote:

> On Feb 3, 2011, at 10:35 , Stephen Gallagher wrote:
> > From the earlier points of the discussion, schema migration is planned for upgrades from 2.0.0 to future versions. It's only something that was left out of the alpha/beta process because things were still in churn and those releases were never intended to be in production. Once 2.0.0 is baked, obviously the upgrade path will need to be clean.
>
> Is there a plan to include the ability for users of 1.2 to migrate to 2.0? I'd consider setting up and using 1.2 right now if I know that I can migrate to 2.0 when the stable release comes out.

This is a use case that we have in mind. v1 is treated as an external DS though. This migration is planned through the migrate-ds + SSSD or special page to migrate passwords. The v1 and v2 schemas are drastically different but v1 just has users and groups and migrate-ds script takes care of it. This is well covered in the migration guide.

The in-place updates are planned starting with v2, meaning that either the bits can just be refreshed on each of the replicas gradually (if schema or related logic is not affected) or will require a rolling upgrade. The rolling upgrade is needed for the cases when there are schema changes and newer replicas can't talk to the old replicas due to potential data corruption caused by schema mismatch.

The rolling upgrade procedure will effectively cause a split of the domain. Replicas that still carry old bits and schema will talk to each other and updated replicas will talk to each other. The rolling upgrade procedure will involve updating replicas one by one so that they move from one set to another. Finally when all replicas are updated they all will be talking to each other again. The changes caused by the client and administrative activity will be propagated to the set of updated replicas as any new converted replica will carry the chunk of changes it already knows about.

Upgrades are very complex procedures, especially in the replicated environments. There is no silver bullet technology that will make things simple. We thought this part through but do not plan on supporting rolling upgrades till the next version of IPA (probably 2.1). The foundation for such an approach is there. But the tools to actually update in place are not yet implemented. They are a part of the subsequent release.

Thanks
Dmitri

> -Peter

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 09:28 AM, Peter Doherty wrote:

> On Feb 2, 2011, at 09:09 , Simo Sorce wrote:
> > On Tue, 1 Feb 2011 22:30:50 -0500 Peter Doherty dohe...@hkl.hms.harvard.edu wrote:
> > > On Feb 1, 2011, at 15:04 , Dmitri Pal wrote:
> > > > Also it is worth mentioning that we are planning to come up with Beta 2 later this week so maybe it makes sense to wait a couple of days and move to the latest bits.
> > >
> > > Can I upgrade from Beta-1 to Beta-2, or are they incompatible?
> >
> > There are small incompatibilities, some new schema and some changes to the DIT.
>
> So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?

The version 1.2 is the version that had very limited functionality. When we started working on v2 it became apparent that we will not be able to maintain backward compatibility and the migration from IPA v1 to V2 will be similar to migration for a different LDAP server.

Our goal for v2 and beyond is to be compatible and to allow smooth migration. However this means that we need to fix as many schema inconsistencies and data storage issues before we release v2, otherwise we will be stuck with those forever. This means that the schema is changing in the beta cycle to address issues we find.

It is really unfortunate that you are caught in this situation. We are on the verge of releasing beta 2 so everybody is head down fixing issues. We will try to carve some time to come up with a better strategy for you next week if that would help so that you can move to beta2.

We hear your frustration and are really sorry about the bad experience you have with the project.

Thank you
Dmitri

> Peter

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
> > So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?
>
> Upgrades will be possible within stable releases. Handling upgrades in development versions would cost too much development time w/o any real benefit as schema and DIT will be fixed in stone once 2.0 final will be released. Alpha and Beta release are not meant for production but only for testing environments.

Hi,

I'm part of the same team that is stuck in this situation. I think you guys (FreeIPA team) need to make it really clear to current adopters that they are going to have to start from scratch if they go with the current v2 releases (1.9, 2.0-beta, etc.) and want to upgrade later.

Of course there is no definition of what beta means, but really I think we're your *ideal* beta testers and you should put in some effort to make it possible for us to use the beta releases of FreeIPA. We are a research computing group, so our service level standards are we can live with a 24-36 hours of down time M-F every couple of months, and 1 week of down time every year. We have a handful of real users, want to integrate apache httpd into using LDAP, want to utilize the web i/f for account management, use FreeIPA for NFS mounts, real X.509 certificates, etc.

Even if an automated/smooth transition between beta versions or from beta to final release is impossible, then some guidance on strategies to transition systems manually (and a very rough estimate of the time commitment to do that) would be useful.

I wish I understood LDAP better, but I don't see why we can't just dump the current FreeIPA LDIF files, tweak the entries as necessary, and import them to the latest version of FreeIPA.

We're pretty close right now (as in, the next 4-24 hours) to abandoning FreeIPA, so some encouraging words on this front could make a difference and keep us with you.

Ian

--
Ian Stokes-Rees, PhD                W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu        T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School   C: +1.617.331.5993
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 12:30 PM, Ian Stokes-Rees wrote:

> > > So you can't upgrade from 1.2 to 1.9 and you can't go from 1.9 to 2.0 and you can't go from 2.0 beta-1 to 2.0 beta-2? So why would I want to use a product like that?
> >
> > Upgrades will be possible within stable releases. Handling upgrades in development versions would cost too much development time w/o any real benefit as schema and DIT will be fixed in stone once 2.0 final will be released. Alpha and Beta release are not meant for production but only for testing environments.
>
> Hi,
>
> I'm part of the same team that is stuck in this situation. I think you guys (FreeIPA team) need to make it really clear to current adopters that they are going to have to start from scratch if they go with the current v2 releases (1.9, 2.0-beta, etc.) and want to upgrade later.

It is our mistake that we did not realize that there is an expectation that there will be an easy migration between alphas and betas. We always thought of them as preparation steps for the actual release and that none would try to use them in production or load data that would be something other than a test set. So expectation was that no migration would be needed. This is why your situation caught us by surprise.

I guess you had a lot of faith in the project and this is great. I also completely understand your frustration and desire to abandon it in the current situation. I think it would be mutually beneficial to avoid that and find a solution that would help you to move on.

Yes you are ideal testers and we want to continue working with you. We also ask for understanding that such migration requirement was not expected on our side. We reinstall the system every day and run tests with new functionality on a fresh system. During last month between previous beta the team addressed more than 200 issues across the whole project. Some major issues have been addressed that required schema changes. We are planning to release IPA beta2 today or tomorrow; this is why we are a little bit less responsive than we want to be.

But this is all lyrics. The main issue with the migration between betas (as in any case) is passwords and keys. Simo knows the details but in a nutshell the problem is that if you dump and load the LDIF (even if you adjust the records to accommodate schema changes manually) your keys would not match. You need to carry the master key over and maybe more than that. We need to sit down and think through the recommendations for a manual procedure like this. We will try to do it ASAP but given that we are releasing any day now it is not realistic to expect it happening today.

Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.

To reduce the scope of the effort let me recap the goal:

1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation
2) You do not want to lose passwords
3) You are Ok with manual procedure
4) You are Ok to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.

Again sorry for all the trouble. If we knew the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.

Thank you
Dmitri

> Of course there is no definition of what beta means, but really I think we're your *ideal* beta testers and you should put in some effort to make it possible for us to use the beta releases of FreeIPA. We are a research computing group, so our service level standards are we can live with a 24-36 hours of down time M-F every couple of months, and 1 week of down time every year. We have a handful of real users, want to integrate apache httpd into using LDAP, want to utilize the web i/f for account management, use FreeIPA for NFS mounts, real X.509 certificates, etc.
>
> Even if an automated/smooth transition between beta versions or from beta to final release is impossible, then some guidance on strategies to transition systems manually (and a very rough estimate of the time commitment to do that) would be useful.
>
> I wish I understood LDAP better, but I don't see why we can't just dump the current FreeIPA LDIF files, tweak the entries as necessary, and import them to the latest version of FreeIPA.
>
> We're pretty close right now (as in, the next 4-24 hours) to abandoning FreeIPA, so some encouraging words on this front could make a difference and keep us with you.
>
> Ian
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
> Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.

We will probably decide what path to take tomorrow. I'm not sure if we're prepared to wait, since waiting 1 week will probably only get us using the new Beta-2, and won't solve any problems for Beta-3 or official release of 2.0.

> To reduce the scope of the effort let me recap the goal:
> 1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation

I'm not sure of the details of everything that is in FreeIPA, but I think right now it is at least user information and NFS mounts. Possibly more. We have 10-20 accounts, so not much.

> 2) You do not want to lose passwords

I don't really care about this. We can lose all passwords as far as I'm concerned. Peter, the other person who has been on this thread and the one who has done all the work, may have a different opinion.

> 3) You are Ok with manual procedure
> 4) You are Ok to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.

Yes, we're OK to try manual procedures and different approaches, *if* we decide it is worth sticking with FreeIPA.

> Again sorry for all the trouble. If we knew the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.

How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

Regards,

Ian

--
Ian Stokes-Rees, PhD                W: http://portal.nebiogrid.org
ijsto...@hkl.hms.harvard.edu        T: +1.617.432.5608 x75
NEBioGrid, Harvard Medical School   C: +1.617.331.5993
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/02/2011 04:02 PM, Ian Stokes-Rees wrote:

> > Can this wait till next week? If not it would be a real pity. We are working hard to deliver the project to research groups like yours and we will do our best to help you to migrate your data forward.
>
> We will probably decide what path to take tomorrow. I'm not sure if we're prepared to wait, since waiting 1 week will probably only get us using the new Beta-2, and won't solve any problems for Beta-3 or official release of 2.0.
>
> > To reduce the scope of the effort let me recap the goal:
> > 1) You want to install IPA and load the users (is there anything else?) from the previous installation and abandon the old installation
>
> I'm not sure of the details of everything that is in FreeIPA, but I think right now it is at least user information and NFS mounts. Possibly more. We have 10-20 accounts, so not much.

NFS mount schema is the same and standard 2307bis so there is no difference between the versions. The only issue can be the location of the container since we did some rearrangement of the tree recently. But there is no crypto or hashes there so dumping the cn=automount and loading it into the new version should be a straightforward exercise.

For the users migrate-ds should be used then. It will take user accounts from the old installation and move to the new one. If you use SSSD on the client in the migration mode then it will recreate migrated kerberos hashes behind the scenes as soon as you log into a client machine using SSSD after migration.

If migrate-ds does not work for you then we need to know all the details and logs of what went wrong so that we can fix the issue.

> > 2) You do not want to lose passwords
>
> I don't really care about this. We can lose all passwords as far as I'm concerned. Peter, the other person who has been on this thread and the one who has done all the work, may have a different opinion.

The procedure described above, i.e. using SSSD on the client, will solve the problem of the password migration if you care.

> > 3) You are Ok with manual procedure
> > 4) You are Ok to try different approaches (some of which might not work out) and work with us on formulating a procedure that would help other deployments like yours to overcome this situation.
>
> Yes, we're OK to try manual procedures and different approaches, *if* we decide it is worth sticking with FreeIPA.

This is your decision to make.

> > Again sorry for all the trouble. If we knew the requirement to be able to migrate between betas earlier we might have done some things differently. Hope to find understanding on your side and willingness to work with us on a solution.
>
> How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

They are not migratable versions. Frankly I have not heard of any product of such complexity that would support migration between the alpha-beta-rc drops. Sorry but your expectation is wrong. It is our fault that we have not clearly stated it but this is the case.

And yes, just to set expectations straight, when we release IPA v2 we expect it to be a fresh install and users migrated to it using migrate-ds and passwords migrated using SSSD or a special migration page we provide. Other parts of the tree can be migrated piecemeal and we will be happy to help you do it if migrating this part of information is possible. For example migrating hosts and service will not be possible but sudo, HBAC, DNS etc. will be, so discretion should be used depending upon what you have in your deployment.

However if we are talking about 10-20 accounts it might be easier to recreate them manually or with a simple script.

Overall we appreciate your business and would be glad to help within the reasonable expectations.

Thank you,
Dmitri

> Regards,
>
> Ian

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
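The automount dump-and-load discussed in the message above, as an added example that is not part of the original thread and is not FreeIPA tooling: it selects one subtree from an LDIF dump, moves it under a new container DN, and refuses any entry that carries password or Kerberos key attributes, which checks the "no crypto or hashes there" assumption instead of trusting it. The base DNs and the sample dump are constructed placeholders.

```python
import base64
import re

# Constructed placeholder DNs; the real containers depend on the two installs.
OLD_BASE = "cn=automount,dc=old,dc=example"
NEW_BASE = "cn=automount,cn=maps,dc=new,dc=example"
# Password hashes and Kerberos keys: never copy these with a plain dump/load.
SECRET_ATTRS = {"userpassword", "krbprincipalkey", "krbmkey"}
# Server-maintained attributes that the receiving server sets itself.
OPERATIONAL = {"nsuniqueid", "creatorsname", "modifiersname",
               "createtimestamp", "modifytimestamp"}

SAMPLE_LDIF = """\
version: 1

# constructed sample dump
dn: automountMapName=auto.master,cn=automount,dc=old,dc=example
objectClass: automountMap
automountMapName: auto.master
createTimestamp: 20110101000000Z

dn: automountKey=/home,automountMapName=auto.master,CN=automount, dc=old,dc=example
objectClass: automount
automountKey: /home
automountInformation: auto.home

dn: automountKey=*,automountMapName=auto.home,cn=automount,dc=old,dc=example
objectClass: automount
automountKey: *
automountInformation: -fstype=nfs4,rw nfs.old.example:/export/ho
 me/&

dn: uid=alice,cn=users,dc=old,dc=example
objectClass: posixAccount
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=

dn: cn=stray,cn=automount,dc=old,dc=example
objectClass: nsContainer
userPassword: {SSHA}constructed
"""

def parse_ldif(text):
    """Parse LDIF into entries: lists of (attr, marker, value); marker is ':', '::' or ':<'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        elif not raw.startswith("#"):         # drop comment lines
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:
        if not line.strip():                  # a blank line ends the record
            if current:
                entries.append(current)
            current = []
            continue
        attr, _, rest = line.partition(":")
        marker = ":" + rest[:1] if rest[:1] in (":", "<") else ":"
        value = rest[len(marker) - 1:].strip()
        if attr.lower() == "version" and not current:
            continue
        if attr.lower() == "dn" and marker == "::":   # base64-encoded DN
            marker, value = ":", base64.b64decode(value).decode("utf-8")
        current.append((attr, marker, value))
    return entries

def split_dn(dn):
    """Split a DN on unescaped commas (simplified: ignores a literal '\\\\' before a comma)."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]

def rebase_dn(dn, old_base, new_base):
    """Return dn moved from old_base to new_base, or None if dn is outside old_base."""
    rdns, old = split_dn(dn), split_dn(old_base)
    keep = len(rdns) - len(old)
    if keep < 0 or [r.lower() for r in rdns[keep:]] != [r.lower() for r in old]:
        return None
    return ",".join(rdns[:keep] + split_dn(new_base))

def migrate_subtree(ldif_text, old_base, new_base):
    """Return (rebased LDIF text, [(dn, secret attrs)] for entries that were refused)."""
    out, rejected = [], []
    for entry in parse_ldif(ldif_text):
        dn = next((v for a, _, v in entry if a.lower() == "dn"), None)
        new_dn = rebase_dn(dn, old_base, new_base) if dn else None
        if new_dn is None:
            continue                          # not part of the subtree being moved
        secrets = sorted({a for a, _, _ in entry
                          if a.split(";")[0].lower() in SECRET_ATTRS})
        if secrets:
            rejected.append((dn, secrets))    # needs a password-aware migration path
            continue
        dn_line = (f"dn: {new_dn}" if new_dn.isascii()
                   else "dn:: " + base64.b64encode(new_dn.encode()).decode())
        body = [f"{a}{m} {v}" for a, m, v in entry
                if a.lower() != "dn" and a.lower() not in OPERATIONAL]
        out.append("\n".join([dn_line] + body))
    return "\n\n".join(out) + ("\n" if out else ""), rejected

if __name__ == "__main__":
    ldif, refused = migrate_subtree(SAMPLE_LDIF, OLD_BASE, NEW_BASE)
    print(ldif)
    print("refused:", refused)
```
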
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote:

> How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.

If you read the release notes (http://freeipa.org/page/IPAv2_beta), in the paragraph 'migration' it is quite clearly stated that migration from v1 to v2 of freeipa is not possible. You are right that it is not clearly stated that migrations between 1.9.whatever and 2 are not possible but ...

... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.

I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, but this was not supposed to be running in a production environment. Do not blame redhat for something that clearly is not their fault.

This project is going to be awesome for unix networks. All the pieces of the puzzle were out there, but these guys are putting them together in a nice package. Having dealt with a share of ldap+kerberos environments, I can tell you this is it. It is not there yet, but it is getting there.

It is your choice to not use it.

--
regards,
natxo
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
Thank you Natxo. We are working hard to get it there and when we do .. it will be awesome!

Jenny

Natxo Asenjo wrote:

> On Wed, Feb 2, 2011 at 10:02 PM, Ian Stokes-Rees ijsto...@hkl.hms.harvard.edu wrote:
> > How did you expect anyone to seriously try to use FreeIPA if they couldn't migrate between versions? Surely installation and extended use (weeks/months) by non-developers is part of any beta-testing plan.
>
> If you read the release notes (http://freeipa.org/page/IPAv2_beta), in the paragraph 'migration' it is quite clearly stated that migration from v1 to v2 of freeipa is not possible. You are right that it is not clearly stated that migrations between 1.9.whatever and 2 are not possible but ...
>
> ... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet.
>
> I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, but this was not supposed to be running in a production environment. Do not blame redhat for something that clearly is not their fault.
>
> This project is going to be awesome for unix networks. All the pieces of the puzzle were out there, but these guys are putting them together in a nice package. Having dealt with a share of ldap+kerberos environments, I can tell you this is it. It is not there yet, but it is getting there.
>
> It is your choice to not use it.
>
> --
> regards,
> natxo

--
Jenny Galipeau jgali...@redhat.com
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
... as a sysadmin, whenever I read 'alpha|beta', all alarms go off :-). I do follow the project, but I would never run any kind of production on it just yet. Our whole group thinks FreeIPA looks really exciting. We really do *want* to use it. We want the project to succeed, and we'd be happy to be part of the (non-developer) community that helps get you guys there. We are just disappointed that right now it doesn't look like we can stick with you to make this happen, which is particularly frustrating because we've invested a lot of time (at least several weeks at this point) into getting to know and use FreeIPA. We have 4 active users, and about a dozen others. This is part of a research computing cluster infrastructure and does not hold home directories for anyone (no mail, no critical files, etc). As I've said, it seems like we have an ideal environment for beta testing. Are you only planning on testing version migration/upgrade abilities in the final release? Or perhaps there is a very long road of beta versions that will come out over the next several years before a final 2.0 release appears. It did not seem unreasonable for us to assume that some kind of migration capability would be part of (at least) the beta releases. I think that blaming redhat for your using a beta version of software in production is a bit harsh. I understand you are under stress and upset, We're not blaming the FreeIPA team. We are surprised that for such a significant project where clearly so much time and work *has* been invested (even into things like documentation) that something so critical as migration didn't get more attention sooner. I appreciate the issues that arise with developing good schemas, and the complexities of being able to translate data between different schemas. The backup plan I'm now considering (but it isn't just my decision) is OpenLDAP or Dir-389 + WebMin + UserMin (not sure if Dir-389 will work well with WebMin LDAP module). 
Cheers,
Ian
[Freeipa-users] export entire ldap/kerberos/etc onto a new host
I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?

Thanks!
Peter
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/01/2011 02:30 PM, Peter Doherty wrote:
> I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?

Is it OK to reset all passwords, or do you want to try to preserve those?

> Thanks!
> Peter

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>> I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>
> Is it OK to reset all passwords, or do you want to try to preserve those?

I want to preserve them. But at this point, I'd take just about anything.
I just discovered the migrate-ds tool. But I can't make it work.

Peter
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/01/2011 02:51 PM, Peter Doherty wrote:
> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>> I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>
>> Is it OK to reset all passwords, or do you want to try to preserve those?
>
> I want to preserve them. But at this point, I'd take just about anything.
> I just discovered the migrate-ds tool. But I can't make it work.

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA

Maybe the writeup will help. It is not final, but at least this portion has been reviewed.

> Peter

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/01/2011 12:51 PM, Peter Doherty wrote:
> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>> I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>
>> Is it OK to reset all passwords, or do you want to try to preserve those?
>
> I want to preserve them. But at this point, I'd take just about anything.
> I just discovered the migrate-ds tool. But I can't make it work.

That definitely won't work. migrate-ds is used to migrate very old 389-ds-base servers to the latest version. There is no tool to migrate/upgrade from an ipa alpha release to an ipa beta release.

> Peter
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On 02/01/2011 03:00 PM, Dmitri Pal wrote:
> On 02/01/2011 02:51 PM, Peter Doherty wrote:
>> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>>> I hope someone can help with this. I've got a freeipa server running the 1.9 alpha release. It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it. I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version, it won't install). Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>>
>>> Is it OK to reset all passwords, or do you want to try to preserve those?
>>
>> I want to preserve them. But at this point, I'd take just about anything.
>> I just discovered the migrate-ds tool. But I can't make it work.
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA
>
> Maybe the writeup will help. It is not final, but at least this portion has been reviewed.

Also, it is worth mentioning that we are planning to come up with Beta 2 later this week, so maybe it makes sense to wait a couple of days and move to the latest bits.

>> Peter

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host
On Feb 1, 2011, at 15:04, Dmitri Pal wrote:
> Also, it is worth mentioning that we are planning to come up with Beta 2 later this week, so maybe it makes sense to wait a couple of days and move to the latest bits.

Can I upgrade from Beta-1 to Beta-2, or are they incompatible?

Peter