Install the IPA server, including any custom LDAP directory schema^[4], on a different machine from the existing LDAP directory.

Enable the IPA server to allow migration:

# ipa config-mod --enable-migration=TRUE

Run the IPA migration script, ipa migrate-ds. At its most basic, this requires only the LDAP URL of the LDAP directory instance to migrate:

# ipa migrate-ds ldap://ldap.example.com:389

The ipa migrate-ds command connects to the LDAP directory and binds as the Directory Manager and extracts all entries with the person object class from the ou=People subtree, by default. A different subtree can be specified using the --user-container option.

This script also exports all entries from the ou=Groups subtree to maintain group memberships. The group can be changed using the --group-container option.

Once the information is exported, the script adds all required IPA object classes and attributes and coverts DNs in attributes to match the IPA directory tree.

For example:

ipa migrate-ds --user-container=ou=employees --group-container="ou=employee groups" ldap://ldap.example.com:389

Update the client configuration to use PAM_LDAP and NSS_LDAP to connect to IPA instead of connecting to an LDAP directory, NIS, or local files.

Optional. Set up SSSD. Using SSSD migrates user passwords without additional user interaction, as described in Section 17.1.2, “Planning Password Migration”.

Instruct users to log into IPA using either SSSD client or the migration web page if SSSD is not available on the client. Both methods automatically migrate the user password into Identity Management.

Optional. Reconfigure non-SSSD clients to use Kerberos authentication (pam_krb5) instead of LDAP authentication (pam_ldap).

When the migration of all clients and users is complete, decommission the LDAP directory.