Red Hat SummitChapter 4. Migrating from one IdM server to another
Use the ipa-migrate tool to migrate all Identity Management (IdM) data, including configurations, schema, and database content, from one IdM server to another. This tool is useful for moving a deployment from staging to production or for migrating data between production servers.
4.1. IdM to IdM migration
You can use the ipa-migrate admin tool to migrate IdM data between two servers, such as when moving a deployment from staging to production. Run the tool on the new, local IdM server to transfer schema, configuration, and database content from the original, remote IdM server.
Using the tool, you can transfer most of the data from the remote server:
- Schema: All LDAP object classes and attributes.
-
Configuration: Core Directory Server settings (
dse.ldif), including performance tuning, security settings, plugins, and database settings. - Database: Most subtrees and entries, including users, groups, roles, hosts, services, sudo rules, HBAC rules, and DNS records (optional).
However, for security reasons, some items are excluded:
- Kerberos master key
- Self-signed CA certificates and KRA keys
-
The
adminand Directory Manager passwords - Data stored in Custodia
You can perform the migration online, using an LDAP connection, or offline, using LDIF files from the remote server. You can also combine the online and offline methods by using a mixed approach. For large databases, a mixed approach is often the most efficient. For example, you can migrate the configuration and schema online and then use an LDIF file for the database migration, which is faster and more stable than transferring thousands of entries over the network.
Before committing to a migration, you can perform a dry run to preview the changes without writing any data to the new server. You can also record the LDAP operations to an LDIF file for detailed inspection or for replaying the migration at a later time.
The ipa-migrate tool offers the following migration modes:
Production mode
This mode assumes the remote server is a fully functional, production environment. It migrates all data, including DNA ranges, IDs, and SIDs, as is.
Staging mode
This mode is intended for migrating from a staging environment. It does not migrate DNA ranges and ID attributes like
uidNumberandgidNumber, but regenerates them on the new server.
The migration process automatically converts the remote server’s realm, domain, and suffixes to match the new local server’s configuration. You can choose whether to migrate ID ranges, and you have the option to skip migrating DNS records, configuration, or schema. Using the tool, you can also include non-IdM content stored in the database tree by specifying the subtree in a command-line option.
After a successful migration, you must re-enroll IdM clients to the new deployment, and users must reset their passwords to generate new Kerberos keys.
4.2. Migrating an IdM environment from staging to production
You can use the ipa-migrate tool in staging mode to transfer an IdM environment from a staging server to a production server, regenerating identity numbers for the new environment.
This example uses a mixed migration approach, where the database is migrated offline using an LDIF file for improved performance and stability, while the configuration and schema are migrated online. The migration is performed in staging-mode to ensure that identity numbers (UIDs/GIDs) are regenerated for the new production environment.
Prerequisites
- You are using RHEL 10.1 or later.
On the new production (local) server:
- You have performed a standard installation of IdM.
- The IdM domain and realm are set to their final production values.
On the staging (remote) server:
- You have root access to export the user database.
- You have the Directory Manager password.
Procedure
On the remote staging server, for example
remote.server.com, export theuserRootdatabase to an LDIF file, such asuserroot.ldif:Stop the DS instance:
# dsctl slapd-EXAMPLE-COM stopExport the database:
# dsctl slapd-EXAMPLE-COM db2ldif userroot /root/userroot.ldifRestart the DS instance:
# dsctl slapd-EXAMPLE-COM start
-
Copy the
userroot.ldifto the new local production server, for example to/root/userroot.ldif. On the local production server, execute a dry run of the migration to validate the process and preview changes without writing any data. Use
stage-modeto ensure that DNA ranges and ID attributes are reset for the new production environment:# ipa-migrate stage-mode remote.server.com --db-ldif=/root/userroot.ldif --dryrun- Review the output to confirm that the tool identifies the correct entries for migration.
Execute the migration command without the
--dryrunoption. You will be prompted for the Directory Manager password for the remote server:# ipa-migrate stage-mode remote.server.com --db-ldif=/root/userroot.ldifNoteThe migration process includes running the
ipa-server-upgradetask, which may take a significant amount of time depending on the size of your database.
Verification
On the new production server, verify that the IdM services are running correctly:
# ipactl status- Confirm that IdM data, such as users, groups, and sudo rules, has been successfully migrated using ipa user-find and ipa sudorule-find.
The primary log file for the migration tool is located at /var/log/ipa-migrate.log. This file is appended to on each run, preserving the history of multiple migration attempts.
Next steps
- Re-enroll clients: All IdM clients that were connected to the old staging server must be re-enrolled into the new production IdM deployment. You can follow the steps in Re-enrolling na IdM client.
- Migrate user passwords: Users must log in to generate new Kerberos keys, as passwords are not migrated directly. Inform your users about the need to reset their passwords upon their first login to the new production environment. See Managing user passwords in IdM.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}