Este contenido no está disponible en el idioma seleccionado.

Chapter 7. Migrating Existing Environments from Synchronization to Trust


Synchronization and trust are two possible approaches to indirect integration. Synchronization is generally discouraged, and Red Hat recommends to use the approach based on Active Directory (AD) trust instead. See Section 1.3, “Indirect Integration” for details.
This chapter describes how to migrate an existing synchronization-based setup to AD trust. The following migrating options are available in IdM:

7.1. Migrate from Synchronization to Trust Automatically Using ipa-winsync-migrate

Important

The ipa-winsync-migrate utility is only available on systems running Red Hat Enterprise Linux 7.2 or later.

7.1.1. How Migration Using ipa-winsync-migrate Works

The ipa-winsync-migrate utility migrates all synchronized users from an AD forest, while preserving the existing configuration in the Winsync environment and transferring it into the AD trust. For each AD user created by the Winsync agreement, ipa-winsync-migrate creates an ID override in the Default Trust View (see Section 8.1, “Active Directory Default Trust View”).
After the migration completes:
  • The ID overrides for the AD users have the following attributes copied from the original entry in Winsync:
    • Login name (uid)
    • UID number (uidnumber)
    • GID number (gidnumber)
    • Home directory (homedirectory)
    • GECOS entry (gecos)
  • The user accounts in the AD trust keep their original configuration in IdM, which includes:
    • POSIX attributes
    • User groups
    • Role-based access control rules
    • Host-based access control rules
    • SELinux membership
    • sudo rules
  • The new AD users are added as members of an external IdM group.
  • The original Winsync replication agreement, the original synchronized user accounts, and all local copies of the user accounts are removed.

    Note

    The user must make sure before calling ipa-winsync-migrate that there is no entry on the AD side with the same name as the IdM administrator ("admin" by default). Otherwise ipa-winsync-migrate will remove the local copy of the "admin" user account, meaning that it will delete IdM admin user.

7.1.2. How to Migrate Using ipa-winsync-migrate

Before you begin:
  • Back up your IdM setup using the ipa-backup utility. See Backing Up and Restoring Identity Management in the Linux Domain Identity, Authentication, and Policy Guide.
    Reason: The migration affects a significant part of the IdM configuration and many user accounts. Creating a backup enables you to restore your original setup if necessary.
To migrate:
  1. Run ipa-winsync-migrate and specify the AD realm and the host name of the AD domain controller:
    # ipa-winsync-migrate --realm example.com --server ad.example.com
    If a conflict occurs in the overrides created by ipa-winsync-migrate, information about the conflict is displayed, but the migration continues.
  2. Uninstall the Password Sync service from the AD server. This removes the synchronization agreement from the AD domain controllers.
See the ipa-winsync-migrate(1) man page for more details about the utility.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.