Chapter 7. Migrating Existing Environments from Synchronization to Trust
Synchronization and trust are two possible approaches to indirect integration. Synchronization is generally discouraged, and Red Hat recommends to use the approach based on Active Directory (AD) trust instead. See Section 1.3, “Indirect Integration” for details.
This chapter describes how to migrate an existing synchronization-based setup to AD trust. The following migrating options are available in IdM:
7.1. Migrate from Synchronization to Trust Automatically Using
ipa-winsync-migrate utility is only available on systems running Red Hat Enterprise Linux 7.2 or later.
7.1.1. How Migration Using
ipa-winsync-migrate utility migrates all synchronized users from an AD forest, while preserving the existing configuration in the Winsync environment and transferring it into the AD trust. For each AD user created by the Winsync agreement,
ipa-winsync-migrate creates an ID override in the Default Trust View (see Section 8.1, “Active Directory Default Trust View”).
After the migration completes:
- The ID overrides for the AD users have the following attributes copied from the original entry in Winsync:
- Login name (
- UID number (
- GID number (
- Home directory (
- GECOS entry (
- The user accounts in the AD trust keep their original configuration in IdM, which includes:
- POSIX attributes
- User groups
- Role-based access control rules
- Host-based access control rules
- SELinux membership
- The new AD users are added as members of an external IdM group.
- The original Winsync replication agreement, the original synchronized user accounts, and all local copies of the user accounts are removed.
7.1.2. How to Migrate Using
Before you begin:
- Back up your IdM setup using the
ipa-backuputility. See Backing Up and Restoring Identity Management in the Linux Domain Identity, Authentication, and Policy Guide.Reason: The migration affects a significant part of the IdM configuration and many user accounts. Creating a backup enables you to restore your original setup if necessary.
- Create a trust with the synchronized domain. See Chapter 5, Creating Cross-forest Trusts with Active Directory and Identity Management.
ipa-winsync-migrateand specify the AD realm and the host name of the AD domain controller:
# ipa-winsync-migrate --realm example.com --server ad.example.comIf a conflict occurs in the overrides created by
ipa-winsync-migrate, information about the conflict is displayed, but the migration continues.
- Uninstall the Password Sync service from the AD server. This removes the synchronization agreement from the AD domain controllers.
See the ipa-winsync-migrate(1) man page for more details about the utility.