# FreeIPA Scripts
This repository contains a small collection of scripts written to migrate my existing LDAP/DNS setup (MacOS Server) to FreeIPA and to manage the setup afterwards. These scripts provide functionality unavailable in the FreeIPA command line tools. They use the FreeIPA API as much as possible, as I didn't like the provided migration alternatives that directly update the FreeIPA LDAP database. Most of these scripts/commands are meant to synchronize between an existing situation and FreeIPA and are safe to run multiple times. As a side-effect, this also makes them suitable to support a gradual migration over time (where a source system is still in production until final cut-over).

The latest versions, documentation and a bug tracker are available on my GitLab instance.

Copyright (c) 2018 Frederik Lindenaar, free for distribution under the GNU General Public License, see below.
## Contents

This repository contains the following scripts:

- `users2freeipa.py` is a migration script to transfer/synchronize LDAP users to/with FreeIPA
- `freeipa-dns.py` is a script providing functionality not available in FreeIPA itself to migrate/synchronize and maintain DNS zones in FreeIPA
## users2freeipa.py

This script uses LDAP to obtain users from a MacOS Server (or other LDAP) server and synchronizes the results with the users registered in FreeIPA. Since it synchronizes data it is safe to run multiple times, and users can also be imported initially as stage users.

The intent is to migrate user data and not to drag along a legacy setup. For this reason, the script will create new user and group IDs and will not copy home directory and shell information by default. For the IDs, the legacy information can be stored in a FreeIPA ID View so it remains available; other items can be copied over using command line options. Passwords can be copied over (if available in a usable format), and the script also supports having FreeIPA generate random passwords and store these in a file for further processing/sharing with users.
Users can be copied from an existing (generic) LDAP database and from a MacOS Server OpenDirectory-flavor LDAP server. In the latter case, additional information (e.g. Apple's `generatedUID`) will be copied over as well. Please note that this does require customizing the FreeIPA LDAP schema, which the script will check for and can install (option `-U`). As the setup is modular it should be easy to tweak or add other migrations.
By default all users will be migrated/synchronized, but it is also possible to limit this to specific user(s) or group(s), or to specifically exclude users or groups. An example to copy all users in the group `workgroup` except `admin` from an Apple MacOS OpenDirectory server:

~~~
./users2freeipa.py -v -O -U -c "Legacy LDAP" -g workgroup -x admin -G \
    -P -p passwords.txt ldap://ldap.mydomain.tld
~~~

This will also install the OpenDirectory-specific schema customization, create groups and copy group memberships, copy usable passwords and ensure that all users have a password (storing generated passwords to `passwords.txt`).
Before running a production user migration, it is important to have FreeIPA set up and configured correctly so that the right defaults are used for new users. It is best to start with a single user and add that as a stage user (please note that this will not yet assign user IDs, group memberships and a password, as FreeIPA does not yet support that) and use an ID View to store legacy data.

For all available command-line options, run `users2freeipa.py -h`.
## freeipa-dns.py

This script provides functionality not provided by FreeIPA to migrate and/or synchronize and maintain DNS data in FreeIPA. Currently the following commands are implemented:
- `axfr` - import/synchronize a DNS zone in FreeIPA using a zone transfer (AXFR).
  For example, to migrate/synchronize domain `domain.tld` from DNS server `192.168.1.53` without checking for DNS overlap, issue the command:

  ~~~
  ./freeipa-dns.py -v axfr -T 172.1.2.53 -n -f none 192.168.1.53 domain.tld
  ~~~

  In addition, this will ensure zone transfers are allowed from `172.1.2.53` and disable forwarding in FreeIPA.

- `copy` - copy a DNS record in FreeIPA within or between zones.
  For example, to copy the `A` and `AAAA` records from host `wwww.domain.tld` to the domain `domain.tld` itself, issue the command:

  ~~~
  ./freeipa-dns.py -v copy -l A AAAA wwww.domain.tld -T domain.tld
  ~~~

- `move` - move a DNS record in FreeIPA from one zone to another.
  For example, to move `host1.int` in zone `domain.tld` to `host` in zone `int.domain.tld`, issue the command:

  ~~~
  ./freeipa-dns.py -v move -z domain.tld host.int host.int.domain.tld
  ~~~

- `serial` - update (set) zone serial(s) in FreeIPA, supporting both RFC 1912 style serials (`YYYYMMDD##`) based on the current date and setting the serial to a specific value.
  To set the serial of zones `zone1.mydomain.tld` and `zone2.mydomain.tld` to revision 2 of today, run:

  ~~~
  ./freeipa-dns.py -v serial -t 2 zone1.mydomain.tld zone2.mydomain.tld
  ~~~

  By default this command only sets the serial to a larger value (this can be overridden with the `-f`/`--force` flag).

- `generate` - generate number-range DNS records/attributes in FreeIPA.
  This is meant to generate series of hosts or attributes. For example, to generate hosts `dhcp-01` to `dhcp-10` in zone `int.mydomain.tld` with IP addresses starting from `192.168.2.100`, issue the command:

  ~~~
  ./freeipa-dns.py -v generate int.mydomain.tld dhcp-%02d -4 192.168.2.100 \
      --auto-increment-a -n 5
  ~~~

  It can also be used to generate a farm of web servers in different subnets with the command:

  ~~~
  ./freeipa-dns.py -v generate int.mydomain.tld www -4 192.168.%d.80 -n 5
  ~~~

- `reverse-ptr` - create/update reverse DNS (PTR) entries in FreeIPA.
  With this command reverse zones can be maintained automatically. It scans the zones in FreeIPA for `A` and `AAAA` records and creates the corresponding records in the `in-addr.arpa` and `ip6.arpa` zones. The reverse zones must exist, and can also be created with this command:

  ~~~
  ./freeipa-dns.py -v reverse-ptr -n -p -c 10. 10.100 192.168 2001:0db8:85a3
  ~~~

  which will create the reverse zones for prefixes `10.*`, `10.100.*`, `192.168.*` and IPv6 prefix `2001:0db8:85a3`. Reverse (PTR) records will automatically be created in the correct zone with the following command:

  ~~~
  ./freeipa-dns.py -v reverse-ptr -a
  ~~~

  By default, the command will not overwrite existing records (this can be overridden with the `-o`/`--override` flag). To force a PTR record to point to a specific host, e.g. `www.mydomain.tld`, run the command:

  ~~~
  ./freeipa-dns.py -v reverse-ptr -o -z mydomain.tld -H www
  ~~~
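The `serial` command's two ingredients, an RFC 1912 style `YYYYMMDD##` value and the default of only moving the serial forward unless forced, are shown below as an added Python example. This is not code from the repository; the function names (`rfc1912_serial`, `next_serial`, `todays_serial`) and the sample zone values are constructed for illustration. It also carries the "larger" comparison through RFC 1982 serial arithmetic, which the README does not mention but which is what secondaries use to decide whether to transfer a zone.

```python
# Added example, not code from the freeipa-dns.py repository: RFC 1912 style
# YYYYMMDD## zone serials and the "only move forward unless forced" rule the
# README describes for the `serial` command. Function names are assumptions.
from datetime import date
from typing import Optional

SERIAL_MODULUS = 1 << 32   # SOA serials are unsigned 32-bit values
HALF_RANGE = 1 << 31


def rfc1912_serial(year: int, month: int, day: int, revision: int) -> int:
    """Build a YYYYMMDD## serial: the date as 8 digits followed by a
    two-digit revision, e.g. 2018-05-20 revision 2 -> 2018052002."""
    date(year, month, day)  # raises ValueError for an impossible date
    if not 0 <= revision <= 99:
        raise ValueError("revision must fit the two-digit ## field")
    return (year * 10000 + month * 100 + day) * 100 + revision


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: a is 'larger' than b when (a - b) mod 2^32
    lies in (0, 2^31). Plain integer comparison breaks once a serial wraps
    around at 2^32."""
    diff = (a - b) % SERIAL_MODULUS
    return 0 < diff < HALF_RANGE


def next_serial(current: int, wanted: int, force: bool = False) -> Optional[int]:
    """Decide which serial to write to the SOA record.

    Returns `wanted` when it moves the serial forward (or when force is set)
    and None when the zone should be left untouched. Secondaries only pull a
    new copy of a zone when they see a larger serial, so silently going
    backwards would leave them serving stale data without any error.
    """
    if force or serial_gt(wanted, current):
        return wanted
    return None


def todays_serial(current: int, revision: int, force: bool = False,
                  today: Optional[date] = None) -> Optional[int]:
    """Model of what `serial -t <revision>` does for one zone: build today's
    YYYYMMDD## value and apply the forward-only rule."""
    d = today or date.today()
    wanted = rfc1912_serial(d.year, d.month, d.day, revision)
    return next_serial(current, wanted, force)


if __name__ == "__main__":
    # Constructed sample: the zone currently sits at revision 1 of 2018-05-20.
    current = 2018052001
    sample_day = date(2018, 5, 20)
    print(todays_serial(current, 2, today=sample_day))              # 2018052002
    print(todays_serial(current, 0, today=sample_day))              # None, would go backwards
    print(todays_serial(current, 0, force=True, today=sample_day))  # 2018052000
```

Running the block prints the three outcomes for the constructed zone: revision 2 is written, revision 0 is refused because it would move the serial backwards, and the same revision 0 is written when forced, which is the behaviour the `-f`/`--force` flag stands for.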
For available commands run `freeipa-dns.py -h`, and to get an overview of the available options for each command run `freeipa-dns.py <command> -h`.
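The `reverse-ptr` command relies on three pieces of logic that the README only states in prose: turning a prefix such as `10.100` or `2001:0db8:85a3` into a reverse zone name, finding the most specific existing reverse zone for an address, and leaving existing PTR records alone unless `-o`/`--override` is given. The following Python is an added example of that logic, not code from the repository; the function names, the `plan_ptr_sync` action vocabulary and all sample records are constructed. It generalizes slightly beyond the README by handling overlapping reverse zones (`10.` and `10.100`) and addresses no reverse zone covers.

```python
# Added example, not code from the freeipa-dns.py repository: how A/AAAA
# records map onto PTR owner names, which existing reverse zone (in-addr.arpa
# / ip6.arpa) a PTR belongs in, and the "do not overwrite unless -o" rule the
# README describes for reverse-ptr. Function names and sample data are constructed.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple


def reverse_zone_for_prefix(prefix: str) -> str:
    """Reverse zone name for a prefix as given to `reverse-ptr -c`, e.g.
    '10.100' -> '100.10.in-addr.arpa.' and '2001:0db8:85a3' ->
    '3.a.5.8.8.b.d.0.1.0.0.2.ip6.arpa.' (IPv6 reverses nibbles, not hextets)."""
    if ":" in prefix:
        nibbles = "".join(hextet.zfill(4) for hextet in prefix.split(":")).lower()
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    octets = [o for o in prefix.split(".") if o]   # tolerate a trailing dot ('10.')
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(address: str) -> str:
    """Absolute PTR owner name: 192.168.2.100 -> 100.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def locate_ptr(address: str, zones: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Split a PTR owner into (zone, relative name) using the most specific
    existing reverse zone, so 10.100.5.7 lands in 100.10.in-addr.arpa. rather
    than 10.in-addr.arpa. Returns None when no reverse zone covers the address."""
    owner = ptr_owner(address)
    matches = [z for z in zones if owner.endswith("." + z)]
    if not matches:
        return None
    zone = max(matches, key=len)
    return zone, owner[: -len(zone) - 1]


def plan_ptr_sync(forward: Iterable[Tuple[str, str]], zones: Iterable[str],
                  existing: Dict[Tuple[str, str], str],
                  override: bool = False) -> List[Tuple[Optional[str], str, str, str]]:
    """For each (fqdn, address) A/AAAA record decide what to do with its PTR.

    `existing` maps (zone, relative name) -> current PTR target. Returns
    (zone, name, fqdn, action) with action one of create / update / skip /
    no-zone. Without override an existing PTR pointing elsewhere is kept,
    matching the README's default of not overwriting records."""
    zones = list(zones)
    plan = []
    for fqdn, address in forward:
        target = locate_ptr(address, zones)
        if target is None:
            plan.append((None, ptr_owner(address), fqdn, "no-zone"))
            continue
        zone, name = target
        current = existing.get((zone, name))
        if current is None:
            action = "create"
        elif current == fqdn:
            action = "skip"        # already correct
        elif override:
            action = "update"      # -o/--override repoints the PTR
        else:
            action = "skip"        # default: leave a foreign PTR alone
        plan.append((zone, name, fqdn, action))
    return plan


# Constructed sample data mirroring the README's `reverse-ptr -c` prefixes.
PREFIXES = ["10.", "10.100", "192.168", "2001:0db8:85a3"]
REVERSE_ZONES = [reverse_zone_for_prefix(p) for p in PREFIXES]
FORWARD_RECORDS = [
    ("www.mydomain.tld.", "192.168.2.100"),
    ("db.int.mydomain.tld.", "10.100.5.7"),
    ("old.mydomain.tld.", "10.3.4.5"),
    ("v6.mydomain.tld.", "2001:db8:85a3::1"),
    ("other.example.", "172.16.0.1"),   # no matching reverse zone
]
EXISTING_PTRS = {("10.in-addr.arpa.", "5.4.3"): "legacy.mydomain.tld."}


def actions(override: bool = False) -> Dict[str, str]:
    """Convenience view of the plan for the sample data: fqdn -> action."""
    return {fqdn: action for _, _, fqdn, action in
            plan_ptr_sync(FORWARD_RECORDS, REVERSE_ZONES, EXISTING_PTRS, override)}


if __name__ == "__main__":
    for entry in plan_ptr_sync(FORWARD_RECORDS, REVERSE_ZONES, EXISTING_PTRS):
        print(entry)
```

With the constructed data, `old.mydomain.tld.` is skipped because `5.4.3.10.in-addr.arpa.` already points at `legacy.mydomain.tld.`; passing `override=True` turns that into an update, and `other.example.` is reported as having no reverse zone, which is the case where the README's `-c` option would first have to create one.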
## License

These scripts, documentation and configuration examples are free software: you can redistribute them and/or modify them under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

These scripts, documentation and configuration examples are distributed in the hope that they will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, download it from http://www.gnu.org/licenses/.