> Alexander Bokovoy created the feature https://github.com/SSSD/sssd/issues/5482. Once
> implemented you will be able to check Kerberos authentication indicators like OTP from a
> PAM service.

Yeah, this seems like the way to go, thanks.

> You have a couple of options to speed up migration and improve performance:
>
> You could disable memberOf plugin during migration. According to an old benchmark it can
> make provisioning up to 20 times faster. You need to restart DS after you have disabled or
> enabled the plugin and run a memberOf task to fixup attributes,
> https://www.freeipa.org/page/V4/Performance_Improvements#Memberof_plugin

Thanks, I'll try that.

> It might be worth a shot to remove a couple of indices during migration and re-create them
> afterwards. This could speed up migration a bit, too.

Any idea how I could pick the right indices? Is there some index size report 
that I could look at?

> You could do a two-pass migration: First migrate all users to the new instance while the old
> FAS is online. Then shut down old FAS and only migrate user entries that have changed
> since the initial migration. You can use the modificationTimestamp for that. Every entry
> in DS has a modificationTimestamp attribute. It's an operational attribute which is
> maintained by the server.

Yeah, the problem is that FAS does not expose the modification timestamp, so I 
need to get that information out of FAS and into the migration script.

> Do you need the compat tree or NIS? slapi-nis and compat tree require additional
> resources. You can disable the features with ipa-compat-manage and ipa-nis-manage
> commands. You need to disable them on each server separately and restart DS.

I don't think we do, we only use IPA for Kerberos currently. Could other infra 
sysadmins confirm that?

Thanks for all the help

Aurélien
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org