Re: Status update for the new AAA system

> Alexander Bokovoy created the feature https://github.com/SSSD/sssd/issues/5482. Once
> implemented, you will be able to check Kerberos authentication indicators like OTP from a
> PAM service.

Yeah, this seems like the way to go, thanks.

> You have a couple of options to speed up migration and improve performance:
> 
> You could disable the memberOf plugin during migration. According to an old benchmark it can
> make provisioning up to 20 times faster. You need to restart DS after you have disabled or
> enabled the plugin and run a memberOf task to fix up attributes,
> https://www.freeipa.org/page/V4/Performance_Improvements#Memberof_plugin

Thanks, I'll try that.

> It might be worth a shot to remove a couple of indices during migration and re-create them
> afterwards. This could speed up migration a bit, too.

Any idea how I could pick the right indices? Is there some index size report that I could look at?

> You could do a two-pass migration: First migrate all users to the new instance while the old
> FAS is online. Then shut down the old FAS and only migrate user entries that have changed
> since the initial migration. You can use the modificationTimestamp for that. Every entry
> in DS has a modificationTimestamp attribute. It's an operational attribute which is
> maintained by the server.

Yeah, the problem is that FAS does not expose the modification timestamp, so I need to get that information out of FAS and into the migration script.

> Do you need the compat tree or NIS? slapi-nis and compat tree require additional
> resources. You can disable the features with ipa-compat-manage and ipa-nis-manage
> commands. You need to disable them on each server separately and restart DS.

I don't think we do, we only use IPA for Kerberos currently. Could other infra sysadmins confirm that?

Thanks for all the help

Aurélien