14. September 2016

Migrate LinOTP to privacyIDEA

The authentication system LinOTP 2 has been around since 2010. privacyIDEA is a fork that was introduced in 2014 which features a more modern architecture.

This post explains to you, how you can easily migrate all your authentication tokens and user settings to privacyIDEA. This is done by installing privacyIDEA with a copy of all your productive data. The LinOTP installation is not modified. This way you can test the migration and switch machines, when everything is fine.

If you want to migrate another, proprietary OTP solution, please read this post.

Backup LinOTP data

Under the hood privacyIDEA dropped the single-table configuration and uses database tables for logical structures like the resolver and realm definition. So I recommend to backup your data and work with the backed up data.

First dump your LinOTP database to a file:

mysqldump -u linotp2 -p LinOTP2 > linotp2.sql

You can find the password of the database user “linotp2” in the file /etc/linotp2/linotp.ini.

Also copy the encryption key /etc/linotp2/encKey.

Install privacyIDEA

Perform a clean installation of privacyIDEA. You can follow any installation procedure in the online documentation.

Copy the encryption file to /etc/privacyidea/enckey. Note that privacyIDEA by default does not use the uppercase “K” anymore.

Checkout and remember the database URI SQLALCHEMY_DATABASE_URI in /etc/privacyidea/pi.cfg.

 

Create a local copy of LinOTP database

On the privacyIDEA server you can now create a copy of the LinOTP database.

# mysql -u root -p
mysql> create database linotpdump;
mysql> grant all privileges on linotpdump.* to "linotp"@"localhost" identified by "topSecret";

 

You now can use the database URI mysql://linotp:topSecret@localhost/linotpdump.

Migrate the data

Download the migration script from github. In newer versions, this script might also already be packed with the privacyIDEA server.

In the script you need to adapt the lines

LINOTP_URI = "mysql://linotp2:testtest@localhost/LinOTP2"
PRIVACYIDEA_URI = "mysql://pi:pi@localhost/pi"

accordingly.

Now you can run the script

python privacyidea-migrate-linotp.py

As privacyIDEA uses internal token administrators, you should setup your first administrator

pi-manage admin add superuser

Now you can login to the WebUI as superuser and checkout all tokens.

What data is migrated?

The migration script migrates the resolver definitions, the realm definitions and all token data with all user assignments. The resolvers and realms are stored in the new privacyIDEA style. The additional tokeninfo is stored in the new extra privacyIDEA tokeninfo table.

Audit, System Config and Polcies are not migrated. We recommned creating the policies in privacyIDEA anew.

Note: At the moment only LDAP-Resolvers are migrated. Please ask us for automatic migration of any other resolver type.

Latest news
26. June 2024
Auf der Suche nach neuen Kolleginnen und Kollegen
The NetKnights team had the pleasure of being part of the job fair at the University of Kassel’s Department of Electronic Engineering and Computer Science. Many interesting talks with motivated students and career starters were held.
18. June 2024
Wir feiern Jubiläum!
To celebrate the 10th anniversary of NetKnights, we celebrated our anniversary party last week at the Renthof in Kassel. Companions, coaches, employees and their partners came together to celebrate this special event. Together we looked back on 10 years of NetKnights’ history.

Suche

Drücken Sie "Enter" zum Starten der Suche

Search

Press "Enter" to start the search