The authentication system LinOTP 2 has been around since 2010. privacyIDEA is a fork that was introduced in 2014 which features a more modern architecture.

This post explains to you, how you can easily migrate all your authentication tokens and user settings to privacyIDEA. This is done by installing privacyIDEA with a copy of all your productive data. The LinOTP installation is not modified. This way you can test the migration and switch machines, when everything is fine.

If you want to migrate another, proprietary OTP solution, please read this post.

Backup LinOTP data

Under the hood privacyIDEA dropped the single-table configuration and uses database tables for logical structures like the resolver and realm definition. So I recommend to backup your data and work with the backed up data.

First dump your LinOTP database to a file:

mysqldump -u linotp2 -p LinOTP2 > linotp2.sql

You can find the password of the database user “linotp2” in the file /etc/linotp2/linotp.ini.

Also copy the encryption key /etc/linotp2/encKey.

Install privacyIDEA

Perform a clean installation of privacyIDEA. You can follow any installation procedure in the online documentation.

Copy the encryption file to /etc/privacyidea/enckey. Note that privacyIDEA by default does not use the uppercase “K” anymore.

Checkout and remember the database URI SQLALCHEMY_DATABASE_URI in /etc/privacyidea/pi.cfg.

 

Create a local copy of LinOTP database

On the privacyIDEA server you can now create a copy of the LinOTP database.

# mysql -u root -p
mysql> create database linotpdump;
mysql> grant all privileges on linotpdump.* to "linotp"@"localhost" identified by "topSecret";

 

You now can use the database URI mysql://linotp:topSecret@localhost/linotpdump.

Migrate the data

Download the migration script from github. In newer versions, this script might also already be packed with the privacyIDEA server.

In the script you need to adapt the lines

LINOTP_URI = "mysql://linotp2:testtest@localhost/LinOTP2"
PRIVACYIDEA_URI = "mysql://pi:pi@localhost/pi"

accordingly.

Now you can run the script

python privacyidea-migrate-linotp.py

As privacyIDEA uses internal token administrators, you should setup your first administrator

pi-manage admin add superuser

Now you can login to the WebUI as superuser and checkout all tokens.

What data is migrated?

The migration script migrates the resolver definitions, the realm definitions and all token data with all user assignments. The resolvers and realms are stored in the new privacyIDEA style. The additional tokeninfo is stored in the new extra privacyIDEA tokeninfo table.

Audit, System Config and Polcies are not migrated. We recommned creating the policies in privacyIDEA anew.

Note: At the moment only LDAP-Resolvers are migrated. Please ask us for automatic migration of any other resolver type.