I used the following command trsnafere acc/group from 3.0 -4.0 successfuly

ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts  --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://abc.cde.com

BUT not all users transfer Kerberos account  http://abc.cde.com/ipa/migration

The strange is that I use abc.cde.com:389 in some 3rd party apps it can still read all users 's passwords.

SO  kerberos account and ldap accounts are different things ? LDAP passwords success transferred?  I no need to askall users to http://abc.cde.com/ipa/migration change right ?

the Admin UI only need admin to launch ..