Bug 1108232

Summary: [RFE] ipa migrate-ds should have an argument to specify cert to use for DS connection
Product: Red Hat Enterprise Linux 7 Reporter: Martin Kosek <mkosek>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED ERRATA QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.1CC: ksiddiqu, rcritten
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.0.3-1.el7 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:12:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Kosek 2014-06-11 14:58:32 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3243

Right now if one wants to migrate from the LDAP server that uses TLS he needs to import the cert into the NSS database on the IPA server manually. It would be nice if he could specify a cert file to use remotely and the command ipa migrate-ds would stick the cert into the NSS on his behalf. It might even remove it after the migration is done.
Comment 1 Martin Kosek 2014-06-11 15:23:28 UTC 
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Comment 3 Kaleem 2015-01-28 10:33:22 UTC 
Verified.

IPA Version:
============
[root@mgmt3 ~]# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64
[root@mgmt3 ~]# 

(1)Enable migration mode

[root@mgmt3 ~]# ipa config-mod --enable-migration TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
[root@mgmt3 ~]#
[root@mgmt3 ~]#ipa config-show|grep migration
  Enable migration mode: TRUE
[root@mgmt3 ~]#

(2)Provide LDAP's CA cert in --ca-cert-file option of migrate-ds command,

[root@mgmt3 ~]# echo xxxxxxxx | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://ipaqavmd.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2, philomena_hazen
  group: accounting managers, hr managers, qa managers, pd managers, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided
with clear text passwords. All migrated users need to
login at https://your.domain/ipa/migration/ before they
can use their Kerberos accounts.
[root@mgmt3 ~]#
Comment 5 errata-xmlrpc 2015-03-05 10:12:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html