Bug 901673

Summary: document how to migrate over SSL
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: doc-Linux_Domain_Identity_Management_Guide
Assignee: Aneta Šteflová Petrová <apetrova>
Status: CLOSED CURRENTRELEASE
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: low
Version: 7.0
CC: apetrova, ksiddiqu, mkosek, rcritten, tcapek
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2015-03-10 12:05:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dmitri Pal 2013-01-18 19:13:16 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3364

A user reported difficulties in migrating from an SSL-secured server and it took a bit of time to work out the details.

I found a way that works; we should probably put this into the migration docs.

IPA uses the openldap client libraries to connect to the remote LDAP server. It does this within the context of Apache on the IPA server.

You need to provide a location of the CA certificate(s) to the openldap library. There are several options, all of which involve editing /etc/openldap/ldap.conf:

1. Comment out TLS_CACERT and add a new one pointing to the PEM file for the CA of the remote LDAP server
2. Add the remote LDAP CA file to an NSS database and point to that database with TLS_CACERTDIR
3. Add the remote LDAP CA file to a directory and point to that directory with TLS_CACERTDIR

In all cases the httpd service needs to be restarted after making the change.

Comment 1 Dmitri Pal 2013-01-18 19:19:07 UTC
Then you run ipa migrate-ds.

Also you'll want to reverse whatever changes were made to ldap.conf after the migration. Mostly just because it isn't really needed any more, and depending on what you change you could cause future weird problems (like not trusting the IPA CA).

Comment 2 Deon Ballard 2013-01-18 22:27:10 UTC
Changing the product to RHEL 7.

Comment 4 Rob Crittenden 2013-01-21 16:06:56 UTC
Recommend putting the remote LDAP CA certificate into /etc/ipa/remote.crt.

Be sure to run restorecon /etc/ipa/remote.crt. Label should be unconfined_u:object_r:etc_t:s0
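The steps spread across the description and comments 1 and 4, gathered into one script as an added example (editor's code, not from the bug report or the FreeIPA project). It assumes the remote CA is already exported as a PEM file and uses the paths named in the bug (/etc/openldap/ldap.conf, /etc/ipa/remote.crt); the function and backup names are invented here.

```shell
#!/bin/sh
# Added example, not from the bug report: temporarily point the openldap
# client (used by IPA from inside Apache) at the remote LDAP server's CA,
# run the migration, then put the original ldap.conf back.
# Assumptions: the remote CA is already a PEM file, and the paths are the
# ones named in the bug (/etc/openldap/ldap.conf, /etc/ipa/remote.crt).

LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"
REMOTE_CA="${REMOTE_CA:-/etc/ipa/remote.crt}"

# point_ldap_conf_at CONF CA: option 1 from the description. Keeps a backup
# CONF.pre-migrate, comments out every active TLS_CACERT / TLS_CACERTDIR
# directive and appends a TLS_CACERT line for CA.
point_ldap_conf_at() {
    conf="$1"; ca="$2"
    [ -r "$ca" ] || { echo "CA file $ca is not readable" >&2; return 1; }
    cp -p "$conf" "$conf.pre-migrate" || return 1
    awk '/^[ \t]*TLS_CACERT(DIR)?[ \t]/ { print "# migrate-ds: " $0; next }
         { print }' "$conf" > "$conf.tmp" &&
        cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp" || return 1
    printf 'TLS_CACERT %s\n' "$ca" >> "$conf"
}

# active_cacert CONF: print the TLS_CACERT value(s) still in force, a
# pre-flight check that only the remote CA is trusted for the migration.
active_cacert() {
    awk '$1 == "TLS_CACERT" { print $2 }' "$1"
}

# revert_ldap_conf CONF: comment 1 says to undo the change afterwards,
# otherwise the IPA CA itself may no longer be trusted by the client.
revert_ldap_conf() {
    conf="$1"
    [ -f "$conf.pre-migrate" ] || { echo "no backup for $conf" >&2; return 1; }
    cat "$conf.pre-migrate" > "$conf" && rm -f "$conf.pre-migrate"
}

# migrate_over_ssl CA_PEM REMOTE_HOST: the whole flow from the bug. Not
# run here; needs root on an IPA server.
migrate_over_ssl() {
    install -m 0644 "$1" "$REMOTE_CA" && restorecon "$REMOTE_CA" || return 1
    point_ldap_conf_at "$LDAP_CONF" "$REMOTE_CA" || return 1
    systemctl restart httpd || return 1          # httpd must re-read ldap.conf
    ipa migrate-ds "ldaps://$2"; rc=$?
    revert_ldap_conf "$LDAP_CONF" && systemctl restart httpd
    return "$rc"
}
```

Run `active_cacert /etc/openldap/ldap.conf` before starting the migration to confirm the remote CA is the only trust anchor in force, and again after `revert_ldap_conf` to confirm the original is back.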

Comment 7 Kaleem 2015-02-13 11:45:51 UTC
Verified.