Red Hat Bugzilla – Bug 1108232
[RFE] ipa migrate-ds should have an argument to specify cert to use for DS connection
Last modified: 2015-03-05 05:12:14 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/3243 Right now if one wants to migrate from the LDAP server that uses TLS he needs to import the cert into the NSS database on the IPA server manually. It would be nice if he could specify a cert file to use remotely and the command ipa migrate-ds would stick the cert into the NSS on his behalf. It might even remove it after the migration is done.
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.
Verified.

IPA Version:
============
[root@mgmt3 ~]# rpm -q ipa-server
ipa-server-4.1.0-16.el7.x86_64
[root@mgmt3 ~]#

(1) Enable migration mode

[root@mgmt3 ~]# ipa config-mod --enable-migration TRUE
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: TRUE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: nfs:NONE, MS-PAC
[root@mgmt3 ~]#
[root@mgmt3 ~]# ipa config-show|grep migration
  Enable migration mode: TRUE
[root@mgmt3 ~]#

(2) Provide the LDAP server's CA cert in the --ca-cert-file option of the migrate-ds command

[root@mgmt3 ~]# echo xxxxxxxx | ipa migrate-ds --user-container="ou=People,dc=example,dc=com" --group-container="ou=groups,dc=example,dc=com" ldaps://ipaqavmd.testrelm.test:636 --ca-cert-file=/etc/ipa/remoteds.crt
-----------
migrate-ds:
-----------
Migrated:
  user: puser1, puser2, philomena_hazen
  group: accounting managers, hr managers, qa managers, pd managers, group1, group2
Failed user:
Failed group:
----------
Passwords have been migrated in pre-hashed format.
IPA is unable to generate Kerberos keys unless provided with clear text passwords.
All migrated users need to login at https://your.domain/ipa/migration/ before they can use their Kerberos accounts.
[root@mgmt3 ~]#
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0442.html