<div dir="ltr"><div>Hi Rcrit, </div><div>As Outlined in the IRC channel. Please find the ldap.conf from the open ldap server below. URI ldap://<a href="http://ldap.example.com">ldap.example.com</a> ldap://<a href="http://ldap1.example.com">ldap1.example.com</a> BASE dc=example,dc=com TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt </div><div>I then copy the file /etc/pki/tls/certs/ca-bundle.crt from the openldap server over to the test IPA server and on the IPA server I run the following command. certutil -A -d /etc/httpd/alias -n 'openldap CA' -t CT,, -a -i ca-bundle.crt </div><div>The openldap server is using a certificate signed by a CA. The IPA server is using the self signed certificate it generated when starting up. </div><div>I still get the error after adding the CA bundle for openldap server to the apache cert db on IPA server. </div><div>After explaining all this, I feel that the problem lies with the self signed cert on the IPA server. Can I confirm with someone the process in which the migration of data occurs? </div><div>I gather the it something like this. </div><div>1 >IPA binds/creates a connection to the remote server via SSL/TSL and creates a connection 2> It then binds to a socket locally </div><div> 3> Then contacts the apache server for some reason (no idea why this is contacting apache on 443?) </div><div> </div><div>Regards </div><div>John </div></div><div class="gmail_extra"> <div class="gmail_quote"> On Mon, Jan 14, 2013 at 6:09 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="im">Johnathan Phan wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Anyone know the details of the low level system steps for the migration script to work? so I can try and backwards engineer or troubleshoot each system as I go along so I can actually migrate the data from openldap to ipa? </blockquote> </div> The migration is taking place in the context of the web server. So any trust needs to be added to /etc/httpd/alias (and the httpd service restarted). It needs to trust the signer of the remote LDAP server. What I don't know is how you add trust in NSS for a self-signed server certificate. You might be best off issuing new SSL certs for your openldap server which uses a CA to issue the server cert in order to perform the migration. rob <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"> Regards John On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a> </div><div class="im"> <mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a>>> wrote: Hi Aquino, thanks for the input, however. There is a CRT in there already and it was set to allow on both the IPA server and the target openldap server. the core of the issue seems to be that IPA does not accept the cert either locally or remotely as it does not trust it. anyone know how I can troubleshot this. I have reviewed the dirsrv logs for ldap and I can't spot anything/. Regards John On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <<a href="mailto:JR.Aquino@citrix.com" target="_blank">JR.Aquino@citrix.com</a> </div><div class="im"> <mailto:<a href="mailto:JR.Aquino@citrix.com" target="_blank">JR.Aquino@citrix.com</a>>> wrote: Try editing /etc/openldap/ldap.conf: TLS_CACERT /etc/ipa/ca.crt TLS_REQCERT allow See if that helps "Keeping your head in the cloud" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Jr Aquino | Sr. Information Security Specialist GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117<x-apple-data-detectors://0/0> T: <a href="tel:%2B1%20805.690.3478" value="+18056903478" target="_blank">+1 805.690.3478</a> </div> <tel:%2B1%20805.690.3478><tel:+1%C2%A0805.690.3478> C: <a href="tel:%2B1%20805.717.0365" value="+18057170365" target="_blank">+1 805.717.0365</a> <tel:%2B1%20805.717.0365><tel:+1%20805.717.0365> <a href="mailto:jr.aquino@citrix.com" target="_blank">jr.aquino@citrix.com</a> <mailto:<a href="mailto:jr.aquino@citrix.com" target="_blank">jr.aquino@citrix.com</a>><mailto:<a href="mailto:jr.aquino@citrixonline.com" target="_blank">jr.aquino@citrixonline.com</a><div class="im"> <mailto:<a href="mailto:jr.aquino@citrixonline.com" target="_blank">jr.aquino@citrixonline.com</a>>> <a href="http://www.citrixonline.com" target="_blank">http://www.citrixonline.com</a><<a href="http://www.citrixonline.com/" target="_blank">http://www.citrixonline.com/</a>> On Jan 11, 2013, at 8:05 AM, Johnathan Phan <<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a> </div> <mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a>><mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a><div class="im"> <mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a>>>> wrote: Hi There, This is driving me up the wall. I have two servers. 1 is a live openldap/kerberous AAA server running on RHEL6. The LDAP service has SSL/TS support. The second server is a test environment running on fedora and has 3.1 IPA installed. As a last step of my POC I need to migrate the users and passwords from the LDAP server to IPA server. I ran this command perfectly fine. ipa config-mod --enable-migration=TRUE However the next step was where my issues began. In the end after a lot of IRC communication and troubleshooting I now run the following command. ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" --user-container="ou=users,ou=live,dc=example,dc=com" --group-container="ou=groups,ou=live,dc=example,dc=com" ldaps://<a href="http://ldap1.live.example.com" target="_blank">ldap1.live.example.com</a> </div> <<a href="http://ldap1.live.example.com" target="_blank">http://ldap1.live.example.com</a>><<a href="http://ldap1.live.example.com/" target="_blank">http://ldap1.live.example.com/</a>><div class="im"> I get the following error. ipa: DEBUG: Caught fault 4203 from server <a href="http://fedoraipaserver.test.example.com/ipa/xml" target="_blank">http://fedoraipaserver.test.example.com/ipa/xml</a>: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized. ipa: DEBUG: Destroyed connection context.xmlclient ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized. I have summarized that the IPA server does not trust the cert served by the openldap or the other way around. Does anyone know how to get around this? Or allow me to finish the migration of user data. Regards John -- Johnathan Phan </div> T: <a href="tel:%2B44%20%280%29784%20118%207080" value="+447841187080" target="_blank">+44 (0)784 118 7080</a> <tel:%2B44%20%280%29784%20118%207080><div class="im"> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> </div> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>><mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <mailto:<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>>><div class="im"> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> -- Johnathan Phan ox-consulting </div> T: <a href="tel:%2B44%20%280%29784%20118%207080" value="+447841187080" target="_blank">+44 (0)784 118 7080</a> <tel:%2B44%20%280%29784%20118%207080> <a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a> <mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a>> <a href="http://www.ox-consulting.com" target="_blank">www.ox-consulting.com</a> <<a href="http://www.ox-consulting.com" target="_blank">http://www.ox-consulting.com</a>><div class="im"> OX CONSULTING Ltd is registered in England & Wales, number: 07113039, registered address as above. The information contained in this email message may be privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please notify the sender immediately. -- Johnathan Phan ox-consulting T: <a href="tel:%2B44%20%280%29784%20118%207080" value="+447841187080" target="_blank">+44 (0)784 118 7080</a> </div><a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a> <mailto:<a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a>> <a href="http://www.ox-consulting.com" target="_blank">www.ox-consulting.com</a> <<a href="http://www.ox-consulting.com" target="_blank">http://www.ox-consulting.com</a>><div class="im"> OX CONSULTING Ltd is registered in England & Wales, number: 07113039, registered address as above. The information contained in this email message may be privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please notify the sender immediately. </div><div class="im"> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> </div><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> </blockquote></div> -- Johnathan Phan ox-consulting T: +44 (0)784 118 7080 <a href="mailto:john@ox-consulting.com" target="_blank">john@ox-consulting.com</a> <a href="http://www.ox-consulting.com" target="_blank">www.ox-consulting.com</a> OX CONSULTING Ltd is registered in England & Wales, number: 07113039, registered address as above. The information contained in this email message may be privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please notify the sender immediately.<div style="padding:0px;margin-left:0px;margin-top:0px;overflow:hidden;word-wrap:break-word;color:black;font-size:10px;text-align:left;line-height:130%"> </div> </div>