[Freeipa-users] OS Migration path

[James Roman]

I am currently running free-ipa 1.2.1 on a FC9 install with fedora-ds 
1.2.0-4. I would like to upgrade the operating system for my IPA server 
to FC10. I'd like to hear some recommendations for migrating the server 
to FC10 without losing the IPA server LDAP database (or at least, not 
losing the users and groups).

I am running the server in a VM, so I can easily recover the server to 
its original state from snapshot.

My initial plans are this:

   1. Export PKCS12 server certificate for /etc/dirsv/slapd-INSTANCE and
      /etc/httpd/alias certificates.
   2. Use db2bak to backup the entire DS database
   3. Backup all the directories in
      http://freeipa.org/docs/1.2/Administration_Guide/en-US/html/chap-Administration_Guide-Backup_and_Recovery.html
      to a separate disk partition.
   4. export the "dc=realm,dc=com" and "cn=etc" directory branches  to ldif
   5. Disable automatic start of dirsrv, ipa_kpasswd and ipa_webgui
   6. Boot VM from Fedora 10 DVD and choose to upgrade existing install
   7. After install reboots, log into server and run "yum upgrade" to
      bring OS up to date (This will also migrate fedora-ds to 389-ds).
   8. Verify dirsrv, ipa_kpasswd and ipa_webgui won't restart
      automatically again. Reboot server once more to run upgraded OS.
   9. Start dirsrv, ipa_kpasswd and ipa_webgui manually. Address any
      issues that arise.
  10. Configure dirsrv, ipa_kpasswd and ipa_webgui to restart automatically.

Questions:
Do I need to change authentication in any way to remove LDAP 
dependencies while dirsrv is disabled?
Are there any risks from the directory server upgrade?
Should I only upgrade the the OS packages during the "yum upgrade" and 
make sure that the directory server loads properly prior to upgrading 
the directory server and freeipa?
Will the OS upgrade overwrite or modify any of the existing fedora 
database configurations?
Will the OS upgrade overwrite or modify any of the certificate databases?