[Freeipa-users] OS Migration path

Rob Crittenden rcritten at redhat.com
Mon Sep 28 14:56:15 UTC 2009


James Roman wrote:
> I am currently running free-ipa 1.2.1 on a FC9 install with fedora-ds 
> 1.2.0-4. I would like to upgrade the operating system for my IPA server 
> to FC10. I'd like to hear some recommendations for migrating the server 
> to FC10 without losing the IPA server LDAP database (or at least, not 
> losing the users and groups).
> 
> I am running the server in a VM, so I can easily recover the server to 
> its original state from snapshot.
> 
> My initial plans are this:
> 
>   1. Export PKCS12 server certificate for /etc/dirsrv/slapd-INSTANCE and
>      /etc/httpd/alias certificates.

If you are using our self-signed CA be sure to back up the CA certificate 
in the DS instance. Also back up /var/lib/ipa/ca_serialno.

>   2. Use db2bak to back up the entire DS database
>   3. Back up all the directories in
>      http://freeipa.org/docs/1.2/Administration_Guide/en-US/html/chap-Administration_Guide-Backup_and_Recovery.html
>      to a separate disk partition.
>   4. Export the "dc=realm,dc=com" and "cn=etc" directory branches to ldif

I'd add dse.ldif which is found in your DS instance dir.

>   5. Disable automatic start of dirsrv, ipa_kpasswd and ipa_webgui

If you disable dirsrv you'll want to disable krb5kdc as well. I'd also 
back up /var/kerberos/krb5kdc/

>   6. Boot VM from Fedora 10 DVD and choose to upgrade existing install
>   7. After install reboots, log into server and run "yum upgrade" to
>      bring OS up to date (This will also migrate fedora-ds to 389-ds).
>   8. Verify dirsrv, ipa_kpasswd and ipa_webgui won't restart
>      automatically again. Reboot server once more to run upgraded OS.
>   9. Start dirsrv, ipa_kpasswd and ipa_webgui manually. Address any
>      issues that arise.
>  10. Configure dirsrv, ipa_kpasswd and ipa_webgui to restart automatically.
> 
> Questions:
> Do I need to change authentication in any way to remove LDAP 
> dependencies while dirsrv is disabled?

You could run ipa-client-install --uninstall to restore auth to its 
previous state. Then run ipa-client-install again when the server comes 
back up. IMPORTANT, include the --on-master flag when you set it up again.

> Are there any risks from the directory server upgrade?

I don't think so. I upgraded on my F-11 from fedora-ds-base to 
389-ds-base with no problems.

> Should I only upgrade the OS packages during the "yum upgrade" and 
> make sure that the directory server loads properly prior to upgrading 
> the directory server and freeipa?

I'm not sure it would make a difference. If you're worried then yes, you 
can do this.

> Will the OS upgrade overwrite or modify any of the existing fedora 
> database configurations?

It shouldn't. The DS instances are not affected by the DS package.

> Will the OS upgrade overwrite or modify any of the certificate databases?

It shouldn't, though the backups you propose will protect you.

Good luck and let us know how things go.

rob
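
The backup items named in this thread can be checked before the OS upgrade is started. The script below is an added example, not part of the original messages and not FreeIPA tooling; it assumes the backup mirrors the original absolute paths under a root directory, and the function name and instance name argument are hypothetical.

```shell
#!/bin/sh
# Added example: verify a pre-upgrade backup tree before touching the OS.
# Assumption: the backup mirrors the original absolute paths under ROOT.

# Print every missing or empty item; return 0 only if the backup is complete
# and ROOT is not accessible to group/other (it holds key material).
check_ipa_backup() {
    root=$1 inst=$2 missing=0

    # Paths named in the thread. A trailing "/" marks a directory.
    for item in \
        "etc/dirsrv/slapd-$inst/dse.ldif" \
        "etc/httpd/alias/" \
        "var/lib/ipa/ca_serialno" \
        "var/kerberos/krb5kdc/"
    do
        path="$root/$item"
        case $item in
            */) # directory must exist and contain at least one entry
                if [ ! -d "$path" ] || [ -z "$(ls -A "$path" 2>/dev/null)" ]; then
                    echo "MISSING dir:  /$item"; missing=$((missing + 1))
                fi ;;
            *)  # file must exist and be non-empty
                if [ ! -s "$path" ]; then
                    echo "MISSING file: /$item"; missing=$((missing + 1))
                fi ;;
        esac
    done

    # Certificate databases and the KDC directory contain private keys,
    # so the backup root must grant nothing to group or other.
    if [ "$(ls -ld "$root" | cut -c5-10)" != "------" ]; then
        echo "UNSAFE: $root is accessible to group or other"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}
```

Call it as `check_ipa_backup /path/to/backup INSTANCE` and continue with the upgrade only when it returns 0.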