[Freeipa-users] openldap to ipa
Rob Crittenden
rcritten at redhat.com
Mon Jan 14 18:09:50 UTC 2013
Johnathan Phan wrote:
> Anyone know the details of the low level system steps for the migration
> script to work? So I can try and backwards engineer or troubleshoot each
> system as I go along so I can actually migrate the data from openldap to
> ipa?
The migration is taking place in the context of the web server. So any
trust needs to be added to /etc/httpd/alias (and the httpd service
restarted). It needs to trust the signer of the remote LDAP server. What
I don't know is how you add trust in NSS for a self-signed server
certificate. You might be best off issuing new SSL certs for your
openldap server which uses a CA to issue the server cert in order to
perform the migration.
rob
>
> Regards
>
> John
>
>
> On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <john at ox-consulting.com> wrote:
>
> Hi Aquino,
>
> Thanks for the input; however, there is a CRT in there already and
> it was set to allow on both the IPA server and the target openldap
> server.
> The core of the issue seems to be that IPA does not accept the cert
> either locally or remotely as it does not trust it.
>
> Anyone know how I can troubleshoot this? I have reviewed the dirsrv
> logs for ldap and I can't spot anything.
>
> Regards
> John
>
>
> On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>
> Try editing /etc/openldap/ldap.conf:
>
> TLS_CACERT /etc/ipa/ca.crt
> TLS_REQCERT allow
>
>
> See if that helps
>
>
> On Jan 11, 2013, at 8:05 AM, Johnathan Phan <john at ox-consulting.com> wrote:
>
> Hi There,
>
> This is driving me up the wall.
>
> I have two servers. 1 is a live openldap/Kerberos AAA server
> running on RHEL6. The LDAP service has SSL/TLS support. The
> second server is a test environment running on fedora and has
> 3.1 IPA installed.
>
> As a last step of my POC I need to migrate the users and
> passwords from the LDAP server to IPA server.
>
> I ran this command perfectly fine.
>
> ipa config-mod --enable-migration=TRUE
>
> However the next step was where my issues began.
>
> In the end after a lot of IRC communication and troubleshooting
> I now run the following command.
>
> ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com"
> --user-container="ou=users,ou=live,dc=example,dc=com"
> --group-container="ou=groups,ou=live,dc=example,dc=com"
> ldaps://ldap1.live.example.com
>
> I get the following error.
>
> ipa: DEBUG: Caught fault 4203 from server
> http://fedoraipaserver.test.example.com/ipa/xml: Can't contact
> LDAP server: TLS error -8179:Peer's Certificate issuer is not
> recognized.
> ipa: DEBUG: Destroyed connection context.xmlclient
> ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's
> Certificate issuer is not recognized.
>
> I have summarized that the IPA server does not trust the cert
> served by the openldap or the other way around. Does anyone know
> how to get around this? Or allow me to finish the migration of
> user data.
>
> Regards
>
> John
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
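Rob's answer above boils down to a short procedure: import the CA that signed the OpenLDAP server's certificate into httpd's NSS database with CA trust, confirm the trust flags took, and restart httpd so the migration code (which runs inside httpd) sees it. The script below is an added example of that procedure; it is not code from the thread or from FreeIPA. The database path /etc/httpd/alias and its pwdfile.txt, the CA file path, the nickname "OpenLDAP migration CA", the sample certutil listing and the host name ldap1.live.example.com (taken from the thread) are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: make the IPA server's web-server
# NSS database trust the CA that signed the OpenLDAP server's certificate,
# which is what NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) is complaining about.
# Assumptions: IPA 3.x layout (/etc/httpd/alias plus pwdfile.txt), the PEM CA
# file path, the nickname, and the ldap1.live.example.com host from the thread.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"              # httpd's NSS db on IPA 3.x (assumption)
CA_PEM="${CA_PEM:-/root/openldap-ca.crt}"       # PEM of the CA that signed ldap1's cert (assumption)
NICK="${NICK:-OpenLDAP migration CA}"           # any unused nickname (assumption)

# Before touching the db, prove that CA_PEM really is the issuer of what the
# server presents: only "Verify return code: 0 (ok)" counts as success.
precheck_remote() {
  openssl s_client -connect "$1:636" -CAfile "$CA_PEM" </dev/null 2>/dev/null \
    | grep 'Verify return code: 0 '
}

# Parse `certutil -L -d $NSSDB` output and report whether NICK carries the
# "C" flag in the SSL column (first of SSL,S/MIME,JAR/XPI). That flag, not
# merely the cert's presence, is what lets NSS accept certificates it issued.
# Pure text function so it can be checked offline on a constructed listing.
ca_trusted_in_listing() {
  printf '%s\n' "$2" | awk -v nick="$1" '
    NF >= 2 {
      flags = $NF            # e.g. "CT,," or "u,u,u"
      $NF = ""               # drop the flags column, leaving the nickname
      sub(/[ \t]+$/, "")     # trim the separator awk leaves behind
      if ($0 == nick && flags ~ /^[^,]*C/) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of what `certutil -L` prints after a successful import.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
EXAMPLE.TEST IPA CA                                          CT,C,C
OpenLDAP migration CA                                        CT,,'

# Import the CA with trust "CT,,": C = trusted to issue SSL server certs
# (the bit -8179 needs), T = trusted to issue client certs (harmless here).
# -a says the input is PEM. IPA's httpd db is password protected and keeps
# the password in pwdfile.txt next to it (assumption: default IPA layout).
add_ca_trust() {
  if [ -f "$NSSDB/pwdfile.txt" ]; then
    certutil -A -d "$NSSDB" -f "$NSSDB/pwdfile.txt" -n "$NICK" -t "CT,," -a -i "$CA_PEM"
  else
    certutil -A -d "$NSSDB" -n "$NICK" -t "CT,," -a -i "$CA_PEM"
  fi
}

# Re-read the db and confirm the flags took; then restart httpd, since the
# migration runs inside that process and it only reads the db at startup.
verify_and_restart() {
  ca_trusted_in_listing "$NICK" "$(certutil -L -d "$NSSDB")"
  systemctl restart httpd        # RHEL 6: service httpd restart
}

# Only act when told to:  sh add-openldap-ca-trust.sh run ldap1.live.example.com
if [ "${1:-}" = "run" ]; then
  precheck_remote "${2:-ldap1.live.example.com}"
  add_ca_trust
  verify_and_restart && echo "$NICK is trusted in $NSSDB; re-run ipa migrate-ds"
fi
```

Two points worth keeping in mind. The TLS_REQCERT allow change suggested earlier in the thread only affects programs that use the OpenLDAP client library (ldapsearch and friends) and does so by switching verification off, whereas the error here is raised by NSS inside the IPA httpd process, which is why the import above is both the fix and the safer one. If the OpenLDAP server uses a bare self-signed certificate with no separate CA, that certificate is its own issuer: importing it with the same certutil command and trust "P,," (trusted peer) is the NSS equivalent, though reissuing the server certificate from a CA, as Rob suggests, remains the cleaner option.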