[Freeipa-users] Gave Up on RHEL6->7 migration, starting over. (ipa migrate-ds)

Martin Kosek mkosek at redhat.com
Tue Mar 17 16:29:25 UTC 2015


On 03/17/2015 05:16 PM, Benjamin Reed wrote:
> On 3/17/15 12:09 PM, Martin Kosek wrote:
>> I would still wish we had fixed the original root cause why replication was
>> failing for you - as this is the obviously expected way of upgrading to
>> RHEL/CentOS 7.1 from a RHEL-6 environment and I think/hope it would be less work
>> than starting over (depends on how populated your existing IPA instance is).
> 
> Yeah, I totally get that, but I've actually been holding up a product
> launch trying to get things working, or I'd try to work through it
> longer.  :(
> 
> I'm actually going to just shut down the old server's IPA but not
> uninstall it, so if there is any progress made on the issue I've opened
> I may be able to try it with a fresh replication target still.

Ok, thank you.

> I did run into one snag.  Our IPA servers are on the public internet, so
> I've disabled anonymous bind.  However, it appears that the
> /ipa/migration/ tool requires it; at least, I'm getting this error in
> httpd/error_log:
> 
>> migration context search failed: Insufficient access: Inappropriate
>> authentication: Anonymous access is not allowed.

I am CCing Petr Vobornik for the UI part. I think you are right. I quickly
checked the code: it indeed does an anonymous search, and it also does not use
the CA certificate for TLS authentication when LDAPI is not available.

IMO, a ticket is due, to use the IPA API object to get the basedn that is
read in the anonymous connection and to also use TLS when LDAPI is not available.

> Is there a way to make migration work without anonymous bind?  A config
> file I can change somewhere to force the migration tool to bind as a user?

Hmm, if the migration page is not working for you, I see the following options:

1) Migrate users via SSSD and simply SSH or log in to any machine enrolled to
the new IPA, as I showed in the example.

2) Implement your own migration tool, doing an LDAP BIND for the migrated user
(this is what SSSD does too anyway).

3) (hackish) Until the potential ticket is fixed, you can try to fix
/usr/share/ipa/migration/migration.py on the IPA server yourself. This is the
migration script that is used. If you actually fix it, you may even think about
contributing the fix to the FreeIPA project as a patch; it would be very welcome :-)
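Option 2 above, as an added example that is not SSSD's or FreeIPA's code: a minimal LDAPv3 simple bind over LDAPS that verifies the server against the IPA CA certificate and returns the LDAP result code, so the "Anonymous access is not allowed" refusal seen in error_log (resultCode 48, inappropriateAuthentication) can be told apart from a wrong password (49). The host name, user DN, password and CA file path passed to ldap_bind are assumed placeholders, not values from the thread.

```python
import socket
import ssl

# LDAP resultCode values that matter here (RFC 4511)
RESULT_NAMES = {0: "success", 48: "inappropriateAuthentication", 49: "invalidCredentials"}

def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(data: bytes, pos: int = 0):
    """Decode one BER element at pos; returns (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }; msg_id < 128."""
    body = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def parse_bind_response(data: bytes):
    """Return (resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    _, msg, _ = read_tlv(data)  # outer LDAPMessage SEQUENCE
    _, _, p = read_tlv(msg)  # messageID
    tag, resp, _ = read_tlv(msg, p)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    _, code, p = read_tlv(resp)  # resultCode ENUMERATED
    _, _, p = read_tlv(resp, p)  # matchedDN, not needed
    _, diag, _ = read_tlv(resp, p)  # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode()

def ldap_bind(host: str, dn: str, password: str, ca_file: str, port: int = 636):
    """Simple bind over LDAPS with the server verified against the IPA CA certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # e.g. /etc/ipa/ca.crt (assumed path)
    with socket.create_connection((host, port)) as raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, dn, password))
        code, diag = parse_bind_response(tls.recv(4096))  # a BindResponse fits in one read
        return code, RESULT_NAMES.get(code, "other"), diag
```

Call ldap_bind("ipa.example.com", "uid=alice,cn=users,cn=accounts,dc=example,dc=com", "secret", "/etc/ipa/ca.crt") once per migrated user (all assumed values); the password only ever leaves the client over the CA-verified TLS session.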
