[Freeipa-users] copying through intermediate host.

Tony Brian Albers tba at statsbiblioteket.dk
Fri Jul 8 09:58:42 UTC 2016 

Replying to myself here, I do that sometimes when I feel alone ;)

I actually tried ssh port forwarding and relaying through workstation1,
like so:

ssh -L 9000:localhost:389 root at server2  (in one terminal)

ssh -R 9100:localhost:9000 root at server1 (in another terminal)

And then, on server1:

echo password | ipa migrate-ds --bind-dn="cn=Directory Manager"
--user-container=cn=users,cn=accounts
--group-container=cn=groups,cn=accounts --group-objectclass=posixgroup
--user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://localhost:9100

But I get:
ipa: ERROR: Insufficient access:  Invalid credentials

Even though the password _is_ correct and port 9100 is connected to ipa
on server2:

[server1]# ldapsearch -x -h localhost:9100  -b dc=server2,dc=server2net
uid=admin
# extended LDIF
#
# LDAPv3
# base <dc=server2,dc=server1net> with scope subtree
# filter: uid=admin
# requesting: ALL
#

# admin, users, compat, server2.server2net
dn: uid=admin,cn=users,cn=compat,dc=server2,dc=server2net
cn: Administrator
objectClass: posixAccount
objectClass: ipaOverrideTarget
........


So, I can connect to server2 on server1's port 9100 but I can't get ipa
migrate-ds to use it.

And I did a kinit admin on server1 first ;)

Any suggestione are appreciated.

/tony


On Fri, 2016-07-08 at 08:50 +0000, Tony Brian Albers wrote:
> Hi Guys,
> 
> I'm trying to copy relevant users and groups from one IPA
> server(server1) to another(server2). This is they can't talk to one
> another, they can't even establish connections to something outside
> their own networks. SSH into the servers from where I am(workstation1)
> works fine for both of them.
> 
> Is there a way to use ipa migrate-ds and get it to dump to a file that I
> can import on server2?
> 
> The network layout is like this
> server1----<<firewall1<<----workstation1---->>firewall2>>----server2
> 
> So, the firewalls allow connections from workstation1 to server 1 and
> server2, but not from server1 to server2 or from either server1 or
> server2 to workstation1.
> 
> The easy solution would be dumping the necessary info from the IPA
> server to a file and then import it on the other server.
> 
> Any suggestions?  I've looked a bit at ssh port forwarding, but I can't
> really get an idea as how to relay the two connections to the servers to
> oneanother.
> 
> Thanks,
> 
> Tony
> 
> -- 
> Best regards,
> 
> Tony Albers
> Systems administrator, IT-development
> State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
> Tel: +45 8946 2316
> 
> 
> 
> 

-- 
Best regards,

Tony Albers
Systems administrator, IT-development
State and University Library, Victor Albecks Vej 1, 8000 Aarhus C, Denmark.
Tel: +45 8946 2316

More information about the Freeipa-users mailing list