Thanks Rafael for answering my Qs. Kinda bummed about not being able to find out from the server which clients have been used... I think I'm going to investigate this more; there's got to be something in LDAP or the KDC that is storing this info. (Could be a waste of time, but if I find a way, I'll let you know.)


Anyway, I took your advice and built me a RHEL8 IDM replica and logins work just fine. It was fairly straightforward. The only issue I have is that the ipa-ca-install command fails and I see a 404 client error for http://my.replica.server.name:8080/ca/admin/ca/getStatus

About a page up in the syslog I can see where I get the failed connection: "Connection failed: HTTPConnectionPool(host=my.replica.server.name, port=8080) Max retries exceeded with url: /ca/admin/ca/getStatus"

Not sure if this is related but I also saw a line stating "flags used: -D com.redhat.fips=false" BUT both of my servers are running FIPS.


On the original master server (the Cent7 box) I ran `ipa server-role-find --role "CA Server"` and it reported back to me that my new replica server is a CA server, but its current state is "configured" and not "enabled" like I would expect.

Also, when I do an "ipactl status" on the new replica, the pki service isn't in the list at all...


Any light you (or anyone else) could shed on why pki-tomcat fails to start during the install process would be appreciated.


Thanks for the help so far.


v/r,

justin


On 11/12/2023 9:19 PM, Rafael Jeffman wrote:
Hi Justin,

On Sun, Nov 12, 2023 at 2:01 PM Justin Sanderson via FreeIPA-users <[email protected]> wrote:
>
>
> All - I've posted here before a while back. Long story short, I
> inherited a FreeIPA server and am now looking at building out a more
> robust environment.
>
> Two things I'd like to ask some input for:
>
>
> 1) Is there a way to determine when a client was last used for
> authentication? I'm looking at a list of about 1500 client systems -
> majority of which I'm sure haven't been used (retired client systems,
> etc.) in a decent amount of time. I'd like to clean these systems up so
> I have a more accurate representation of what is actually authenticating
> against my IDM.
>

I'm not sure if this is possible at all without looking at logs in the clients.

>
> 2) After cleanup, I'm interested in building a replica (or two) to
> facilitate an upgrade. The current server is CentOS 7. We've had
> numerous problems from this server and would like to upgrade to a more
> supported/newer version of OS and IDM software.
>
>      a) Is it possible to install a replica server as RHEL9 IDM server
> from my existing CentOS 7 server? Essentially, what I'd like to occur
> is we use the RHEL9 replica as a means to "migrate" and upgrade the
> existing services and eventually power off the original Cent7 server.
>

Do not skip major versions. The recommended procedure is to update to
CentOS/RHEL 8 and then to RHEL9.

You want to follow these docs:
* Upgrade to RHEL 8: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/migrating_to_identity_management_on_rhel_8/migrating
* Upgrade to RHEL 9: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/migrating_to_identity_management_on_rhel_9/assembly_migrating-your-idm-environment-from-rhel-8-servers-to-rhel-9-servers_migrating-to-idm-on-rhel-9

HTH,

Rafael

>
> The replica installation process seems to be fairly straightforward,
> but I was wondering if anyone out there has tried this before and any
> painful "lessons learned" after the upgrade/migration...
>
>
> Any help or insight would be appreciated.
>



--
Rafael Guterres Jeffman
Senior Software Engineer
FreeIPA - Red Hat
