Johnathan Phan wrote:
Anyone know the details of the low-level system steps for the migration
script to work? So I can try and backwards-engineer or troubleshoot each
system as I go along, so I can actually migrate the data from openldap to
ipa?


The migration is taking place in the context of the web server. So any trust needs to be added to /etc/httpd/alias (and the httpd service restarted). It needs to trust the signer of the remote LDAP server. What I don't know is how you add trust in NSS for a self-signed server certificate. You might be best off issuing new SSL certs for your openldap server which uses a CA to issue the server cert in order to perform the migration.

rob


Regards

John
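Rob's reply above leaves open how to make the httpd NSS database trust the OpenLDAP server's certificate (CA-issued or self-signed). The script below is an added example, not code from the thread or from FreeIPA: it fetches the chain the LDAP server presents, imports the anchor into /etc/httpd/alias with the appropriate NSS trust flags, and restarts httpd. It assumes openssl and certutil (nss-tools) are installed, the host name and port are supplied by the caller, and the NSS_DB path can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the thread: teach the NSS database used by the FreeIPA
# web server (/etc/httpd/alias, as in Rob's reply) to trust the OpenLDAP server's
# certificate chain so `ipa migrate-ds ... ldaps://...` stops failing with -8179.
# Assumes openssl and certutil (nss-tools) are installed and the LDAP port is reachable.
set -e

NSS_DB="${NSS_DB:-/etc/httpd/alias}"

# Keep only the last PEM block from `openssl s_client -showcerts` output on stdin:
# the root CA when the server sends a full chain, or the server cert itself when
# it is self-signed (the case Rob was unsure about). If the server omits its
# root, import the root from the CA's own file instead of using this helper.
last_cert_in_chain() {
    awk '/BEGIN CERTIFICATE/ { buf = "" }
         { buf = buf $0 "\n" }
         /END CERTIFICATE/ { last = buf }
         END { printf "%s", last }'
}

# NSS trust flags for the cert being imported:
#   subject == issuer -> self-signed end-entity cert, trust it as a peer ("P,,")
#   otherwise         -> a CA cert, trust it to issue SSL server certs ("CT,,")
trust_flags_for() {
    if [ "$1" = "$2" ]; then printf 'P,,'; else printf 'CT,,'; fi
}

# Fetch the chain from the LDAP server, import the anchor with the right trust,
# show the resulting trust line, then restart httpd so the migration picks it up.
import_ldap_trust() {
    host="$1"; port="${2:-636}"; nick="${3:-openldap-trust}"
    pem="$(mktemp)"
    openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
        | last_cert_in_chain > "$pem"
    subject="$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')"
    issuer="$(openssl x509 -in "$pem" -noout -issuer | sed 's/^issuer= *//')"
    flags="$(trust_flags_for "$subject" "$issuer")"
    certutil -A -d "$NSS_DB" -n "$nick" -t "$flags" -a -i "$pem"
    rm -f "$pem"
    # grep fails (and set -e aborts) if the cert did not land in the database.
    certutil -L -d "$NSS_DB" | grep -F "$nick"
    service httpd restart
}

# Usage: sh this_script.sh ldap1.live.example.com [636] [nickname]
if [ $# -gt 0 ]; then import_ldap_trust "$@"; fi
```

After the restart, `certutil -L -d /etc/httpd/alias` should list the nickname with `CT,,` (CA) or `P,,` (self-signed peer), and `ipa migrate-ds` can be re-run.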


On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

    Hi Aquino,

    Thanks for the input; however, there is a CRT in there already and
    it was set to allow on both the IPA server and the target openldap
    server.
    The core of the issue seems to be that IPA does not accept the cert
    either locally or remotely, as it does not trust it.

    Anyone know how I can troubleshoot this? I have reviewed the dirsrv
    logs for ldap and I can't spot anything.

    Regards
    John


    On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <jr.aqu...@citrix.com> wrote:

        Try editing /etc/openldap/ldap.conf:

        TLS_CACERT      /etc/ipa/ca.crt
        TLS_REQCERT allow


        See if that helps

        "Keeping your head in the cloud"
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        Jr Aquino | Sr. Information Security Specialist
        GIAC Exploit Researcher and Advanced Penetration Tester |
        GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
        Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
        T: +1 805.690.3478
        C: +1 805.717.0365
        jr.aqu...@citrix.com
        http://www.citrixonline.com

        On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:

        Hi There,

        This is driving me up the wall.

        I have two servers. 1 is a live openldap/kerberos AAA server
        running on RHEL6. The LDAP service has SSL/TLS support. The
        second server is a test environment running on fedora and has
        3.1 IPA installed.

        As a last step of my POC I need to migrate the users and
        passwords from the LDAP server to IPA server.

        I ran this command perfectly fine.

        ipa config-mod --enable-migration=TRUE

        However the next step was where my issues began.

        In the end after a lot of IRC communication and troubleshooting
        I now run the following command.

        ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com"
        --user-container="ou=users,ou=live,dc=example,dc=com"
        --group-container="ou=groups,ou=live,dc=example,dc=com"
        ldaps://ldap1.live.example.com

        I get the following error.

        ipa: DEBUG: Caught fault 4203 from server
        http://fedoraipaserver.test.example.com/ipa/xml: Can't contact
        LDAP server: TLS error -8179:Peer's Certificate issuer is not
        recognized.
        ipa: DEBUG: Destroyed connection context.xmlclient
        ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's
        Certificate issuer is not recognized.

        I have summarized that the IPA server does not trust the cert
        served by the openldap or the other way around. Does anyone know
        how to get around this? Or allow me to finish the migration of
        user data.

        Regards

        John

        --
        Johnathan Phan

        T: +44 (0)784 118 7080



        _______________________________________________
        Freeipa-users mailing list
        Freeipa-users@redhat.com
        https://www.redhat.com/mailman/listinfo/freeipa-users




    --
    Johnathan Phan
    ox-consulting

    T: +44 (0)784 118 7080
    j...@ox-consulting.com

    www.ox-consulting.com





--
Johnathan Phan
ox-consulting

T: +44 (0)784 118 7080
j...@ox-consulting.com

www.ox-consulting.com




