On 2/5/2014, 1:35 AM, Rob Crittenden wrote:
> Will Sheldon wrote:  
> >  
> > Hello IPA users :)  
> >  
> > We have implemented IPA using the packaged version in centos 6.5 (which  
> > is 3.0.0-37.el6), but have been playing with the more recent version in  
> > Fedora 19 (3.3.3-2.fc19) and are quite keen to take advantage of the  
> > shiny new features, so are thinking about migrating.  
> >  
> > Has anyone done this? Is there an easy way to migrate/upgrade?  
> > What would happen if I tried to setup a FC19 replica, would it get angry  
> > and break?  
> >  
> > We only have users in production so far, (no production clients or  
> > issued certs) so maybe the user migration script mentioned in previous  
> > posts would be the best bet?  
> >  
> > Any pointers would be hugely appreciated..  
> This is exactly the way to migrate between versions. You'll want to set up a 
> CA on the F19 server for sure, and DNS if you're using that. The idea is that 
> you set up the new master, spend some time (days, weeks not months) verifying 
> that things are working ok, then remove the old server and things should 
> continue to just work. We also recommend having at least two masters with CAs 
> for redundancy and avoiding a single point of failure.  
> We have discovered a bug in the way clients are enrolled though. We store the 
> name of the master you enroll against. Normally this isn't a big deal, 
> especially if you use SRV records. The problem is that some tools use the 
> master from this file to connect to and not SRV records, so you may want to 
> run around to your clients and change this in /etc/ipa/default.conf once the 
> migration is complete.  
> rob  
Yay! That’s easier than I thought it would be, thanks Rob.  

Would this work as a solution?

1) Leave current centos server (ipa.domain.com) in 
2) Configure new FC19 ipa server as a replica (newipa.domain.com) using the server install script
3) Check that newipa.domain.com is functioning as 
4) Remove centos server from production (not checked, but I assume there is a 
documented process for this)
5) Install new FC19 replica using same IP and DNS name as the old centos server 
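
Rob's point about clients that keep the enrollment master in /etc/ipa/default.conf, as an added example that is not part of the thread: the functions below list and rewrite the lines of a client file that name the old master, matching whole host names only so that newipa.domain.com is never rewritten a second time. The sample file is constructed, and its `server` and `xmlrpc_uri` lines are an assumption about where the client stores the master.

```shell
#!/bin/sh
# Added example, not from the thread. Host names are the thread's placeholders.
# awk helper: replace OLD with NEW only where OLD stands as a whole host name,
# so "ipa.domain.com" inside "newipa.domain.com" is left untouched.
AWK_REPOINT='
function repoint(s, old, new,   out, i, pre, post) {
    out = ""
    while ((i = index(s, old)) > 0) {
        pre  = (i == 1) ? "" : substr(s, i - 1, 1)
        post = substr(s, i + length(old), 1)
        if (pre ~ /[A-Za-z0-9.-]/ || post ~ /[A-Za-z0-9.-]/)
            out = out substr(s, 1, i + length(old) - 1)   # longer name: keep
        else
            out = out substr(s, 1, i - 1) new             # whole host: swap
        s = substr(s, i + length(old))
    }
    return out s
}'

# pinned_lines FILE OLD: print non-comment lines that still name OLD
pinned_lines() {
    awk -v old="$2" "$AWK_REPOINT"'
        !/^[ \t]*[#;]/ && repoint($0, old, "") != $0 { print }' "$1"
}

# repoint_conf FILE OLD NEW: print FILE with OLD replaced by NEW
repoint_conf() {
    awk -v old="$2" -v new="$3" "$AWK_REPOINT"'
        /^[ \t]*[#;]/ { print; next }
        { print repoint($0, old, new) }' "$1"
}

# write_sample FILE: constructed client config (assumed layout, not a real host)
write_sample() {
    cat > "$1" <<'EOF'
[global]
realm = DOMAIN.COM
domain = domain.com
server = ipa.domain.com
xmlrpc_uri = https://ipa.domain.com/ipa/xml
# server = ipa.domain.com
EOF
}

tmp=$(mktemp) && write_sample "$tmp"
pinned_lines "$tmp" ipa.domain.com                     # what is still pinned
repoint_conf "$tmp" ipa.domain.com newipa.domain.com   # proposed new content
rm -f "$tmp"
```

Review the rewritten output before copying it over `/etc/ipa/default.conf`, and keep the original file.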
