Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-02-01 Thread Peter Doherty


On Jan 20, 2011, at 17:32, Rob Crittenden wrote:


> Yes, that was going to be my next question. While throwing any old self-signed cert in there might get the server up, other things won't work, notably replication.


> Ok, here are some steps I worked out that I think will get you back in business. I'm going to try to renew your 389-ds certificate using IPA.


> First we need to get 389-ds back up and running.

> I'm going to use REALM in place of the instance name for your 389-ds install.


> 1. Make a backup of /etc/dirsrv/slapd-REALM/dse.ldif
> 2. Make a backup of your dirsrv NSS database (so /etc/dirsrv/slapd-REALM/*.db)
>
> 2. Edit dse.ldif and set nsslapd-security to off
> 3. Try starting dirsrv: service dirsrv start REALM
> 4. Get a kerberos ticket for admin: kinit admin
> 5. Generate a new CSR for your directory server:
> certutil -R -k 'NSS Certificate DB:Server-Cert' -s 'cn=nebio-directory.in.hwlab,O=IPA' -d /etc/dirsrv/slapd-REALM/ -f /etc/dirsrv/slapd-REALM/pwdfile.txt -a > renew.csr
>
> 6. Get a new certificate:
> ipa cert-request renew.csr --principal=ldap/nebio-directory.in.hwlab
> 7. Paste the value in the output for Certificate into a file. This is a base64-encoded blob of text probably starting with MII and ending with ==.
>
> 8. Add this new cert to your 389-ds database
> certutil -A -d /etc/dirsrv/slapd-REALM -n Server-Cert -t u,u,u -a < cert.txt
>
> 9. service dirsrv stop REALM
> 10. edit dse.ldif and set nsslapd-security to on
> 11. service dirsrv start REALM

> I ran the majority of these steps against my own IPA installation and nothing caught on fire. I hope you have equal success.



Rob, any more advice on this?

Step 5 fails, but it works if I remove the NSS Cert part or if I use IPA... something or other that I figured out.
But then step 6 fails, I get a No Modification Required result when I run the command, and nothing I did could get past that.


If I want to start from scratch with the new Beta release, how would I dump the entire LDAP/KRB database so that I could import it into a new server?
The Docs mention doing regular backups, but they don't even tell how to back up the data, whether to back up files (which ones?!) or to dump the data into a file and back that up.


Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Best,
Peter

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
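The dse.ldif edits and the certificate-file step of the procedure quoted above, written up as an added shell example that is not from the thread or from the FreeIPA project; the instance directory, the "Certificate:" line layout of the ipa cert-request output and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): POSIX sh helpers
# for the dse.ldif and certificate-file steps of the renewal procedure.
# Instance directory, file names and the sample `ipa cert-request` output are
# constructed assumptions; dirsrv must be stopped while dse.ldif is edited.

# Steps 1-2: copy dse.ldif and the NSS database files aside before editing.
backup_dirsrv() {
    inst_dir="$1"; stamp="$2"
    for f in "$inst_dir"/dse.ldif "$inst_dir"/*.db; do
        if [ -f "$f" ]; then cp -p "$f" "$f.bak-$stamp"; fi
    done
    return 0
}

# Steps 2 and 10: flip nsslapd-security in dse.ldif, refusing any value other
# than on/off and failing if the attribute is absent. The edit goes to a copy
# that is renamed over the original, so a failed sed never truncates dse.ldif.
set_nss_security() {
    ldif="$1"; value="$2"
    case "$value" in
        on|off) ;;
        *) echo "nsslapd-security must be on or off, got '$value'" >&2; return 1 ;;
    esac
    grep -q '^nsslapd-security: ' "$ldif" || { echo "no nsslapd-security in $ldif" >&2; return 1; }
    tmp="$ldif.tmp.$$"
    sed "s/^nsslapd-security: .*/nsslapd-security: $value/" "$ldif" > "$tmp" && mv "$tmp" "$ldif"
}

# Read the current value back so the change is verified before dirsrv restarts.
get_nss_security() {
    sed -n 's/^nsslapd-security: //p' "$1"
}

# Step 7: take the saved output of `ipa cert-request`, pull the base64 blob off
# its "Certificate:" line (assumed layout) and wrap it as PEM so that
# `certutil -A -a` can import it. Fails if no certificate line is present.
ipa_output_to_pem() {
    out="$1"; pem="$2"
    cert=$(sed -n 's/^[[:space:]]*Certificate: //p' "$out" | head -n 1)
    [ -n "$cert" ] || { echo "no Certificate: line in $out" >&2; return 1; }
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$cert" | fold -w 64
        echo '-----END CERTIFICATE-----'
    } > "$pem"
}
```

Run set_nss_security only with dirsrv stopped and check get_nss_security before starting it again; the backups let you fall back to the untouched instance if the restart fails.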


[Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Peter Doherty

I hope someone can help with this.
I've got a freeipa server running the 1.9 alpha release.
It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.

I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?


Thanks!

Peter



Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Dmitri Pal
On 02/01/2011 02:30 PM, Peter Doherty wrote:
> I hope someone can help with this.
> I've got a freeipa server running the 1.9 alpha release.
> It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.
>
> I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
> Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?

Is it OK to reset all passwords, or do you want to try to preserve those?

> Thanks!
>
> Peter




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Peter Doherty


On Feb 1, 2011, at 14:43, Dmitri Pal wrote:

> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>
>> I hope someone can help with this.
>> I've got a freeipa server running the 1.9 alpha release.
>> It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.
>>
>> I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
>> Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>
> Is it OK to reset all passwords, or do you want to try to preserve those?




I want to preserve them.

But at this point, I'd take just about anything.

I just discovered the migrate-ds tool. But I can't make it work.

Peter



Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Dmitri Pal
On 02/01/2011 02:51 PM, Peter Doherty wrote:

> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>
>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>> I hope someone can help with this.
>>> I've got a freeipa server running the 1.9 alpha release.
>>> It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.
>>>
>>> I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
>>> Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>
>> Is it OK to reset all passwords, or do you want to try to preserve those?
>
> I want to preserve them.
>
> But at this point, I'd take just about anything.
>
> I just discovered the migrate-ds tool. But I can't make it work.

http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA

Maybe the writeup will help. It is not final but at least this portion has been reviewed.

> Peter







Re: [Freeipa-users] IPA server certificate update and Directory Manager password

2011-02-01 Thread Simo Sorce
On Tue, 1 Feb 2011 12:38:50 -0500
Peter Doherty dohe...@hkl.hms.harvard.edu wrote:

> If I want to start from scratch with the new Beta release, how would I dump the entire LDAP/KRB database so that I could import it into a new server?
> The Docs mention doing regular backups, but they don't even tell how to back up the data, whether to back up files (which ones?!) or to dump the data into a file and back that up.

database dumps + filesystem backups

> Can I convert from the 1.9 alpha to a 2.0beta freeipa instance?

Not easy, and it depends on what you mean by convert.

A simple rpm update will give you issues because we still made minor changes to the DIT and schema between the 1.9 alpha and the beta.

If you have many keys in your kerberos database I can describe a procedure that *should* work to dump the keys and reload them in a new server where you manually/script migrate the users/host/services data by using the ipa user-add/host-add/service-add commands.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Rich Megginson

On 02/01/2011 12:51 PM, Peter Doherty wrote:

> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>
>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>> I hope someone can help with this.
>>> I've got a freeipa server running the 1.9 alpha release.
>>> It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.
>>>
>>> I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
>>> Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>
>> Is it OK to reset all passwords, or do you want to try to preserve those?
>
> I want to preserve them.
>
> But at this point, I'd take just about anything.
>
> I just discovered the migrate-ds tool. But I can't make it work.

That definitely won't work. migrate-ds is used to migrate very old 389-ds-base servers to the latest version. There is no tool to migrate/upgrade from an ipa alpha release to an ipa beta release.

> Peter



Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Dmitri Pal
On 02/01/2011 03:00 PM, Dmitri Pal wrote:
> On 02/01/2011 02:51 PM, Peter Doherty wrote:
>> On Feb 1, 2011, at 14:43, Dmitri Pal wrote:
>>
>>> On 02/01/2011 02:30 PM, Peter Doherty wrote:
>>>> I hope someone can help with this.
>>>> I've got a freeipa server running the 1.9 alpha release.
>>>> It's broken (the x509 cert expired and can't be renewed) and I want to just abandon it.
>>>>
>>>> I set up a new host and installed the 2.0 beta release (from the git archives, because the regular archive includes a broken version; it won't install).
>>>> Is there any way to get all the user data, passwords, groups, automount maps, etc. from the old freeipa server on to the new one?
>>>
>>> Is it OK to reset all passwords, or do you want to try to preserve those?
>>
>> I want to preserve them.
>>
>> But at this point, I'd take just about anything.
>>
>> I just discovered the migrate-ds tool. But I can't make it work.
>
> http://obriend.fedorapeople.org/freeIPA2.0/Identity_and_Policy_Management_Guide/html-single/#chap-Enterprise_Identity_Management_Guide-Migrating_from_a_Directory_Server_to_IPA
>
> Maybe the writeup will help. It is not final but at least this portion has been reviewed.

Also it is worth mentioning that we are planning to come up with Beta 2 later this week, so maybe it makes sense to wait a couple of days and move to the latest bits.

> Peter







Re: [Freeipa-users] export entire ldap/kerberos/etc onto a new host

2011-02-01 Thread Peter Doherty

On Feb 1, 2011, at 15:04, Dmitri Pal wrote:

> Also it is worth mentioning that we are planning to come up with Beta 2 later this week, so maybe it makes sense to wait a couple of days and move to the latest bits.

Can I upgrade from Beta-1 to Beta-2, or are they incompatible?

Peter
