Re: [Freeipa-users] missing objects during migration steps
Hi Rob and Simo,

Is there a way to make the schema readable so the error does not show up? Or is that pointless? What is migrate-ds looking for specifically? Can I manually create it for now?

Regards
John

On Wed, Jan 23, 2013 at 4:42 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Simo Sorce wrote:
>> On Wed, 2013-01-23 at 10:41 -0500, Rob Crittenden wrote:
>>> Johnathan Phan wrote:
>>>> Hi Rob,
>>>>
>>>> Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.
>>>>
>>>> @(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
>>>> mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
>>>>
>>>> ps. I have opened a ticket for this. https://fedorahosted.org/freeipa/ticket/3372
>>>>
>>>> Can I assume you have a way to turn this check off? As in IRC there does not seem to be one. Or are you saying I can allow the schema value to be checked if I create one or make it readable somehow?
>>>
>>> There is no way to turn this check off, we always try to retrieve cn=schema.
>>
>> I'd have sworn that openldap already did online schema this way. Please open a bug, we should not depend on the remote schema being readable.
>>
>> Simo.
>
> He already opened a ticket.
>
> rob

-- 
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com
www.ox-consulting.com

OX CONSULTING Ltd is registered in England and Wales, number: 07113039, registered address as above. The information contained in this email message may be privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution or copying of this transmission is strictly prohibited. If you have received this communication in error, or if any problems occur with transmission, please notify the sender immediately.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
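The thread above turns on what migrate-ds reads from the remote server: Rob says it always tries to retrieve cn=schema, and the error John sees is "No such object" for that query. The preflight check below is an added example, not part of the thread and not FreeIPA's own code. It goes one step beyond the thread's specific case: instead of assuming cn=schema it asks the remote rootDSE where the schema lives (the subschemaSubentry attribute from RFC 4512, which is cn=Subschema on OpenLDAP and cn=schema on 389-DS), then reads that entry with the same bind DN the migration will use, so an ACL that hides the schema shows up before the migration is started. The server URI, bind DN, password file path and the two LDIF samples are constructed placeholders; the live check needs ldapsearch from openldap-clients.

```sh
#!/bin/sh
# Preflight for "ipa migrate-ds": confirm the remote LDAP server's schema
# entry is readable with the bind DN the migration will use.
# Added example, not FreeIPA's own code. URI, bind DN, password file and
# the two LDIF samples are constructed placeholders.

REMOTE_URI="${REMOTE_URI:-ldaps://ldap1.example.com:636}"   # placeholder
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=com}"             # placeholder
PASS_FILE="${PASS_FILE:-/root/ldap-bind.pw}"                 # placeholder, keep mode 0600

# Constructed rootDSE answer as ldapsearch prints it for an OpenLDAP server.
# 389-DS (what IPA itself runs on) answers "cn=schema" here, the DN the
# thread says migrate-ds asks for.
SAMPLE_ROOTDSE=$(cat <<'EOF'
# extended LDIF
dn:
subschemaSubentry: cn=Subschema

# numEntries: 1
EOF
)

# Constructed excerpt of a readable subschema entry; a real one carries
# hundreds of attributeTypes/objectClasses lines.
SAMPLE_SCHEMA=$(cat <<'EOF'
dn: cn=Subschema
objectClass: top
objectClass: subentry
objectClass: subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME 'uid' SUP name )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )

# numEntries: 1
EOF
)

# Print the subschemaSubentry DN found in LDIF on stdin (nothing if absent).
subschema_dn() {
    awk 'tolower($1) == "subschemasubentry:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Count schema definitions in LDIF on stdin. An unreadable entry yields 0:
# ldapsearch then reports "No such object" (the thread's error) or
# "Insufficient access" and returns no definitions at all.
schema_definition_count() {
    awk 'tolower($1) == "attributetypes:" || tolower($1) == "objectclasses:" { n++ }
         END { print n + 0 }'
}

# Exit 0 when the LDIF on stdin contains at least one schema definition.
schema_is_readable() {
    [ "$(schema_definition_count)" -gt 0 ]
}

# Live check (not exercised offline): ask the rootDSE where the schema lives,
# then read it with the migration's bind DN and password file.
check_remote_schema() {
    dn=$(ldapsearch -x -H "$REMOTE_URI" -D "$BIND_DN" -y "$PASS_FILE" \
            -s base -b "" subschemaSubentry | subschema_dn)
    if [ -z "$dn" ]; then
        echo "rootDSE does not advertise subschemaSubentry" >&2
        return 1
    fi
    if ldapsearch -x -H "$REMOTE_URI" -D "$BIND_DN" -y "$PASS_FILE" \
            -s base -b "$dn" '(objectClass=subschema)' attributeTypes objectClasses \
         | schema_is_readable; then
        echo "schema at '$dn' is readable by $BIND_DN"
    else
        echo "schema at '$dn' is NOT readable by $BIND_DN; check the server's ACL" >&2
        return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_remote_schema
fi
```

Run it as `sh preflight.sh --live` with the three variables exported. The parsing is split into small functions on purpose: the same awk filters can be pointed at saved ldapsearch output from the migration host when the live server cannot be reached from where the troubleshooting is done.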
Re: [Freeipa-users] openldap to ipa
For the record's sake: this issue was resolved. I resolved it by following the guidance provided in the following bug report.

https://fedorahosted.org/freeipa/ticket/3364

On Tue, Jan 15, 2013 at 9:35 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
> Hi Rcrit,
>
> As outlined in the IRC channel, please find the ldap.conf from the openldap server below.
>
> URI ldap://ldap.example.com ldap://ldap1.example.com
> BASE dc=example,dc=com
> TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt
>
> I then copy the file /etc/pki/tls/certs/ca-bundle.crt from the openldap server over to the test IPA server, and on the IPA server I run the following command.
>
> certutil -A -d /etc/httpd/alias -n 'openldap CA' -t CT,, -a -i ca-bundle.crt
>
> The openldap server is using a certificate signed by a CA. The IPA server is using the self-signed certificate it generated when starting up. I still get the error after adding the CA bundle for the openldap server to the apache cert db on the IPA server.
>
> After explaining all this, I feel that the problem lies with the self-signed cert on the IPA server. Can I confirm with someone the process in which the migration of data occurs? I gather it is something like this.
>
> 1. IPA binds/creates a connection to the remote server via SSL/TLS and creates a connection
> 2. It then binds to a socket locally
> 3. Then contacts the apache server for some reason (no idea why this is contacting apache on 443?)
>
> Regards
> John
>
> On Mon, Jan 14, 2013 at 6:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Johnathan Phan wrote:
>>> Anyone know the details of the low level system steps for the migration script to work? So I can try and backwards engineer or troubleshoot each system as I go along, so I can actually migrate the data from openldap to ipa?
>>
>> The migration is taking place in the context of the web server. So any trust needs to be added to /etc/httpd/alias (and the httpd service restarted). It needs to trust the signer of the remote LDAP server.
>>
>> What I don't know is how you add trust in NSS for a self-signed server certificate. You might be best off issuing new SSL certs for your openldap server which uses a CA to issue the server cert in order to perform the migration.
>>
>> rob
>>
>>> Regards
>>> John
>>>
>>> On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
>>>> Hi Aquino,
>>>>
>>>> Thanks for the input, however there is a CRT in there already and it was set to allow on both the IPA server and the target openldap server. The core of the issue seems to be that IPA does not accept the cert either locally or remotely as it does not trust it. Anyone know how I can troubleshoot this? I have reviewed the dirsrv logs for ldap and I can't spot anything.
>>>>
>>>> Regards
>>>> John
>>>>
>>>> On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>>>> Try editing /etc/openldap/ldap.conf:
>>>>>
>>>>> TLS_CACERT /etc/ipa/ca.crt
>>>>> TLS_REQCERT allow
>>>>>
>>>>> See if that helps
>>>>>
>>>>> Keeping your head in the cloud
>>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>> Jr Aquino | Sr. Information Security Specialist
>>>>> GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
>>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>>> T: +1 805.690.3478
>>>>> C: +1 805.717.0365
>>>>> jr.aqu...@citrix.com
>>>>> jr.aqu...@citrixonline.com
>>>>> http://www.citrixonline.com/
>>>>>
>>>>> On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
>>>>>> Hi There,
>>>>>>
>>>>>> This is driving me up the wall. I have two servers. One is a live openldap/kerberos AAA server running on RHEL6. The LDAP service has SSL/TLS support. The second server is a test environment running on fedora and has IPA 3.1 installed.
>>>>>>
>>>>>> As a last step of my POC I need to migrate the users and passwords from the LDAP server to the IPA server. I ran this command perfectly fine.
>>>>>>
>>>>>> ipa config-mod --enable-migration=TRUE
>>>>>>
>>>>>> However the next step was where my issues began. In the end, after a lot of IRC communication and troubleshooting, I now run the following command.
>>>>>>
>>>>>> ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=users,ou=live,dc=example,dc=com
[Freeipa-users] missing objects during migration steps
Hi everyone,

OK, past the authentication issues now. It's now complaining about objects not being there.

ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:

However, when I run the following commands on the new IPA server:

ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

or

ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W

I get output. Ldap shows the users and groups in the old system. It just dumps out the whole content of the OU.

I have tried to run the following two commands and I still get the same error:

ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636

or

ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636

What is IPA complaining about specifically? I know objects are in these OUs. Is it expecting something different?

Regards
John
Re: [Freeipa-users] missing objects during migration steps
Hi Rob,

Please find the output from /usr/sbin/slapd -VV that shows the current openldap version that's running on the ldap server.

@(#) $OpenLDAP: slapd 2.4.23 (Jul 31 2012 10:47:00) $
mockbu...@x86-001.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd

ps. I have opened a ticket for this. https://fedorahosted.org/freeipa/ticket/3372

Can I assume you have a way to turn this check off? As in IRC there does not seem to be one. Or are you saying I can allow the schema value to be checked if I create one or make it readable somehow?

On Wed, Jan 23, 2013 at 2:00 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Johnathan Phan wrote:
>> Hi everyone,
>>
>> OK, past the authentication issues now. It's now complaining about objects not being there.
>>
>> ipa: ERROR: uri=ldaps://ldap1.example.com:636: Unable to retrieve LDAP schema: No such object:
>>
>> However, when I run the following commands on the new IPA server:
>>
>> ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=groups,ou=live,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>>
>> or
>>
>> ldapsearch -x -H ldaps://ldap.example.com:636 -b ou=ib,dc=example,dc=com -D cn=admin,dc=example,dc=com -W
>>
>> I get output. Ldap shows the users and groups in the old system. It just dumps out the whole content of the OU.
>>
>> I have tried to run the following two commands and I still get the same error:
>>
>> ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com ldaps://ldap1.example.com:636
>>
>> or
>>
>> ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=ib,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.example.com:636
>>
>> What is IPA complaining about specifically? I know objects are in these OUs. Is it expecting something different?
>
> It is failing trying to query cn=schema. We fetch the schema from the remote server to know what types of data we're dealing with.
>
> What version of openldap is this?
>
> rob

-- 
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com
www.ox-consulting.com
Re: [Freeipa-users] openldap to ipa
Hi Rcrit,

As outlined in the IRC channel, please find the ldap.conf from the openldap server below.

URI ldap://ldap.example.com ldap://ldap1.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/pki/tls/certs/ca-bundle.crt

I then copy the file /etc/pki/tls/certs/ca-bundle.crt from the openldap server over to the test IPA server, and on the IPA server I run the following command.

certutil -A -d /etc/httpd/alias -n 'openldap CA' -t CT,, -a -i ca-bundle.crt

The openldap server is using a certificate signed by a CA. The IPA server is using the self-signed certificate it generated when starting up. I still get the error after adding the CA bundle for the openldap server to the apache cert db on the IPA server.

After explaining all this, I feel that the problem lies with the self-signed cert on the IPA server. Can I confirm with someone the process in which the migration of data occurs? I gather it is something like this.

1. IPA binds/creates a connection to the remote server via SSL/TLS and creates a connection
2. It then binds to a socket locally
3. Then contacts the apache server for some reason (no idea why this is contacting apache on 443?)

Regards
John

On Mon, Jan 14, 2013 at 6:09 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Johnathan Phan wrote:
>> Anyone know the details of the low level system steps for the migration script to work? So I can try and backwards engineer or troubleshoot each system as I go along, so I can actually migrate the data from openldap to ipa?
>
> The migration is taking place in the context of the web server. So any trust needs to be added to /etc/httpd/alias (and the httpd service restarted). It needs to trust the signer of the remote LDAP server.
>
> What I don't know is how you add trust in NSS for a self-signed server certificate. You might be best off issuing new SSL certs for your openldap server which uses a CA to issue the server cert in order to perform the migration.
>
> rob
>
>> Regards
>> John
>>
>> On Mon, Jan 14, 2013 at 9:19 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
>>> Hi Aquino,
>>>
>>> Thanks for the input, however there is a CRT in there already and it was set to allow on both the IPA server and the target openldap server. The core of the issue seems to be that IPA does not accept the cert either locally or remotely as it does not trust it. Anyone know how I can troubleshoot this? I have reviewed the dirsrv logs for ldap and I can't spot anything.
>>>
>>> Regards
>>> John
>>>
>>> On Fri, Jan 11, 2013 at 5:55 PM, JR Aquino <jr.aqu...@citrix.com> wrote:
>>>> Try editing /etc/openldap/ldap.conf:
>>>>
>>>> TLS_CACERT /etc/ipa/ca.crt
>>>> TLS_REQCERT allow
>>>>
>>>> See if that helps
>>>>
>>>> Keeping your head in the cloud
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>> Jr Aquino | Sr. Information Security Specialist
>>>> GIAC Exploit Researcher and Advanced Penetration Tester | GIAC Certified Incident Handler | GIAC WebApp Penetration Tester
>>>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>>>> T: +1 805.690.3478
>>>> C: +1 805.717.0365
>>>> jr.aqu...@citrix.com
>>>> jr.aqu...@citrixonline.com
>>>> http://www.citrixonline.com/
>>>>
>>>> On Jan 11, 2013, at 8:05 AM, Johnathan Phan <j...@ox-consulting.com> wrote:
>>>>> Hi There,
>>>>>
>>>>> This is driving me up the wall. I have two servers. One is a live openldap/kerberos AAA server running on RHEL6. The LDAP service has SSL/TLS support. The second server is a test environment running on fedora and has IPA 3.1 installed.
>>>>>
>>>>> As a last step of my POC I need to migrate the users and passwords from the LDAP server to the IPA server. I ran this command perfectly fine.
>>>>>
>>>>> ipa config-mod --enable-migration=TRUE
>>>>>
>>>>> However the next step was where my issues began. In the end, after a lot of IRC communication and troubleshooting, I now run the following command.
>>>>>
>>>>> ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=users,ou=live,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.live.example.com
>>>>>
>>>>> I get the following error.
>>>>>
>>>>> ipa: DEBUG: Caught fault 4203 from
[Freeipa-users] openldap to ipa
Hi There,

This is driving me up the wall. I have two servers. One is a live openldap/kerberos AAA server running on RHEL6. The LDAP service has SSL/TLS support. The second server is a test environment running on fedora and has IPA 3.1 installed.

As a last step of my POC I need to migrate the users and passwords from the LDAP server to the IPA server. I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began. In the end, after a lot of IRC communication and troubleshooting, I now run the following command.

ipa migrate-ds --bind-dn=cn=admin,dc=example,dc=com --user-container=ou=users,ou=live,dc=example,dc=com --group-container=ou=groups,ou=live,dc=example,dc=com ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the openldap, or the other way around. Does anyone know how to get around this? Or allow me to finish the migration of user data.

Regards
John

-- 
Johnathan Phan
T: +44 (0)784 118 7080
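Rob's answer in this thread is that the migration runs inside the web server, so the signer of the remote LDAP server's certificate has to be trusted in /etc/httpd/alias and httpd restarted; the "TLS error -8179: Peer's Certificate issuer is not recognized" above is what a missing trust anchor looks like from the NSS side. The script below is an added example, not from the thread and not FreeIPA's own code, of importing a CA bundle into that NSS database the way John's certutil line does, with one difference: certutil -A imports a single certificate per invocation, so a bundle that carries several CAs (a root plus an intermediate, or a whole distribution bundle such as ca-bundle.crt) is split into individual PEM files first and each one is added under its own nickname. The NSS database path comes from the thread; the bundle path, the nickname prefix and the two fake certificates in SAMPLE_BUNDLE are constructed placeholders, and the import itself needs certutil from nss-tools and root.

```sh
#!/bin/sh
# Trust the remote LDAP server's issuing CA(s) in the httpd NSS database
# that ipa migrate-ds runs under. Added example, not FreeIPA's own code;
# nickname prefix and the sample bundle are constructed placeholders.

NSSDB="${NSSDB:-/etc/httpd/alias}"         # trust store the IPA web server uses (from the thread)
NICK_PREFIX="${NICK_PREFIX:-openldap CA}"  # placeholder nickname prefix

# Constructed two-certificate bundle. The bodies are NOT real certificates;
# they only exercise the splitting logic offline.
SAMPLE_BUNDLE=$(cat <<'EOF'
# Constructed root CA (placeholder)
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCAplaceholderAAAA
-----END CERTIFICATE-----
# Constructed intermediate CA (placeholder)
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCAplaceholderBBBB
-----END CERTIFICATE-----
EOF
)

# Number of PEM certificates in file $1 (0 if none).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write each certificate of bundle $1 to $2/cert-N.pem and print how many.
# Comment lines between the PEM blocks are dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Import every certificate of bundle $1 as a trusted CA. "-t CT,,": trusted
# to issue server (C) and client (T) certificates. Not run offline.
import_bundle_into_nss() {
    bundle=$1
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        nick="$NICK_PREFIX $i"
        # skip nicknames already present so re-running stays idempotent
        if ! certutil -L -d "$NSSDB" -n "$nick" >/dev/null 2>&1; then
            certutil -A -d "$NSSDB" -n "$nick" -t "CT,," -a -i "$tmp/cert-$i.pem"
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    # httpd reads the database at start-up only (Rob's point in the thread)
    systemctl restart httpd
    # the new nicknames should now be listed with CT,, trust flags
    certutil -L -d "$NSSDB"
}

if [ "${1:-}" = "--import" ] && [ -n "${2:-}" ]; then
    import_bundle_into_nss "$2"
fi
```

Run it as `sh trust-ldap-ca.sh --import /path/to/ca-bundle.crt` on the IPA server. Importing only the CA that actually signed the LDAP server's certificate (rather than a full distribution bundle) keeps the web server's trust store small, which is the easier state to audit with `certutil -L -d /etc/httpd/alias` afterwards.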
[Freeipa-users] cross domain trust between two IPA servers
Hi everyone,

Is it possible to create a cross domain trust between two IPA servers? I would have thought FreeIPA would have dealt with this use case first rather than jump directly into integrating with AD. The reason for this is because you're more likely to have satellite sites of Redhat servers you want to manage. An example of this is shown below.

You require user details to be separated for two separate organizations that merge together. In the interim period, or permanently, you may want members' data to be stored in the two separate Realms, for either legal reasons or for company structure reasons (Management). As you do this quite frequently with Microsoft AD environments when corporations merge or buy one another out. Or a parent company buys a smaller company but wants to hook the two systems together without merging them completely, to keep the companies' identity and major operations separate.

Is there any way to do this with two IPA servers?

-- 
Johnathan Phan
ox-consulting
T: +44 (0)784 118 7080
j...@ox-consulting.com