[Freeipa-users] IPA DS migration

2015-12-29 Thread Sean Conley - US
Hello,

I need to migrate the users from an existing IPA server to a new IPA server on 
an isolated network.  It appears that “ipa migrate-ds” works only when direct 
connection to source LDAP server is possible.  I have searched with no success 
for a method that would be more like an LDIF-based migration.  These servers 
are in different realms and so have different base DNs.  My hope is that I 
could create an LDIF file from a query against the source server, modify 
records to reflect the new base DN, copy result to destination server, and 
import it there.

Can anyone direct me to some good resources or other recommendations to 
accomplish this?

The source server in this case is CentOS 7 with FreeIPA v4.1.0.  The planned 
destination server is RHEL 7 with FreeIPA v4.2.0.

Thanks much in advance!

Sean
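An LDIF rewrite of the kind the post hopes for, as an added example that is not part of the original thread or of FreeIPA's own tooling: it unfolds an export, swaps the base-DN suffix on DN-valued attributes and the realm suffix on Kerberos principal names, and drops attributes the destination must regenerate. The sample LDIF, base DNs and realm names are constructed; which attributes to drop is an assumption noted in the code.

```python
import base64
# Constructed sample, not from the post: a user and a group under the old base DN;
# the group's member value is base64-encoded and line-folded, as exports often are.
_ALICE = "uid=alice,cn=users,cn=accounts,dc=old,dc=example,dc=org"
_B64 = base64.b64encode(_ALICE.encode()).decode()
SAMPLE_LDIF = f"""\
dn: {_ALICE}
krbPrincipalName: alice@OLD.EXAMPLE.ORG
krbPrincipalKey:: AAEAAQ==
memberOf: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=org

dn: cn=admins,cn=groups,cn=accounts,dc=old,dc=example,dc=org
member:: {_B64[:40]}
 {_B64[40:]}
"""
DN_ATTRS = {"dn", "member", "memberof", "manager", "owner", "seealso"}
REALM_ATTRS = {"krbprincipalname", "krbcanonicalname"}
# Assumption: the destination regenerates ipaUniqueID; krbPrincipalKey is wrapped
# with the source KDC master key, so users set a new password after import.
DROP_ATTRS = {"krbprincipalkey", "ipauniqueid"}

def unfold(text):
    """Join LDIF continuation lines (leading space) into logical lines."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines
def _swap_suffix(value, old, new):  # case-insensitive suffix replace, else unchanged
    return value[:-len(old)] + new if value.lower().endswith(old.lower()) else value
def rewrite_ldif(text, old_base, new_base, old_realm, new_realm):
    """Return LDIF with base DN and Kerberos realm rewritten for the new server."""
    out = []
    for line in unfold(text):
        attr, sep, rest = line.partition(":")
        name = attr.lower()
        if not sep or line.startswith("#") or name not in DN_ATTRS | REALM_ATTRS:
            if name not in DROP_ATTRS:
                out.append(line)  # blank line, comment, binary or unrelated attribute
            continue
        # "attr:: <base64>" form is decoded before the suffix is rewritten
        value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
        old, new = (old_base, new_base) if name in DN_ATTRS else ("@" + old_realm, "@" + new_realm)
        value = _swap_suffix(value, old, new)
        # RFC 2849 allows the plain "attr: value" form only for SAFE-STRING values
        safe = value.isascii() and value[:1] not in (" ", ":", "<") and value == value.rstrip()
        out.append(f"{attr}: {value}" if safe else
                   f"{attr}:: {base64.b64encode(value.encode()).decode()}")
    return "\n".join(out) + "\n"
```

Before importing the result on the destination, grep it for the old suffix and realm; any remaining reference points at an attribute the rewrite does not cover.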

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] how to chain CA certs

2015-11-03 Thread Sean Conley - US
Not sure if I should start a new thread for this, but...

I am now trying to follow the instructions given in this thread:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html. I
think this configuration should work well with our deployment strategy.

I feel like I am following the steps exactly but always end up with "full
certificate chain is not present in /etc/ipa/pki/example.org.p12" during
ipa-server-install.  Have others followed this process more recently?  I
am wondering if there might have been any changes so that these steps no
longer work, or possibly there is an easier way to do this now.

I am running version: ipa-server-4.1.0-18.el7.centos.4.x86_64.


On 11/1/15, 10:40 PM, "Fraser Tweedale" <ftwee...@redhat.com> wrote:

>On Mon, Nov 02, 2015 at 01:29:48AM +, Sean Conley - US wrote:
>> Hello,
>> 
>> I am new to FreeIPA and am attempting to stand up my first
>> operational instance.  We do have a commercial wildcard
>> certificate (*.internal.example.org) that should cover the IPA
>> server itself (ipa.internal.example.org).  I used the -external-CA
>> option when running the setup and so a CSR was generated.  Since
>> we have a wildcard cert, I wasn't sure if I really need to submit
>> the CSR to our PKI vendor.  At the same time, it's not clear to me
>> through searching documents how I would extend the CA chain.  Do I
>> need to submit that CSR or is there a way for me to do this on my
>> own?
>> 
>Welcome to FreeIPA :)
>
>If you have a relationship with a Certificate Authority willing to
>sign an intermediate CA certificate for you, then you can use the
>--external-ca option, submit the generate CSR to your CA and once
>you receive your signed CA certificate, continue ipa-server-install.
>
>For a publicly-trusted intermediate CA cert, you are probably
>looking at $10,000s or $100,000s in fees, infrastructure and
>compliance costs to achieve this.  Public CAs much prefer to keep
>you coming back to them for publicly trusted certificates :)
>
>If you already have some internal CA for your organisation, you can
>use it to sign the CSR.
>
>Otherwise, you can install FreeIPA with its own root CA (this is the
>default).
>
>HTH,
>Fraser
>
>> Any assistance is much appreciated.
>> 
>> Sean
>> 

[Freeipa-users] using wildcard cert from external CA

2015-11-03 Thread Sean Conley - US
Sorry for the redundancy but I thought it would be better to start a new thread 
since I am really asking a different question at this point.

We are trying to stand up an IPA instance using real certs (wildcard) for our 
domain, so that external users get a valid cert when coming to the https UI.  
I am trying to follow the steps given in this thread: 
https://www.redhat.com/archives/freeipa-users/2014-August/msg00338.html.  It 
seems no matter what I do, I end up with: "full certificate chain is not 
present in /etc/ipa/pki/example.org.p12".  Has this process been documented 
more completely anywhere?  Is this still a valid process?

I know that there is now an -external-ca option to ipa-server-install, but I 
have questions about the CSR process from my CA and they are not being very 
responsive.  I have also been told that this option would require a reseller 
arrangement potentially costing a lot of money...  we don't want to be in the 
CA business...  we just want our external users to be able to securely access 
IPA.

Thanks again in advance for any assistance.

Sean


[Freeipa-users] how to chain CA certs

2015-11-01 Thread Sean Conley - US
Hello,

I am new to FreeIPA and am attempting to stand up my first operational 
instance.  We do have a commercial wildcard certificate 
(*.internal.example.org) that should cover the IPA server itself 
(ipa.internal.example.org).  I used the -external-CA option when running the 
setup and so a CSR was generated.  Since we have a wildcard cert, I wasn't sure 
if I really need to submit the CSR to our PKI vendor.  At the same time, it's 
not clear to me through searching documents how I would extend the CA chain.  
Do I need to submit that CSR or is there a way for me to do this on my own?

Any assistance is much appreciated.

Sean
