However, once I thought - could I just migrate without disturbing users too much? So I tried it out, installing a brand new set of virtual machines with CentOS 7 and the latest FreeIPA 4.5.4. Migration worked more or less flawlessly, following the FreeIPA migration Howto at https://www.freeipa.org/page/Howto/Migration#Migrating_from_other_FreeIPA_to_FreeIPA
I did it like this:
ipa config-mod --enable-migration=TRUE
ipa migrate-ds --with-compat --user-container="cn=users,cn=accounts,dc=MYIPA,dc=MY" --group-container="cn=groups,cn=accounts,dc=MYIPA,dc=MY" ldap://ipa0.MYIPA.MY:389
ipa migrate-ds --bind-dn="cn=Directory Manager" --user-container=cn=users,cn=accounts --group-container=cn=groups,cn=accounts --group-objectclass=posixgroup --user-ignore-attribute={krbPrincipalName,krbextradata,krblastfailedauth,krblastpwdchange,krblastsuccessfulauth,krbloginfailedcount,krbpasswordexpiration,krbticketflags,krbpwdpolicyreference,mepManagedEntry} --user-ignore-objectclass=mepOriginEntry --with-compat ldap://ipa0.MYIPA.MY
Kerberos information from the old IPA 3 was discarded, because it was not possible to save the old CA certs...
Because I decided to install the new IPA master using its own CA, the IPA management web page presented untrusted/unknown certificates to all users. And it is really not nice to tell your users to visit a suspicious-looking web page to update/migrate their Kerberos passwords. There is a known solution for that: configuring the web server and the directory server to use trusted third-party certificates. There is even a Howto for that, namely https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
Most probably everything works well when the server certificate depends only on a single CA certificate, but it is not that straightforward when the server certificate is obtained from a company that uses intermediate certificates, like e.g. DigiCert.
So I ordered a DigiCert certificate for the IPA master server (call it master.ipa.NEWIPA.MY here) and tried to install it into the mod_nss database. I don't remember how many times I tried and failed (Googled a lot, found a few questions about the topic but not a single solution), but finally I figured out how to do it. The following is how I did it.
- Download all three certs - DigiCert Assured ID Root CA, TERENA SSL CA 3 and master.ipa.NEWIPA.MY - from the DigiCert portal, all three in .PEM format. Running ipa-certupdate is definitely needed after adding each cert in the entire chain:
ipa-cacert-manage -n DigiCert-Assured-ID-Root-CA -t C,, install DigiCert_Assured_ID_Root_CA.pem
ipa-certupdate
ipa-cacert-manage -n TERENA_SSL_CA_3 -t C,, install TERENA_SSL_CA_3.pem
ipa-certupdate
- Check that all the required certs are installed in addition to the IPA CA:
[root@master dir]# certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.TO.EE IPA CA                                             CT,C,C
CN=master.ipa.newipa.my,O=My Company,L=Mylocation,C=MY       u,u,u
DigiCert-Assured-ID-Root-CA                                  C,,
TERENA_SSL_CA_3                                              C,,
- After that, install the trusted DigiCert server cert for the FreeIPA master:
[root@master dir]# ipa-server-certinstall -w -d master_ipa_NEWIPA_MY.key master.ipa.NEWIPA.MY.pem
Directory Manager password:
Enter private key unlock password:
Please restart ipa services after installing certificate (ipactl restart)
The ipa-server-certinstall command was successful
- And now just restart either all IPA services or just httpd and dirsrv:
[root@master dir]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
ipa: INFO: The ipactl command was successful
After that, when users go to http://master.ipa.NEWIPA.MY/ipa/migration, they see a fully correct login page, with trusted certs etc.
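The procedure above boils down to one rule: every CA certificate in the chain, root first and then each intermediate, has to be loaded with ipa-cacert-manage and followed by ipa-certupdate before the server certificate is installed, otherwise the server cert cannot be validated against the NSS database. The script below is an added example, not code from the post or from the FreeIPA project: it splits a vendor PEM bundle into individual certificates (DigiCert and similar vendors often hand out the chain as one file), checks the chain with openssl before touching the server, and runs the install sequence in the right order. The file names, nicknames, the IPA_DRY_RUN variable and the helper names are assumptions made for this example; the ipa-cacert-manage, ipa-certupdate, ipa-server-certinstall, ipactl and openssl invocations are the ones the post and those tools use.

```shell
#!/bin/sh
# Added example, not from the original post: split a vendor PEM bundle,
# verify the chain with openssl, and install the CA chain root-first with
# ipa-certupdate after every certificate before installing the server cert.
# File names, nicknames and IPA_DRY_RUN are assumptions for this example.

# Split a concatenated PEM bundle into one file per certificate, written as
# $2/cert-1.pem, cert-2.pem, ... in bundle order. Prints the number written.
# Text between certificates (blank lines, openssl "subject=" lines) is skipped.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Check that the server certificate chains to the root through the
# intermediate before anything is loaded into the NSS database.
# Usage: verify_chain root.pem intermediate.pem server.pem
verify_chain() {
    root="$1"; intermediate="$2"; server="$3"
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$server"
}

# Run a command, or only print it when IPA_DRY_RUN=1, so the whole
# sequence can be reviewed before it touches the live master.
run() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Install CA certificates in chain order (root first, then each intermediate),
# running ipa-certupdate after every one as the post requires, then install
# the server certificate with its key and restart the services.
# Usage: install_chain server.key server.pem RootNick=root.pem InterNick=inter.pem
install_chain() {
    key="$1"; servercert="$2"; shift 2
    for pair in "$@"; do
        nick="${pair%%=*}"; file="${pair#*=}"
        run ipa-cacert-manage -n "$nick" -t C,, install "$file" || return 1
        run ipa-certupdate || return 1
    done
    run ipa-server-certinstall -w -d "$key" "$servercert" || return 1
    run ipactl restart
}

# Demo on a constructed (not real) two-certificate bundle; commands are
# printed rather than executed because IPA_DRY_RUN=1 is set.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE' '-----END CERTIFICATE-----' \
        > "$tmp/bundle.pem"
    echo "certificates in bundle: $(split_pem_bundle "$tmp/bundle.pem" "$tmp/chain")"
    IPA_DRY_RUN=1 install_chain master.key master.pem \
        DigiCert-Assured-ID-Root-CA="$tmp/chain/cert-1.pem" \
        TERENA_SSL_CA_3="$tmp/chain/cert-2.pem"
fi
```

Run it with --demo to see the exact command sequence printed for a constructed bundle; on a real master, run verify_chain on the split files first and only then call install_chain without IPA_DRY_RUN. The split keeps bundle order, so pass cert-1 as the root and cert-2 as the intermediate only if the vendor bundle is ordered that way; certutil -L (as in the post) confirms what ended up in /etc/httpd/alias.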