A user reported difficulties in migrating from an SSL-secured server and it took a bit of time to work out the details.
I found a way that works; we should probably put this into the migration docs.
IPA uses the openldap client libraries to connect to the remote LDAP server. It does this within the context of Apache on the IPA server.
You need to provide a location of the CA certificate(s) to the openldap library. There are several options, all of which involve editing /etc/openldap/ldap.conf:
In all cases the httpd service needs to be restarted after making the change.
I assume after you did one of the following you run ipa migrate-ds? Do you need to restore the configuration file after? Clean the certs from NSS DB?
Good point. Yeah, you'll want to reverse whatever changes you made to ldap.conf after the migration. Mostly just because it isn't really needed any more, and depending on what you change you could cause future weird problems (like not trusting the IPA CA).
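The temporary-trust cycle discussed above (back up ldap.conf, point the openldap client at the old server's CA, restart httpd, migrate, then put the original file back), as an added example that is not from the ticket or the FreeIPA project. It assumes the standard TLS_CACERT directive of /etc/openldap/ldap.conf; the old server URL and CA bundle path are placeholders.

```shell
#!/bin/sh
# Added example: temporarily trust the old LDAP server's CA in
# /etc/openldap/ldap.conf only for the duration of `ipa migrate-ds`,
# then restore the original file so the extra trust does not linger.
# Assumption: TLS_CACERT is the ldap.conf directive used.
set -eu

LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# Save a backup of ldap.conf, append a TLS_CACERT line for the old
# server's CA bundle, and print the backup path for later restore.
add_ca_to_ldap_conf() {
    conf="$1"; ca_bundle="$2"
    [ -r "$ca_bundle" ] || { echo "CA bundle $ca_bundle not readable" >&2; return 1; }
    backup="$conf.pre-migrate"
    cp -p "$conf" "$backup"
    printf '\n# temporary, for ipa migrate-ds\nTLS_CACERT %s\n' "$ca_bundle" >> "$conf"
    echo "$backup"
}

# Put the pre-migration ldap.conf back in place from the backup.
restore_ldap_conf() {
    conf="$1"; backup="$2"
    [ -f "$backup" ] || { echo "no backup at $backup" >&2; return 1; }
    mv -f "$backup" "$conf"
}

# Number of TLS_CACERT directives currently in a ldap.conf
# (useful to confirm the change was applied and later reverted).
count_tls_cacert() {
    grep -c '^TLS_CACERT[[:space:]]' "$1" || true
}

# Full cycle; runs only when MIGRATE_RUN=1 because it restarts httpd
# and contacts the old server. The trap restores ldap.conf and
# restarts httpd again even if the migration fails part-way.
if [ "${MIGRATE_RUN:-0}" = "1" ]; then
    backup=$(add_ca_to_ldap_conf "$LDAP_CONF" "${OLD_CA:-/root/old-ldap-ca.pem}")
    trap 'restore_ldap_conf "$LDAP_CONF" "$backup"; systemctl restart httpd' EXIT
    systemctl restart httpd
    ipa migrate-ds "${OLD_LDAP_URL:-ldaps://old-ldap.example.com}"
fi
```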
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=901673
Rename component.
FreeIPA project no longer actively maintains an upstream guide (see details). This ticket is already cloned to the RHEL downstream guide, so the issue should be fixed at least there. Closing the upstream ticket.
Metadata Update from @rcritten: - Issue assigned to elladeon - Issue set to the milestone: FreeIPA 3.x Documentation