#3364 document how to migrate over SSL
Closed: Invalid. Opened 11 years ago by rcritten.

A user reported difficulties in migrating from an SSL-secured server and it took a bit of time to work out the details.

I found a way that works, we should probably put this into the migration docs.

IPA uses the openldap client libraries to connect to the remote LDAP server. It does this within the context of Apache on the IPA server.

You need to provide a location of the CA certificate(s) to the openldap library. There are several options, all of which involve editing /etc/openldap/ldap.conf:

  1. Comment out TLS_CACERT and add a new one pointing to the PEM file for the CA of the remote LDAP server
  2. Add the remote LDAP CA file to an NSS database and point to that database with TLS_CACERTDIR
  3. Add the remote LDAP CA file to a directory and point to that directory with TLS_CACERTDIR

In all cases the httpd service needs to be restarted after making the change.
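The procedure above, written out as a shell script. This is an added example, not code from the ticket, from FreeIPA or from the migration docs: it applies option 1 (comment out the existing TLS_CACERT line and add one naming the remote CA), checks the trust chain from the command line before touching Apache, restarts httpd, runs ipa migrate-ds, and then puts the original ldap.conf back. The CA PEM path, the remote LDAP URI and the bind DN are placeholders assumed for illustration, as is the use of systemctl.

```shell
#!/bin/sh
# Added example; not from the ticket or from FreeIPA. Automates the ldap.conf
# change described above so the openldap client library used by the IPA server
# (inside Apache) trusts the remote server's CA for the duration of the
# migration, and restores the original trust settings afterwards.
# Assumed placeholders (not from the ticket): the three values below.
LDAP_CONF=/etc/openldap/ldap.conf
REMOTE_CA=/root/remote-ldap-ca.pem            # assumed: CA of the old LDAP server
REMOTE_URI=ldaps://oldldap.example.com        # assumed: server being migrated from
BIND_DN='cn=Directory Manager'                # assumed: bind DN on the old server

# Rewrite ldap.conf: comment out each existing TLS_CACERT line (the trailing
# whitespace in the pattern keeps TLS_CACERTDIR untouched) and append one that
# names the remote CA. Reads $1, names the CA $2, writes $3, so it can be tried
# on a scratch copy before the real file is changed.
point_ldapconf_at_ca() {
    sed 's/^[[:space:]]*TLS_CACERT[[:space:]]/#&/' "$1" > "$3"
    printf '# temporary for ipa migrate-ds, revert afterwards\nTLS_CACERT %s\n' "$2" >> "$3"
}

# Print the TLS_CACERT value the openldap client will actually use in file $1
# (the last uncommented occurrence wins), or nothing if none is set.
active_cacert() {
    awk '$1 == "TLS_CACERT" { v = $2 } END { print v }' "$1"
}

# Full procedure; only executed when the script is invoked as "sh migrate.sh --run".
run_migration() {
    cp -p "$LDAP_CONF" "$LDAP_CONF.pre-migration"
    point_ldapconf_at_ca "$LDAP_CONF.pre-migration" "$REMOTE_CA" "$LDAP_CONF"
    # ldapsearch reads the same ldap.conf, so a TLS failure shows up here with a
    # readable error instead of deep inside the IPA server's Apache process.
    ldapsearch -H "$REMOTE_URI" -x -b '' -s base 'objectClass=*' >/dev/null
    systemctl restart httpd
    ipa migrate-ds --bind-dn="$BIND_DN" "$REMOTE_URI"
    # Undo the change so the IPA CA stays the trust anchor for future connections.
    mv "$LDAP_CONF.pre-migration" "$LDAP_CONF"
    systemctl restart httpd
}

if [ "${1:-}" = "--run" ]; then
    run_migration
fi
```

Restoring the saved copy rather than editing the file a second time avoids leaving a stray TLS_CACERT line behind; a leftover line pointing at the old server's CA would be picked up by every later LDAPS connection from the IPA server.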


I assume after you did one of the following you run ipa migrate-ds?
Do you need to restore the configuration file after? Clean the certs from NSS DB?

Good point. Yeah, you'll want to reverse whatever changes were made to ldap.conf after the migration. Mostly just because it isn't really needed any more, and depending on what you change you could cause future weird problems (like not trusting the IPA CA).

FreeIPA project no longer actively maintains an upstream guide (see details). This ticket is already cloned to the RHEL downstream guide so the issue should be fixed at least there. Closing the upstream ticket.

Metadata Update from @rcritten:
- Issue assigned to elladeon
- Issue set to the milestone: FreeIPA 3.x Documentation

7 years ago
