[Freeipa-users] openldap to ipa

Johnathan Phan john at ox-consulting.com
Fri Jan 11 16:05:25 UTC 2013


Hi There,

This is driving me up the wall.

I have two servers. 1 is a live openldap/kerberos AAA server running on
RHEL6. The LDAP service has SSL/TLS support. The second server is a test
environment running on Fedora and has 3.1 IPA installed.

As a last step of my POC I need to migrate the users and passwords from the
LDAP server to IPA server.

I ran this command perfectly fine.

ipa config-mod --enable-migration=TRUE

However the next step was where my issues began.

In the end after a lot of IRC communication and troubleshooting I now run
the following command.

ipa migrate-ds --bind-dn="cn=admin,dc=example,dc=com" \
    --user-container="ou=users,ou=live,dc=example,dc=com" \
    --group-container="ou=groups,ou=live,dc=example,dc=com" \
    ldaps://ldap1.live.example.com

I get the following error.

ipa: DEBUG: Caught fault 4203 from server
http://fedoraipaserver.test.example.com/ipa/xml: Can't contact LDAP server:
TLS error -8179:Peer's Certificate issuer is not recognized.
ipa: DEBUG: Destroyed connection context.xmlclient
ipa: ERROR: Can't contact LDAP server: TLS error -8179:Peer's Certificate
issuer is not recognized.

I have summarized that the IPA server does not trust the cert served by the
openldap or the other way around. Does anyone know how to get around this?
Or allow me to finish the migration of user data.

Regards

John

-- 
Johnathan Phan

T: +44 (0)784 118 7080
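The error above is NSS code -8179 (SEC_ERROR_UNKNOWN_ISSUER): the IPA server's TLS layer received ldap1's certificate but has no trust anchor for the CA that issued it. The script below is an added example, not part of the thread, that reproduces that condition offline with throwaway certificates and shows the chain check a practitioner would run before attempting the migration again: verify the OpenLDAP server's certificate against the CA file you intend to trust. The CA names, the hostname and the openssl invocations are constructed for the example; it assumes only the openssl command-line tool is available.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a throwaway PKI, then
# demonstrates the difference between verifying a server certificate against
# an unrelated CA (fails, as in the "issuer is not recognized" error) and
# against the CA that actually issued it (succeeds).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: the CA that signs the LDAP server cert, an unrelated
# CA that stands in for whatever the IPA server already trusts, and a server
# certificate for a hypothetical hostname.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Live CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=ldap1.live.example.com" \
    -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ldap.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/ldap.pem" >/dev/null 2>&1
}

# verify_chain CAFILE CERT
# Prints "trusted" when CERT chains to a CA in CAFILE, "untrusted" otherwise.
# This is the same judgement the IPA server's TLS client makes when it
# connects to ldaps://; an "untrusted" result here predicts error -8179.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_test_pki
echo "against an unrelated CA : $(verify_chain "$WORK/other.pem" "$WORK/ldap.pem")"
echo "against the issuing CA  : $(verify_chain "$WORK/ca.pem"    "$WORK/ldap.pem")"
```

Against a live server, the certificate to feed into verify_chain is the one ldap1 presents on port 636 (for example the output of `openssl s_client -connect ldap1.live.example.com:636 -showcerts`), and the CA file is the PEM certificate of whichever CA signed it. Until that CA is part of the trust store the IPA server consults for outbound TLS, the chain check fails on the client side and migrate-ds cannot proceed.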