On Fri, 04 Nov 2022, Martin Gignac via FreeIPA-users wrote:
> Hello,
> I would like to take a RedHat IDM installation running on RHEL 7 and
> migrate it to a Fedora 36 installation running FreeIPA. Since the jump
> in version is too big to simply make the Fedora 36 server a replica of
> the RHEL 7 installation, and since I'd like to change the domain name
> from 'country.example.com' to 'example.com', I've decided to use the
> API to extract users and groups from the RHEL installation and populate
> them in the Fedora 36 server. The Python script I wrote to run this
> seems to work fine. However, I am left with two remaining things I would
> like to migrate: passwords and the root CA certificate.
> 1. Is there a way to transfer over the hashed passwords from the RHEL 7
> install to the Fedora 36 one? (I expect that the answer will be "no",
> but I gotta ask anyway!)
The answer is no, in general. Kerberos keys for each account are encrypted
with the master key of that deployment, so they will be unusable in the
new one. Hashed passwords for LDAP auth would probably continue working,
but since we maintain them in sync with Kerberos keys, you'd need to
remove the Kerberos keys (and that means all Kerberos
attributes/objectclasses) and switch to migration mode to get SSSD to
request regeneration of the Kerberos keys. It is not a simple task.
> 2. Is there a way to extract the root CA from the RHEL 7 install and use
> it as the root CA for all generated certificates on the Fedora 36 one?
> I would like to keep the same root CA so that I don't have to go and
> change that certificate on all of my LDAPS clients.
It is also not an easy thing. Since your new deployment uses a different
Kerberos realm, it would also have a different CA subject DN. The best
you could do is to take the NSS database of the RHEL7 deployment, do a
new setup with an externally signed CA, and sign that CA certificate request
with the old RHEL7 CA from its NSS database. This way the new deployment's CA
would be issued by the old one and existing LDAPS clients will trust it. New
certificates will be issued by the new CA.
See Fraser's articles on CA handling:
https://frasertweedale.github.io/blog-redhat/tags/certificates.html
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland