Migrating identity managment from redhat ES 6 to version es 7

Latest response

I'm following the red hat doc https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/migrate-6-to-7 and I get an error after following 8.2.3:

ipa-replica-prepare rhel7.example.com --ip-address I get this error:

Preparing replica for ldap01.webdom.lsnet.ucla.edu from ldap.webdom.lifesci.ucla.edu
preparation of replica failed: cannot connect to u'ldaps://myserv.domain.com:7390': LDAP Server Down
cannot connect to u'ldaps://myserv.domain.com:7390': LDAP Server Down
File "/usr/sbin/ipa-replica-prepare", line 529, in

File "/usr/sbin/ipa-replica-prepare", line 391, in main

File "/usr/sbin/ipa-replica-prepare", line 247, in update_pki_admin_password

File "/usr/lib/python2.6/site-packages/ipalib/backend.py", line 63, in connect
conn = self.create_connection(*args, **kw)

File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 846, in create_connection

File "/usr/lib/python2.6/site-packages/ipaserver/plugins/ldap2.py", line 736, in handle_errors
error=u'LDAP Server Down')

Is anyone familiar with this error and how to handle it?


Hi Marcello,

Have you tested connection to LDAP? ldaps://myserv.domain.com:7390': LDAP Server Down

Hi Sam,

Thank you for your post, yes I have tested the ldap connection on our server on port 7390 and is working. Basically I discovered that the /usr/sbin/ipa-prepare-replica was stopping on line 392 were it calls the update_pki_admin password, within this method there is a call to the IPA server on port 7390 .

382 else: 383 try: 384 if not certs.ipa_self_signed(): 385 # FIXME, need option for location of CA backup 386 if ipautil.file_exists(options.ca_file): 387 # Since it is possible that the Directory Manager password 388 # has changed since ipa-server-install, we need to regenerate 389 # the CA PKCS#12 file and update the pki admin user password 390 regenerate_ca_file(dirman_password, options.ca_file) 391 #--MG 41619 this cause the manager to fail. 392 #update_pki_admin_password(dirman_password) 393 shutil.copy(options.ca_file, dir + "/cacert.p12")

So I comment out that call and after re running the script I was able to generate the replica file. Then we we had issue with installing the replica file on the replica IPA it failed at the CA certificate. We decide to go to a different route. Install a new IPA server and then we will try to migrate account/groups/rules ecc.. with the migrate-ds , worst case scenario I'll port all this stuff manually. Thank you again for your post.