I have migrated users from an old/broken FreeIPA server using Martin Kosek's recommendations here: http://news.gmane.org/find-root.php?message_id=550810EF.2030705%40redhat.com
My servers are on the public internet, so for obvious reasons I immediately disabled anonymous bind.
Now, everything is working except that the migration UI (at https://server/ipa/migration/) does not work when anonymous bind is disabled. I get the following message in HTTPD's error_log:
[Tue Mar 17 11:57:13.169949 2015] [:error] [pid 13589] ipa: ERROR: migration unable to get base dn
[Tue Mar 17 11:57:30.729802 2015] [:error] [pid 13588] ipa: ERROR: migration context search failed: Insufficient access: Inappropriate authentication: Anonymous access is not allowed.
FreeIPA version is ipa-server-4.1.0-18.el7.centos.x86_64
Thanks for the report. I think this should not be a difficult fix. My initial suggestion from the thread:
I am CCing Peter Vobornik for the UI part. I think you are right. I quickly
checked the code, it indeed does an anonymous search and it also does not use
the CA certificate for TLS authentication when LDAPI is not available.
IMO, a ticket creation is due, to use IPA API object to get the basedn that is
read in the anonymous connection and to also use TLS when LDAPI is not available.
Quick workaround, if one does not want to wait for the fix:
Replace in /usr/share/ipa/migration/migration.py

    # Retrieve LDAP server base DN.
    try:
        conn = IPAdmin(ldap_uri=ldap_uri)
        base_dn = get_ipa_basedn(conn)
    except Exception, e:
        root_logger.error('migration context search failed: %s' % e)

with (with your base dn)
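The following is an added example, not FreeIPA project code and not part of the ticket discussion. It shows the two halves of what an administrator hitting this bug would do: confirm from the httpd error_log that the migration page is failing on the anonymous bind (using the two log lines quoted in the report as constructed input), and obtain the base DN from local server configuration instead of an anonymous LDAP search, which is what the hard-coding workaround above achieves. It assumes the `basedn` key in the `[global]` section of /etc/ipa/default.conf, which a standard FreeIPA server install writes; the `parse_base_dn` and `find_anonymous_bind_errors` helpers are hypothetical names for this example.

```python
"""Added example (not FreeIPA code): read the IPA base DN from local
configuration rather than from an anonymous LDAP search, and spot the
log signature this ticket describes. Assumes /etc/ipa/default.conf
carries a [global] basedn entry (standard on an IPA server)."""
import configparser
import re

# Constructed sample resembling /etc/ipa/default.conf; values are made up.
SAMPLE_DEFAULT_CONF = """\
[global]
host = ipa.example.test
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
xmlrpc_uri = https://ipa.example.test/ipa/xml
"""

# The two error_log lines quoted in the report, used here as sample input.
SAMPLE_ERROR_LOG = [
    "[Tue Mar 17 11:57:13.169949 2015] [:error] [pid 13589] ipa: ERROR: "
    "migration unable to get base dn",
    "[Tue Mar 17 11:57:30.729802 2015] [:error] [pid 13588] ipa: ERROR: "
    "migration context search failed: Insufficient access: Inappropriate "
    "authentication: Anonymous access is not allowed.",
    "[Tue Mar 17 11:58:02.000000 2015] [:notice] [pid 13588] ipa: INFO: "
    "unrelated message that must not match",
]

# Substrings that identify the anonymous-bind failure of the migration page.
ANON_BIND_MARKERS = (
    "migration unable to get base dn",
    "Anonymous access is not allowed",
)

# One RDN: attribute type "=" value, e.g. "dc=example".
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def find_anonymous_bind_errors(log_lines):
    """Return the ipa migration error lines caused by the disabled anonymous bind."""
    hits = []
    for line in log_lines:
        if "ipa: ERROR: migration" not in line:
            continue
        if any(marker in line for marker in ANON_BIND_MARKERS):
            hits.append(line.strip())
    return hits


def parse_base_dn(conf_text):
    """Extract and sanity-check [global] basedn from default.conf-style text.

    configparser splits each line on the first '=' only, so a value such as
    'dc=example,dc=test' survives intact.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    base_dn = parser.get("global", "basedn", fallback=None)
    if not base_dn:
        raise ValueError("no basedn entry in [global] section")
    base_dn = base_dn.strip()
    for rdn in base_dn.split(","):
        if not RDN_RE.match(rdn.strip()):
            raise ValueError("malformed base DN: %r" % base_dn)
    return base_dn


def load_base_dn(path="/etc/ipa/default.conf"):
    """Read the base DN from the server's own config; no LDAP bind needed."""
    with open(path) as conf:
        return parse_base_dn(conf.read())


if __name__ == "__main__":
    for hit in find_anonymous_bind_errors(SAMPLE_ERROR_LOG):
        print("symptom:", hit)
    print("base DN from config:", parse_base_dn(SAMPLE_DEFAULT_CONF))
```

On a real server `load_base_dn()` reads the installed default.conf; the migration page can then use that value wherever the hard-coded DN would go, and the LDAP connection it opens for the actual user migration is authenticated with the credentials the form collects rather than anonymous.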
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1205264
4.1.4 was released, moving to new milestone
Metadata Update from @rangerrick:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.1.5