Description
This test case verifies that the ipa-migrate command in production mode migrates users, groups, HBAC rules, sudo rules, and other IPA configurations from a remote IPA server to a local IPA server while maintaining consistency and ensuring smooth operation post-migration.
Setup
- Install Fedora 41 on both local and remote servers.
- Set up a remote IPA server with the domain testrelm.test and ensure it is running.
- Create the following on the remote IPA server:
  * A user (user1) with valid configuration.
  * Groups.
  * HBAC Rule: hbacrule1.
  * Sudo Rule: sudorule1.
- Set up a local IPA server with the same domain testrelm.test and ensure it is running.
How to test
- Install the IPA server on the remote system and configure it with the domain testrelm.test.
- Create sample entries on the remote IPA server:
  * User: user1.
  * Groups.
  * HBAC Rule: hbacrule1.
  * Sudo Rule: sudorule1.
- Install and configure the IPA server on the local system with the same domain testrelm.test.
- Run the ipa-migrate command in production mode:
    [root@local ~]# ipa-migrate prod-mode remote.testrelm.test -w pwd
- Confirm the migration operation by checking the logs and reviewing the migration summary.
- Validate migrated data on the local server.
Expected Results
The following must be true to consider this a successful test run:
- The ipa-migrate command executes without errors and displays the migration summary.
- The output confirms successful migration of users, groups, HBAC rules, sudo rules, and DNA plugin configuration.
- Verify the migrated user (user1) on the local server using:
    [root@local ~]# ipa user-find
      User login: user1
      First name: user1
      Last name: s
      Home directory: /home/user1
      Login shell: /bin/sh
      Principal name: user1@TESTRELM.TEST
      Principal alias: user1@TESTRELM.TEST
      Email address: user1@testrelm.test
      UID: 1662400003
      GID: 1662400003
      Account disabled: False
- Confirm UID and GID consistency between the remote and local servers:
    [root@remote ~]# id user1
    uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)
    [root@local ~]# id user1
    uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)
- Validate the migrated sudo rule on the local server:
    [root@local ~]# ipa sudorule-find
      Rule name: sudorule1
      Enabled: True
- Validate the migrated HBAC rule on the local server:
    [root@local ~]# ipa hbacrule-find
      Rule name: hbacrule1
      Enabled: True
- Verify that certificates from the previous CA are removed, as indicated by the logs:
    DEBUG Removed IPA issued userCertificate from: krbprincipalname=ldap/remote.testrelm.test@TESTRELM.TEST,cn=services,cn=accounts,dc=testrelm,dc=test
    DEBUG Skipping remote certificate entry: 'cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test'
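The UID/GID and certificate checks above can be scripted over captured output. The following is an added example, not part of this test case or of ipa-migrate: the function names are hypothetical, the sample `id` output and log lines are copied from the expected results above, and DRIFTED_ID is constructed to show a failing comparison.

```sh
#!/bin/sh
# Added example: post-migration checks over captured command output and log text.
# Function names are hypothetical; they are not part of ipa-migrate.

# Reduce one line of `id` output to "uid gid sorted,numeric,groups".
id_numbers() {
    uid=$(printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\).*/\1/p')
    gid=$(printf '%s\n' "$1" | sed -n 's/.* gid=\([0-9][0-9]*\).*/\1/p')
    grps=$(printf '%s\n' "$1" | sed -n 's/.* groups=//p' | tr ',' '\n' |
           sed 's/(.*//' | sort -n | tr '\n' ',')
    [ -n "$uid" ] && [ -n "$gid" ] || return 1
    printf '%s %s %s\n' "$uid" "$gid" "${grps%,}"
}

# Succeed only when the remote and local captures carry identical numeric IDs.
# Returns 2 when either capture cannot be parsed.
ids_match() {
    remote_ids=$(id_numbers "$1") || return 2
    local_ids=$(id_numbers "$2") || return 2
    [ "$remote_ids" = "$local_ids" ]
}

# Succeed when the log text on stdin shows IPA-issued certificates being removed
# and the remote CA certificate entry being skipped, as the test case expects.
ca_certs_dropped() {
    log=$(cat)
    printf '%s\n' "$log" | grep -q 'Removed IPA issued userCertificate from:' &&
        printf '%s\n' "$log" | grep -q 'Skipping remote certificate entry:'
}

# Sample data: REMOTE_ID, LOCAL_ID and SAMPLE_LOG are the outputs shown in this
# test case; DRIFTED_ID is constructed to demonstrate a mismatch.
REMOTE_ID='uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)'
LOCAL_ID='uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)'
DRIFTED_ID='uid=1000(user1) gid=1000(user1) groups=1000(user1)'
SAMPLE_LOG="DEBUG Removed IPA issued userCertificate from: krbprincipalname=ldap/remote.testrelm.test@TESTRELM.TEST,cn=services,cn=accounts,dc=testrelm,dc=test
DEBUG Skipping remote certificate entry: 'cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test'"

if ids_match "$REMOTE_ID" "$LOCAL_ID"; then echo "PASS: UID/GID match"
else echo "FAIL: UID/GID differ or could not be parsed"; fi
if ids_match "$REMOTE_ID" "$DRIFTED_ID"; then echo "UNEXPECTED: drift not detected"
else echo "PASS: drifted IDs detected"; fi
if printf '%s\n' "$SAMPLE_LOG" | ca_certs_dropped; then echo "PASS: old CA certificates dropped"
else echo "FAIL: certificate removal not confirmed in log"; fi
```

In a real run, pass the captured `id user1` output from each server to ids_match and pipe the migration log into ca_certs_dropped.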
Optional
- Optionally validate the migration of additional configurations or extended use cases such as DNS and custom plugins.
- Confirm that all post-migration action items are addressed:
  * Restart SSSD.
  * Take the server out of migration mode once migration is complete.
  * Reset the admin password if needed.