From Fedora Project Wiki

Description

This test case verifies that the ipa-migrate command in production mode migrates users, groups, HBAC rules, sudo rules, and other IPA configurations from a remote IPA server to a local IPA server while maintaining consistency and ensuring smooth operation post-migration.

Setup

  • Install Fedora 41 on both local and remote servers.
  • Set up a remote IPA server with the domain testrelm.test and ensure it is running.
  • Create the following on the remote IPA server:
      * A user (user1) with valid configuration.
      * Groups.
      * HBAC Rule: hbacrule1.
      * Sudo Rule: sudorule1.
  • Set up a local IPA server with the same domain testrelm.test and ensure it is running.

How to test

  1. Install the IPA server on the remote system and configure it with the domain testrelm.test.
  2. Create sample entries on the remote IPA server:
      * User user1.
      * Groups.
      * HBAC Rule: hbacrule1.
      * Sudo Rule: sudorule1.
  3. Install and configure the IPA server on the local system with the same domain testrelm.test.
  4. Run the ipa-migrate command in production mode:

     [root@local ~]# ipa-migrate prod-mode remote.testrelm.test -w pwd

  5. Confirm the migration operation by checking the logs and reviewing the migration summary.
  6. Validate migrated data on the local server.

Expected Results

The following must be true to consider this a successful test run:

  1. The ipa-migrate command executes without errors and displays the migration summary.
  2. The output confirms successful migration of users, groups, HBAC rules, sudo rules, and DNA plugin configuration.
  3. Verify the migrated user (user1) on the local server using:

     [root@local ~]# ipa user-find
       User login: user1
       First name: user1
       Last name: s
       Home directory: /home/user1
       Login shell: /bin/sh
       Principal name: user1@TESTRELM.TEST
       Principal alias: user1@TESTRELM.TEST
       Email address: user1@testrelm.test
       UID: 1662400003
       GID: 1662400003
       Account disabled: False

  4. Confirm UID and GID consistency between the remote and local server:

     [root@remote ~]# id user1
     uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)
     [root@local ~]# id user1
     uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)

  5. Validate the migrated sudo rule on the local server:

     [root@local ~]# ipa sudorule-find
       Rule name: sudorule1
       Enabled: True

  6. Validate the migrated HBAC rule on the local server:

     [root@local ~]# ipa hbacrule-find
       Rule name: hbacrule1
       Enabled: True

  7. Verify that certificates from the previous CA are removed, as indicated by the logs:

     DEBUG Removed IPA issued userCertificate from: krbprincipalname=ldap/remote.testrelm.test@TESTRELM.TEST,cn=services,cn=accounts,dc=testrelm,dc=test
     DEBUG Skipping remote certificate entry: 'cn=TESTRELM.TEST IPA CA,cn=certificates,cn=ipa,cn=etc,dc=testrelm,dc=test'
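
The UID/GID and rule checks above can be scripted over captured command output. This is an added example, not part of the original test case; the function names and sample variables are assumptions. File ownership follows the numeric ID, and a missing or disabled sudo or HBAC rule changes who can log in or escalate, so both checks compare values rather than relying on a visual review.

```shell
#!/bin/sh
# Added example (not from the wiki page): offline checks over captured command
# output. Function names and the "uid:gid:groups" format are assumptions.

# Reduce one `id` output line to "uid:gid:sorted,group,ids" (numeric only).
normalize_id() {
    line=$(printf '%s\n' "$1" | sed -E 's/\([^)]*\)//g')    # drop "(name)" labels
    uid=$(printf '%s\n' "$line" | sed -nE 's/.*uid=([0-9]+).*/\1/p')
    gid=$(printf '%s\n' "$line" | sed -nE 's/.*gid=([0-9]+).*/\1/p')
    grps=$(printf '%s\n' "$line" | sed -nE 's/.*groups=([0-9,]+).*/\1/p' |
           tr ',' '\n' | sort -n | paste -sd, -)
    [ -n "$uid" ] && [ -n "$gid" ] || return 1              # unparsable input
    printf '%s:%s:%s\n' "$uid" "$gid" "$grps"
}

# Succeed only if the remote and local `id` lines carry the same numeric IDs.
# Group order is ignored; a parse failure on either side returns 2.
ids_consistent() {
    r=$(normalize_id "$1") || return 2
    l=$(normalize_id "$2") || return 2
    [ "$r" = "$l" ]
}

# Succeed only if the sudorule-find/hbacrule-find output in $1 lists rule $2
# and shows it as enabled (case-insensitive match on "True").
rule_enabled() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]*Rule name:/ { sub(/^[ \t]*Rule name:[ \t]*/, ""); cur = $0; next }
        /^[ \t]*Enabled:/   { if (cur == want && tolower($2) == "true") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed samples, copied from the expected results on this page.
REMOTE_ID='uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)'
LOCAL_ID='uid=1662400003(user1) gid=1662400003(user1) groups=1662400003(user1)'
SUDO_OUT='  Rule name: sudorule1
  Enabled: True'

ids_consistent "$REMOTE_ID" "$LOCAL_ID" && echo "user1: UID/GID consistent"
rule_enabled "$SUDO_OUT" sudorule1 && echo "sudorule1: present and enabled"
```

On real servers, pass the output of `id user1` from each host and of `ipa sudorule-find` or `ipa hbacrule-find` from the local server in place of the sample variables.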

Optional

  • Optionally validate the migration of additional configurations or extended use cases such as DNS and custom plugins.
  • Confirm that all post-migration action items are addressed:

      - Restart SSSD.
      - Take the server out of migration mode once migration is complete.
      - Reset the admin password if needed.