Chapter 3. Migrating to IdM on RHEL 9 from FreeIPA on non-RHEL Linux distributions


To migrate a FreeIPA deployment on a non-RHEL Linux distribution to an Identity Management (IdM) deployment on RHEL 9 servers, you must first add a new RHEL 9 IdM Certificate Authority (CA) replica to your existing FreeIPA environment, transfer certificate-related roles to it, and then retire the non-RHEL FreeIPA servers.


Performing an in-place conversion of a non-RHEL FreeIPA server to a RHEL 9 IdM server using the Convert2RHEL tool is not supported.


Because the use of the SHA-1 algorithm is disabled in the DEFAULT system-wide cryptographic policy in RHEL 9, multiple known issues might arise if a RHEL 9 system is used in the same IdM deployment as a non-RHEL-9 system. For details, see:


After upgrading your IdM replica to RHEL 9.2, the IdM Kerberos Distribution Centre (KDC) might fail to issue ticket-granting tickets (TGTs) to users who do not have Security Identifiers (SIDs) assigned to their accounts. Consequently, the users cannot log in to their accounts.

To work around the problem, generate SIDs by running # ipa config-mod --enable-sid --add-sids as an IdM administrator on another IdM replica in the topology. Afterward, if users still cannot log in, examine the Directory Server error log. You might have to adjust ID ranges to include user POSIX identities.


On the RHEL 9 system:

  1. Ensure the latest version of Red Hat Enterprise Linux is installed on the system. For more information, see Performing a standard RHEL 9 installation.
  2. Ensure the system is an IdM client enrolled into the domain for which the FreeIPA server is authoritative. For more information, see Installing an IdM client: Basic scenario.
  3. Ensure the system meets the requirements for IdM server installation. See Preparing the system for IdM server installation.
  4. Ensure the system is authorized for the installation of an IdM replica. See Authorizing the installation of a replica on an IdM client.

On the non-RHEL FreeIPA server:

  1. Ensure you know the time server that the system is synchronized with:

    [root@freeipaserver ~]# ntpstat
    synchronised to NTP server ( at stratum 3
       time correct to within 42 ms
       polling server every 1024 s
  2. Update the ipa-* packages to their latest version:

    [root@freeipaserver ~]# dnf update ipa-*


  1. To perform the migration, follow the same procedure as Migrating your IdM environment from RHEL 8 servers to RHEL 9 servers, with your non-RHEL FreeIPA CA replica acting as the RHEL 8 server:

    1. Configure a RHEL 9 server and add it as an IdM replica to your current FreeIPA environment on the non-RHEL Linux distribution. For details, see Installing the RHEL 9 Replica.
    2. Make the RHEL 9 replica the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 9 IdM server.
    3. Stop generating the certificate revocation list (CRL) on the non-RHEL server and redirect CRL requests to the RHEL 9 replica. For details, see Stopping CRL generation on a RHEL 8 IdM CA server.
    4. Start generating the CRL on the RHEL 9 server. For details, see Starting CRL generation on the new RHEL 9 IdM CA server.
    5. Stop and decommission the original non-RHEL FreeIPA CA renewal server. For details, see Stopping and decommissioning the RHEL 8 server.
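The following check script is an added example and is not part of the Red Hat documentation or the FreeIPA project. It verifies the outcome of steps 2 to 4 before the non-RHEL server is decommissioned in step 5, assuming that the renewal server role is set with ipa config-mod --ca-renewal-master-server and that CRL generation is toggled with ipa-crlgen-manage, and parsing the output of ipa config-show and ipa-crlgen-manage status; hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not Red Hat's or FreeIPA's code): post-handover checks for the
# CA renewal server role and CRL generation. Assumed commands and output formats:
#   ipa config-show            -> "  IPA CA renewal master: <fqdn>"
#   ipa-crlgen-manage status   -> "CRL generation: enabled|disabled"
set -eu

# Pull the renewal server name out of `ipa config-show` output (passed as $1).
ca_renewal_master_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p'
}

# Pull "enabled" or "disabled" out of `ipa-crlgen-manage status` output (passed as $1).
crlgen_state_from() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*CRL generation:[[:space:]]*//p'
}

# Succeed only if the config-show output in $1 names $2 as the CA renewal server.
check_ca_renewal_master() {
    [ "$(ca_renewal_master_from "$1")" = "$2" ]
}

# Succeed only if the status output in $1 reports the CRL generation state $2.
check_crlgen_state() {
    [ "$(crlgen_state_from "$1")" = "$2" ]
}

# Live wrapper: run on any IdM server after kinit as an IdM administrator.
# $1 = FQDN of the RHEL 9 replica that must hold the renewal server role (step 2).
verify_renewal_master() {
    check_ca_renewal_master "$(ipa config-show)" "$1" || {
        echo "CA renewal server is not $1; expected after step 2" >&2
        return 1
    }
}

# Live wrapper: run on the host being checked.
# $1 = expected state on this host: "disabled" on the non-RHEL server (step 3),
#      "enabled" on the RHEL 9 replica (step 4).
verify_crlgen_local() {
    check_crlgen_state "$(ipa-crlgen-manage status)" "$1" || {
        # ${1%d} turns "enabled"/"disabled" into the matching subcommand.
        echo "CRL generation on $(hostname -f) is not $1; run: ipa-crlgen-manage ${1%d}" >&2
        return 1
    }
}
```

Run verify_renewal_master rhel9-replica.example.com on the new replica, then verify_crlgen_local disabled on the non-RHEL server and verify_crlgen_local enabled on the RHEL 9 replica; a non-zero exit means the handover is incomplete and step 5 should wait.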
© 2024 Red Hat, Inc.