
Chapter 5. Migrating to IdM on RHEL 10 from FreeIPA on non-RHEL Linux distributions


To migrate a FreeIPA deployment on a non-RHEL Linux distribution to Identity Management (IdM) on RHEL 10, you must add a new RHEL 10 IdM Certificate Authority (CA) replica to your existing FreeIPA environment, transfer certificate-related roles to it, and then retire the non-RHEL FreeIPA servers.

Warning

Performing an in-place conversion of a non-RHEL FreeIPA server to a RHEL 10 IdM server using the Convert2RHEL tool is not supported.

Important

If your environment has a trust with Active Directory (AD) and uses Public Key Cryptography for Initial Authentication (PKINIT), be aware that the default system-wide cryptographic policy in RHEL 10 disables SHA-1 signatures. Older versions of AD require SHA-1 for PKINIT, so Kerberos authentication against such a domain fails on a RHEL 10 IdM server that keeps the default policy.

  • If you are integrating with an AD environment older than Windows Server 2025, you must set the LEGACY cryptographic policy on the RHEL 10 server to allow PKINIT to function. Note that this lowers the cryptographic policy for every service on that server, not only for Kerberos, and takes effect for new connections after the services are restarted or the system is rebooted:

    # update-crypto-policies --set LEGACY
  • Windows Server 2025 and later versions support SHA-2, so the LEGACY policy is not required.

Prerequisites

On the RHEL 10 system:

On the non-RHEL FreeIPA server:

  • Ensure you know the time server that the system is synchronized with, so that the RHEL 10 replica can be synchronized with the same source (Kerberos tolerates only a small clock skew between servers):

    [root@freeipaserver ~]# ntpstat
    synchronised to NTP server (ntp.example.com) at stratum 3
       time correct to within 42 ms
       polling server every 1024 s

    On a system that runs chronyd instead of ntpd, `chronyc tracking` reports the same information.
  • Update the ipa-* packages to their latest version:

    [root@freeipaserver ~]# dnf update ipa-*

Procedure

  1. To perform the migration, follow the same procedure as Migrating your IdM environment from RHEL 9 servers to RHEL 10 servers, with your non-RHEL FreeIPA CA replica acting as the RHEL 9 server:

    1. Configure a RHEL 10 server and add it as an IdM replica to your current FreeIPA environment on the non-RHEL Linux distribution. For details, see Installing the RHEL 10 Replica.
    2. Make the RHEL 10 replica the certificate authority (CA) renewal server. For details, see Assigning the CA renewal server role to the RHEL 10 IdM server.
    3. Stop generating the certificate revocation list (CRL) on the non-RHEL server and redirect CRL requests to the RHEL 10 replica. For details, see Stopping CRL generation on the RHEL 9 IdM CA server.
    4. Start generating the CRL on the RHEL 10 server. For details, see Starting CRL generation on the new RHEL 10 IdM CA server.
    5. Stop and decommission the original non-RHEL FreeIPA CA renewal server. For details, see Stopping and decommissioning the RHEL 9 server.
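The five steps above are typed on two different hosts and must run in a fixed order, which is easy to get wrong by hand. The following runbook helper is an added example, not Red Hat's or FreeIPA's tooling: it encodes the order, prints the plan with the host each command belongs to (the default, DRY_RUN=1), and with DRY_RUN=0 executes a step only when run on the host it is meant for. The hostnames freeipaserver.example.com and rhel10.example.com are assumptions; the RHEL 10 host is assumed to be able to enroll against the existing domain (ipa-replica-install prompts for the admin password), and the grep on ipa-pki-proxy.conf is a sanity check of the MasterCRL RewriteRule, not a step of its own.

```shell
#!/bin/bash
# Runbook helper for migrating CA roles from a non-RHEL FreeIPA CA server
# to a new RHEL 10 IdM replica. Added example; hostnames are assumptions.
set -eu

OLD_CA="${OLD_CA:-freeipaserver.example.com}"  # non-RHEL FreeIPA CA renewal server (assumed)
NEW_CA="${NEW_CA:-rhel10.example.com}"         # new RHEL 10 IdM CA replica (assumed)
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print the plan only; 0 = execute

# run HOST COMMAND: print the command with the host it belongs to. When not in
# dry-run mode, execute it, but only if this script runs on that host, so a
# step cannot be run on the wrong server.
run() {
    host="$1"; shift
    printf '[%s] %s\n' "$host" "$*"
    if [ "$DRY_RUN" != 1 ]; then
        [ "$(hostname -f)" = "$host" ] || { echo "run this step on $host" >&2; exit 1; }
        eval "$*"
    fi
}

# Step 1: show the crypto policy (LEGACY is needed only for an AD trust with
# pre-2025 Windows Server PKINIT), then install the replica with a CA.
install_replica() {
    run "$NEW_CA" "update-crypto-policies --show"
    run "$NEW_CA" "ipa-replica-install --setup-ca --principal admin"
}

# Step 2: make the RHEL 10 replica the CA renewal server and verify it.
assign_renewal_master() {
    run "$NEW_CA" "ipa config-mod --ca-renewal-master-server $NEW_CA"
    run "$NEW_CA" "ipa config-show | grep -F 'IPA CA renewal master: $NEW_CA'"
}

# Step 3: stop CRL generation on the old server and verify; the grep shows the
# MasterCRL.bin RewriteRule that ipa-crlgen-manage maintains for redirects.
stop_crl_old() {
    run "$OLD_CA" "ipa-crlgen-manage disable"
    run "$OLD_CA" "ipa-crlgen-manage status | grep -F 'CRL generation: disabled'"
    run "$OLD_CA" "grep -F MasterCRL /etc/httpd/conf.d/ipa-pki-proxy.conf"
}

# Step 4: start CRL generation on the RHEL 10 replica and verify.
start_crl_new() {
    run "$NEW_CA" "ipa-crlgen-manage enable"
    run "$NEW_CA" "ipa-crlgen-manage status | grep -F 'CRL generation: enabled'"
}

# Step 5: remove the old server from the topology (from the new server), then
# uninstall IdM on the old host. Only after steps 2-4 have been verified.
decommission_old() {
    run "$NEW_CA" "ipa server-del $OLD_CA"
    run "$OLD_CA" "ipa-server-install --uninstall"
}

# The complete plan. CRL generation is disabled on the old server before it is
# enabled on the new one so that two servers never generate CRLs at once.
migration_plan() {
    install_replica
    assign_renewal_master
    stop_crl_old
    start_crl_new
    decommission_old
}

# step_host COMMAND: the host on which the plan runs the given command
# (first match), for reviewing the plan before executing it.
step_host() {
    migration_plan | grep -F -- "$1" | sed 's/^\[\([^]]*\)\].*/\1/' | head -n 1
}

migration_plan
```

Review the printed plan first, then run the script with DRY_RUN=0 on each host in turn; a step that belongs to the other host aborts with a message instead of running.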
© 2026 Red Hat