On Tue, 24 Jun 2025, Ian Pilcher wrote:
On 6/24/25 10:42 AM, Rob Crittenden wrote:
Your Kerberos realm with dots replaced by dash. You can also tell the
naming based on the instance name: /etc/dirsrv/slapd-EXAMPLE-TEST

OK.  Looks like I'm using the 'bdb' database format.

Looking back at this thread, I see this:

On 6/24/25 6:03 AM, Alexander Bokovoy wrote:
On Tue, 24 Jun 2025, Tomasz Torcz wrote:
 Some FreeIPA installations (like mine) were created long before F40
and upgraded over the years.

Yes, you need to follow the major RHEL IdM upgrade procedure that all RHEL
users have followed for ~15 years now.

RHEL IdM documentation for RHEL9 to RHEL10 migration:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html-single/migrating_to_identity_management_on_rhel_10/index#migrating_idm_from_rhel_9_to_rhel_10

This procedure is probably fine for most enterprises, but it's somewhere
between incredibly painful and not doable at all for many SOHO users.
In fact, I "bit the bullet" and changed from using a RHEL-based IdM
server to Fedora (manually recreating all of the entries) precisely to
avoid this process.

The process will have to be done somehow because the bdb library is going
away, so there is no way to get forward. A suggestion the 389-ds team has is
to do a manual conversion:

1. Export database content to LDIF
2. Upgrade 389-ds and switch the database driver
3. Import LDIF back.

It will be painful this way and will require downtime anyway. Using a
separate replica is easier and is what we recommend upstream and in RHEL
IdM documentation.

Keeping in mind that some people won't be aware of this change before
they pull the trigger on the update from F42 -> F43, this seems like it
will render their IdM servers completely broken, with basically no path
to recover it.

The only realistic thing we can do is to completely inhibit in-place
upgrade. We already decided to do so for major version upgrades in
the freeipa-container project.

https://github.com/freeipa/freeipa-container/issues/664

Otherwise we will never be able to remove the BDB library. This whole
https://fedoraproject.org/wiki/Changes/Libdb_deprecated has been there for
more than 5 years now, a whole 10 Fedora releases, particularly due to
the 389-ds dependency.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
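
The thread turns on whether an instance such as /etc/dirsrv/slapd-EXAMPLE-TEST still uses the 'bdb' database format. As an added example (not part of any message above and not FreeIPA or 389-ds project code), this pre-upgrade check reads the instance's dse.ldif and refuses an in-place upgrade while the backend is bdb. The function names are hypothetical, the sample LDIF is constructed, and the attribute `nsslapd-backend-implement` is the 389-ds setting the thread does not name.

```shell
# Added example (not from the thread): read a 389-ds dse.ldif and report the
# database backend. Real input: /etc/dirsrv/slapd-EXAMPLE-TEST/dse.ldif.

# backend_of [FILE]: print nsslapd-backend-implement from the ldbm config
# entry (lower-cased), or "unknown" when absent. Reads stdin without FILE.
backend_of() {
    awk '
        function handle(l,   low) {
            low = tolower(l)
            sub(/[ \t\r]+$/, "", low)
            if (low == "") { in_entry = 0; return }      # entry separator
            if (low ~ /^dn:/) {
                gsub(/, +/, ",", low)                     # tolerate "a, b"
                in_entry = (low ~ /^dn: *cn=config,cn=ldbm database,cn=plugins,cn=config$/)
                return
            }
            if (in_entry && low ~ /^nsslapd-backend-implement:/) {
                sub(/^[^:]*: */, "", low); value = low; found = 1
            }
        }
        /^ / { line = line substr($0, 2); next }         # LDIF folded line
        { if (NR > 1) handle(line); line = $0 }
        END { handle(line); print (found ? value : "unknown") }
    ' "$@"
}

# inplace_upgrade_ok [FILE]: succeed only when the backend is known and not
# bdb. Failing on "unknown" is this example's assumption, not project policy.
inplace_upgrade_ok() {
    case "$(backend_of "$@")" in
        bdb|unknown) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample dse.ldif fragment; $1 is the backend value to embed.
sample_dse() {
    printf '%s\n' 'dn: cn=config' 'nsslapd-port: 389' '' \
        'dn: cn=config,cn=ldbm database,cn=plugins,' ' cn=config' \
        'objectClass: extensibleObject' "nsslapd-backend-implement: $1"
}

if sample_dse bdb | inplace_upgrade_ok; then
    echo "backend is not bdb: in-place upgrade may proceed"
else
    echo "backend is bdb or unknown: migrate before upgrading"
fi
```

Run as a gate before a release upgrade; a non-zero status from `inplace_upgrade_ok` means the replica-based or LDIF export/import migration discussed above has to happen first.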
