Versions Compared

...

  1. Back up the existing LDAP server before starting (using OpenStack credentials) ADD LINK
  2. Add ports 636 TCP, 749 TCP and 464 UDP to the ldap security group
  3. Run the workflow to create the DNS reverse zone on the LDAP machine, so that the reverse hosted zone exists (if missing):

    ipa dnszone-add --name-from-ip=10.0.0.63 or using an IP range (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones)

  4. If your LDAP is Rocky 8 based, jump to step 9.; if it is CentOS 7, continue normally.
  5. Create an LDAP replica instance to move from CentOS 7 to Rocky 8 (see MigratefromCentos7toRocky8)
  6. Run the workflow to switch IP interfaces between the LDAP machines (see RunworkflowtoswitchIPinterfacesbetweenLDAP)
  7. Check everything is fine (see Tests)
  8. Create an LDAP replica instance to move from Rocky 8 to Rocky 9 (see MigratefromRocky8toRocky9)


Migrate from Centos7 to Rocky 8

...

Creating a new LDAP to migrate to

...

Migrate from Rocky 8 to Rocky 9

...

Creating a new LDAP to migrate to

  1. Deploy a new machine with
    1. Rocky 9
    2. the new ldap security group
    3. plan eo1.medium
  2. Become sudo
  3. Stop and disable firewalld on the machine: systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP IP and its domain (the machine currently acting as LDAP) on one line to /etc/hosts on this machine:

    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
    <!-- END ANSIBLE MANAGED BLOCK -->

  5. Install dependencies
    1. for Rocky 9: install the ipa-replica-install command (dnf install ipa-server ipa-server-dns -y); the second package is required for the --setup-dns option of ipa-replica-install used below
  6. Run the following command to install the LDAP replica:

    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns

    Add --verbose for more logs. If --admin-password is omitted, ipa-replica-install prompts for the password, which keeps it out of the shell history.
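Two of the steps above are easy to get subtly wrong: the security-group ports (step 2 of the first list) and the /etc/hosts entry for the old LDAP (step 4 above). The pre-flight script below is an added example, not part of the original runbook: it checks a hosts file for an exact IP-to-FQDN mapping and checks a rules dump for the three required ports. It assumes the rules file is the output of `openstack security group rule list <group> -f value -c "IP Protocol" -c "Port Range"` (one `<proto> <min>:<max>` per line); the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added pre-flight checks for the LDAP replica migration (example, not the runbook's own code).
# Assumed rules-file format: "<proto> <min>:<max>" per line, e.g. "tcp 636:636".

# Ports the runbook requires on the ldap security group.
REQUIRED_PORTS="636/tcp 749/tcp 464/udp"

# check_hosts_entry <hosts-file> <ip> <fqdn>
# Succeeds only if a non-comment line maps exactly <ip> to <fqdn>.
check_hosts_entry() {
    awk -v ip="$2" -v fqdn="$3" '
        /^[ \t]*#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# missing_ports <rules-file>
# Prints each required port/proto that no rule's port range covers.
missing_ports() {
    for req in $REQUIRED_PORTS; do
        port=${req%/*}; proto=${req#*/}
        awk -v port="$port" -v proto="$proto" '
            $1 == proto { split($2, r, ":"); if (r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0) ok = 1 }
            END { exit ok ? 0 : 1 }' "$1" || printf '%s\n' "$req"
    done
}

# preflight <hosts-file> <rules-file> <old-ldap-ip> <old-ldap-fqdn>
# Reports every failed check and returns non-zero if any check failed.
preflight() {
    status=0
    if ! check_hosts_entry "$1" "$3" "$4"; then
        echo "missing /etc/hosts entry: $3 $4"; status=1
    fi
    for m in $(missing_ports "$2"); do
        echo "security group lacks a rule for $m"; status=1
    done
    return $status
}

# usage (constructed values): preflight /etc/hosts rules.txt 10.0.0.63 ldap.eumetsat.sandbox.ewc
```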

...

  1. Set the zone's name server to the new LDAP: ipa dnszone-mod <DNS ZONE you find with ipa dnszone-find> --name-server=<NEW LDAP complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)>

  1. On the new LDAP machine specify which LDAP is to be the master (using the command ipa-csreplica-manage set-renewal-master)
  2. DON'T DO IT, see the comment in the next steps on why → create an A record for the existing LDAP domain pointing to the new LDAP: ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP>
  3. Modify the DNS primary in Network (cannot be done by a user, unless we give permissions to modify networks) and wait some time (1 week?) or do a manual action on each machine to apply the change (lease time ~5.20 hours):
    1. for Ubuntu a restart of the machine or of the network (systemctl restart networking), or maybe after a while you will get it (TBT)
    2. for Rocky 9 NetworkManager has priority over resolv.conf
    3. for Rocky 8 happening in sandbox but not in mcat; one option is to remove /etc/resolv.conf and dhclient, or ??
  4. Change the secret/ldap_hostname to point to the new IPA host
  5. sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run)
  6. ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force to delete the old replica

...