...

Warning

In order to perform this migration, you need to request OpenStack Application Credentials (see EWC - How to request Openstack Application Credentials).

User procedure

  1. Backup the existing ldap VM using the following documentation: EWC - How to create and restore backups from VMs
  2. Add ports 636/TCP, 749/TCP and 464/UDP to the ldap security group
    Code Block
    ADD OPENSTACK COMMAND
  3. Run the workflow Create DNS reverse zone on the LDAP machine to create the reverse hosted zone (if missing)
    Code Block
    ipa dnszone-add --name-from-ip=10.0.0.63

    or using an IP range (see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones)
  4. Backup the existing ldap VM using the following documentation: EWC - How to create and restore backups from VMs
  5. If your LDAP is Rocky 8 based, jump to step 9; if it is CentOS 7, continue normally.
  6. Create an LDAP replica instance to move from CentOS 7 to Rocky 8 (see Migrate from CentOS 7 to Rocky 8);
  7. Run the workflow to switch IP interfaces between LDAPs (see Run workflow to switch IP interfaces between LDAP);
  8. Check everything is fine (see Tests);
  9. Create an LDAP replica instance to move from Rocky 8 to Rocky 9 (see Migrate from Rocky 8 to Rocky 9);
  10. Run the workflow to switch IP interfaces between LDAPs (see Run workflow to switch IP interfaces between LDAP);
  11. Check everything is fine (see Tests);
  12. Remove the old LDAPs
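As an added example (not a command from the runbook), the security-group rules of step 2 expressed with the OpenStack CLI; the group name ldap, the source CIDR 10.0.0.0/24 and the DRY_RUN switch are assumptions, and the rules are limited to the tenant subnet instead of being opened to everyone.

```shell
#!/usr/bin/env bash
# Added example, not the runbook's own command: open only the ports the
# procedure lists (636/TCP LDAPS, 749/TCP kadmin, 464/UDP kpasswd) on the
# ldap security group, and only from the tenant subnet rather than 0.0.0.0/0.
# Assumes python-openstackclient is installed and the application credentials
# are loaded in the environment; set DRY_RUN=1 to print instead of running.
set -eu

# Port list from the runbook step: "<protocol> <port> <description>"
ldap_sg_rules() {
  printf '%s\n' 'tcp 636 LDAPS' 'tcp 749 kadmin' 'udp 464 kpasswd'
}

# One ingress rule; the options are real python-openstackclient options.
add_rule() {  # $1=group $2=source CIDR $3=proto $4=port $5=description
  set -- openstack security group rule create --ingress --protocol "$3" \
         --dst-port "$4:$4" --remote-ip "$2" --description "$5" "$1"
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Apply every rule for GROUP, restricted to the given source CIDR.
apply_ldap_sg_rules() {  # $1=group $2=source CIDR (e.g. the tenant subnet)
  ldap_sg_rules | while read -r proto port desc; do
    add_rule "$1" "$2" "$proto" "$port" "$desc"
  done
}

# Demo run (constructed values): prints the three commands.
DRY_RUN=1 apply_ldap_sg_rules ldap 10.0.0.0/24
```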

...

  1. Deploy a new machine with
    1. Rocky 8
    2. the new ldap security group
    3. plan eo1.medium
  2. Become sudo
  3. Stop and disable firewalld on the machine:
    Code Block
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP IP and the domain of the machine acting as LDAP in one line to /etc/hosts on this machine, for example:
    Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
    <!-- END ANSIBLE MANAGED BLOCK -->
  5. Install dependencies (for Rocky 8):
    Code Block
    sudo yum -y update
    sudo yum module reset idm:DL1
    sudo yum module enable idm:DL1
    sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  6. Run the following command to install the LDAP replica (add --verbose for more logs):
    Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    NOTE: go ahead with the default NetBIOS name and also answer yes when asked about the ipa-sidgen task installation for users.

    --no-host-dns         Do not use DNS for hostname lookup during installation

Migrate from Rocky 8 to Rocky 9

...

  1. Deploy a new machine with
    1. Rocky 9
    2. the new ldap security group
    3. plan eo1.medium
  2. Become sudo
  3. Stop and disable firewalld on the machine:
    Code Block
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP IP and the domain of the machine acting as LDAP in one line to /etc/hosts on this machine, for example:
    Code Block
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
    <!-- END ANSIBLE MANAGED BLOCK -->
  5. Install dependencies (for Rocky 9): install the ipa-replica-install command; the second package (ipa-server-dns) is required for the --setup-dns option of ipa-replica-install:
    Code Block
    sudo dnf install ipa-server ipa-server-dns -y
  6. Run the following command to install the LDAP replica (add --verbose for more logs):
    Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended
  7. Update the zone's authoritative name server to the new LDAP:
    Code Block
    ipa dnszone-mod <DNS ZONE you find with ipa dnszone-find> --name-server=<NEWLDAP complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)>

...

  1. Login with DNS from the ssh-proxy
  2. Run sudo ipactl status and verify the services are all up and running
  3. Deploy a new machine and enroll it


Post Installation

...

(optional)

We have found that after the IPA migration, especially from CentOS 7 to Rocky 9, there might still be some errors, like the one below:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


There is a FreeIPA doc page related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html
I've fixed this using ipa-replica-manage dnarange-set $ldap_server ${min}-${max}.
I've found the range we used with ipa idrange-find and set

The fix for that error is the following procedure:

  1. Identify the min and max of the ID range
    Code Block
    ipa idrange-find
  2. Set the lower boundary to exclude every existing account (as listed by ipa user-find | grep 'UID')

...

  1. Assign the DNA range using the ${min}-${max} identified in the previous steps
    Code Block
    ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
  2. Check the range that is used

...

    Code Block
    ipa-replica-manage dnarange-show
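An added helper, not part of the runbook, that derives the ${min}-${max} for dnarange-set from the output of ipa idrange-find and ipa user-find as the two steps above describe (lower boundary above every existing UID, upper boundary at the end of the local ID range); the command outputs embedded in it are constructed samples and the server name is the placeholder value from this page.

```shell
#!/usr/bin/env bash
# Added example (not part of the runbook): derive ${min}-${max} for
# "ipa-replica-manage dnarange-set" from the output of "ipa idrange-find"
# and "ipa user-find", so the new DNA range starts above every existing UID
# and stays inside the local ID range. Both sample outputs are constructed.
set -eu

IDRANGE_OUT='----------------
1 range matched
----------------
  Range name: EUMETSAT.SANDBOX.EWC_id_range
  First Posix ID of the range: 1310200000
  Number of IDs in the range: 200000
  Range type: local domain range'

USERFIND_OUT='  User login: admin
  UID: 1310200000
  User login: alice
  UID: 1310200001
  User login: bob
  UID: 1310200017'

# Upper boundary of the local ID range: first ID + number of IDs - 1
idrange_max() {  # stdin: ipa idrange-find output
  awk -F': ' '/First Posix ID of the range/ {base=$2}
              /Number of IDs in the range/ {n=$2}
              END {print base + n - 1}'
}

# Highest UID already allocated (what "ipa user-find | grep UID" lists)
highest_uid() {  # stdin: ipa user-find output
  awk -F': ' '/^ *UID:/ && $2+0 > m {m=$2+0} END {print m+0}'
}

# Lower boundary = highest existing UID + 1; fails if no IDs are left
dna_range() {  # $1=idrange-find output $2=user-find output
  local max min
  max=$(printf '%s\n' "$1" | idrange_max)
  min=$(( $(printf '%s\n' "$2" | highest_uid) + 1 ))
  [ "$min" -le "$max" ] || { echo "no free IDs below $max" >&2; return 1; }
  echo "${min}-${max}"
}

dnarange_set_cmd() {  # $1=LDAP server FQDN (placeholder from the page)
  echo "ipa-replica-manage dnarange-set $1 $(dna_range "$IDRANGE_OUT" "$USERFIND_OUT")"
}

dnarange_set_cmd ldap-test-rocky.eumetsat.sandbox.ewc
```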