...

User procedure

1. ssh to a machine and login with openstack client EWC - OpenStack Command-Line client
2. add port 636 TCP.749 TCP,464 UDP to ldap security group

   Code Block
   ADD OPENSTACK COMMAND
   openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4 openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4 openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4

3. SSH into the OLD LDAP machine (your current one) and create DNS reverse zone (NAME_FROM_IP = LDAP IP or using IP range ) Create DNS reverse zone into LDAP machine (if missing)  Code Blockipa dnszone-add --name-from-ip=10.0.0.63 or using IP range (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones) 
   

   Code Block
   ipa dnszone-add --name-from-ip=NAME_FROM_IP

4. Backup existing ldap VM using the following documentation: EWC - How to create and restore backups from VMs
5. If your LDAP is rocky 8 based jump to step 9., if it is centos7 continue normally.
6. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
7. run workflow to switch Switch IP interfaces between LDAP LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
8. Check everything is fine (see Tests);
   
9. Create LDAP replica instance type to move from centos7 rocky 8 to rocky 8 9 (see MigratefromRocky8toRocky9)
10. run workflow to switch Switch IP interfaces between LDAP LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
11. Check everything is fine (see Tests);
12. Remove old LDAPs machines to free resources (from Morpheus)

Migrate from Centos7 to Rocky 8

Creating a new LDAP to migrate to

1. From Morpheus, deploy a new machine with
   1. image: rocky 8
   2. new security group: ldap security group
   3. plan: eo1.medium
2. become sudo
3. 1. name: different from existing ldap machine
4. SSH to the new machine and become root
5. Stop stop and disable firewalld on the machine

   Code Block
   systemctl stop firewalld && systemctl disable firewalld

6. add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine

7. Code Block
   [test234@test-podman2 ~]$ cat /etc/hosts <!-- BEGIN ANSIBLE MANAGED BLOCK --> 10.0.0.133 test-podman2.eumetsat.sandbox.ewc 10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> <!-- END ANSIBLE MANAGED BLOCK -->

8. Install dependencies
   1. for rocky 8:

      1. Code Block
         sudo yum -y update

      2. Code Block
         sudo yum module reset idm:DL1

      3. Code Block
         sudo yum module enable idm:DL1

      4. Code Block
         sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y

9. Run the following command to install the LDAP replica

10. Code Block
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    (add --verbose for more logs) NOTE: go ahead with the default netbios and also put yes when asked about the ipa-sidgen task installation for users

11. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

       1. Code Block
          ipa dnszone-find

    2.  Make the ldap machine primary  (SERVER IS the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc), while DNS_ZONE is the zone name from the previous command)

       1. Code Block
          ipa dnszone-mod DNS_ZONE --name-server=SERVER

Migrate from Rocky 8 to Rocky 9

Creating a new LDAP to migrate to

1. From Morpheus, deploy a new machine with
   
   1. image: rocky 9
   2. new security group: ldap security group
   3. plan: eo1.medium
   4. name: different from existing ldap machine
2. become sudo
3. SSH to the new machine and become root
4. Stop stop and disable firewalld on the machine

   Code Block
   systemctl stop firewalld && systemctl disable firewalld

5. add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine

6. Code Block
   [test234@test-podman2 ~]$ cat /etc/hosts <!-- BEGIN ANSIBLE MANAGED BLOCK --> 10.0.0.133 test-podman2.eumetsat.sandbox.ewc 10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> <!-- END ANSIBLE MANAGED BLOCK -->

7. Install dependencies
   1. for rocky 9:

      1. Code Block
         sudo dnf install ipa-server ipa-server-dns -y

8. Run the following command to install the LDAP replica

9. Code Block
   ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

   add --verbose for more logs

10. Make the new ldap machine primary, running the following commands

    1. Find the dns zone name 

       1. Code Block
          ipa dnszone-

    mod <DNS ZONE you find with ipa dnszone-find> --name-server=<NEWLDAP

    1. 1. find

    2.  Make the ldap machine primary  (SERVER is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)

    >

1. on the new ldap machine specify which ldap to be master (using command: ipa-csreplica-manage set-renewal-master)

2. DON'T DO IT, see next steps comment on why → create an A record for existing ldap domain to point to the new LDAP ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP> 
   

3. Modify the DNS primary in Network (cannot be done by a user, unless we give permissions to modify networks) and wait some time (1 week? ) or do manual action on each machine to make the changes: (lease time ~5.20 hours)
   
   1. for Ubuntu a restart of the machine or the newotk systemctl restart networking or maybe after while you will get it (TBT)
   2. for Rocky 9 network manager has priority on resolve.conf
   3. for Rocky 8 happening in sandbox but not in mcat, one option either remove /etc/resolve.conf and dhclient or ??
4. Change the secret/ldap_hostname to point to the new ipa host

5. sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run)

6. ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force delete the replica ldap

Run workflow to switch IP interfaces between LDAP

1. 1. , while DNS_ZONE is the zone name from the previous command)

      1. Code Block
         ipa dnszone-mod DNS_ZONE --name-server=SERVER

Switch IP interfaces between LDAP

1. Using Openstack Application credentials (EWC - OpenStack Command-Line client), identify your OLD LDAP machine 

   Code Block
   openstack server list

2. Detach the interface from the OLD LDAP machine (SERVER_NAME is the name of the VM from previous command, IP_ADDRESS is the private IP of the OLD LDAP VM, you listed with the previous command, SAVE IT in your notes and don't lose it!)

   Code Block
   openstack server remove fixed ip SERVER_NAME IP_ADDRESS

3. SSH In the NEW LDAP machine,
4. Detach the interface from the old LDAP
5. update the ip in the /etc/hosts and remove the old LDAP record
6. Delete old LDAP DNS records 
   1. Update the IP of the NEW LDAP machine in the /etc/hosts (IP_ADDRESS ) with the IP of the OLD LDAP machine ( The one you saved before in your notes!)

      Code Block
      [murdaca@ipa ~]$ cat /etc/hosts <!-- BEGIN ANSIBLE MANAGED BLOCK --> IP_ADDRESS ipa.batchpro.ewc <!-- END ANSIBLE MANAGED BLOCK -->

   2. Delete OLD LDAP machine DNS records (SERVER is the old LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
   1. 
      

      Code Block
      ipa-replica-manage del

   ldap.eumetsat.sandbox.ewc

   1. SERVER --force

   2. Find the dns zone name 

   3. Code Block
      ipa dnszone-find

   4. Replace the
   new ldap
   1. NEW LDAP machine IP with the IP of the interface of
   the old LDAP 
   1. the OLD LDAP machine (HOSTED_ZONE is the output name from the previous command, IP_ADDRESS=The one you saved before in your notes!, HOSTNAME is the new LDAP machine complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
      

      Code Block
      ipa dnsrecord-mod

   <hostedzone>

   1. HOSTED_ZONE ipa-ca --a-rec

   <OLD_LDAP_IP>

   1. IP_ADDRESS ipa dnsrecord-mod

   <DNS

   1. HOSTED_

   ZONE>

   1. ZONE

   <NEW LDAP

   1. HOSTNAME

   HOSTNAME>

   1. --a-rec

   <OLD_LDAP_IP>

   1. IP_ADDRESS

7. Switch off the new LDAP
8. Remove interface
9. NEW LDAP machine (SERVER_NAME is the name of the VM, you can find it with openstack server list )

   Code Block
   openstack server stop SERVER_NAME

10. Detach the interface from the NEW LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the private IP of the NEW LDAP VM )

    Code Block
    openstack server remove fixed ip SERVER_NAME IP_ADDRESS

11. Add interface to the NEW LDAP machine Add interface with the IP of the old LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS=The one you saved before in your notes!

12. Code Block
    openstack server add fixed ip SERVER_NAME IP_ADDRESS

13. Add security groups to new LDAP
14. Restart new NEW LDAP machine (SERVER_NAME is the name of the VM)

    Code Block
    openstack server restart SERVER_NAME

15. Go to Morpheus and change Change the value in Cypher: Change the Delete the secret/ldap_hostname and recreate secret/ldap_hostname it to point to the new ipa host (e.g. ldap.eumetsat.sandbox.ewc)

Tests

1. login with DNS from ssh-proxy
2. Run sudo ipactl status → verify the services are all up and running
3. Deploy a new machine and enroll

Post Installation (optional in case of similar errors)

After the IPA Migration, especially from Centos7 to Rocky9, there might be still some possible errors, like the one below:

...