...

  1. SSH to a machine and log in with the OpenStack client (see EWC - OpenStack Command-Line client).
  2. Add ports 636/TCP, 749/TCP and 464/UDP to the ldap security group:
    openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4
    openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4
    openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4
    (--remote-ip 0.0.0.0/0 accepts these ports from any source; if the LDAP only needs to be reachable from inside your project, use your private network's CIDR instead.)
  3. SSH into the OLD LDAP machine (your current one) and create the DNS reverse zone (NAME_FROM_IP is the LDAP IP or its IP range; see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones):
    ipa dnszone-add --name-from-ip=NAME_FROM_IP
  4. Back up the existing LDAP machine using the following documentation: EWC - How to create and restore backups from VMs.
  5. If your LDAP is Rocky 8 based, jump to step 9; if it is CentOS 7, continue with step 6.
  6. Create an LDAP replica to move from CentOS 7 to Rocky 8 (see Migrate from CentOS 7 to Rocky 8);
  7. Switch IP interfaces between the LDAPs (see Run workflow to switch IP interfaces between LDAPs);
  8. Check that everything is fine (see Tests);
  9. Create an LDAP replica to move from Rocky 8 to Rocky 9 (see Migrate from Rocky 8 to Rocky 9);
  10. Switch IP interfaces between the LDAPs (see Run workflow to switch IP interfaces between LDAPs);
  11. Check that everything is fine (see Tests);
  12. Remove the old LDAP machines to free resources (from Morpheus).

...

  1. From Morpheus, deploy a new machine with
    1. image: rocky 8
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine (the ldap security group is then the only packet filter in front of this VM):
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP's IP and domain on one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is its domain, e.g. ldap.eumetsat.sandbox.ewc).
  5. Check the result; it should look like this (example: 10.0.0.133 and test-podman2.eumetsat.sandbox.ewc are the new machine's own private IP and domain, and the OLD_LDAP_IP OLD_LDAP_DOMAIN line would read e.g. 10.0.0.63 ldap.eumetsat.sandbox.ewc):
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    OLD_LDAP_IP OLD_LDAP_DOMAIN
    <!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies (for Rocky 8):
    sudo yum -y update
    sudo yum module reset idm:DL1
    sudo yum module enable idm:DL1
    sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  7. Run the following command to install the LDAP replica (hunter2 stands for the admin password; add --verbose for more logs). NOTE: accept the default NetBIOS name and answer yes when asked whether to install the ipa-sidgen task for users.
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended
  8. Make the new LDAP machine primary, running the following commands:
    1. Find the DNS zone name:
      ipa dnszone-find
    2. Make the LDAP machine primary (SERVER is the new LDAP machine's complete domain, e.g. ldap-test-rocky.eumetsat.sandbox.ewc, while DNS_ZONE is the zone name from the previous command):
      ipa dnszone-mod DNS_ZONE --name-server=SERVER

...

  1. From Morpheus, deploy a new machine with
    1. image: rocky 9
    2. security group: ldap security group
    3. plan: eo1.medium
    4. name: different from existing ldap machine
  2. SSH to the new machine and become root
  3. Stop and disable firewalld on the machine (the ldap security group is then the only packet filter in front of this VM):
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP's IP and domain on one line to /etc/hosts on this machine (OLD_LDAP_IP is the private IP of your current LDAP and OLD_LDAP_DOMAIN is its domain, e.g. ldap.eumetsat.sandbox.ewc).
  5. Check the result; it should look like this (example: 10.0.0.133 and test-podman2.eumetsat.sandbox.ewc are the new machine's own private IP and domain, and the OLD_LDAP_IP OLD_LDAP_DOMAIN line would read e.g. 10.0.0.63 ldap.eumetsat.sandbox.ewc):
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    OLD_LDAP_IP OLD_LDAP_DOMAIN
    <!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies (for Rocky 9):
    sudo dnf install ipa-server ipa-server-dns -y
  7. Run the following command to install the LDAP replica (hunter2 stands for the admin password; add --verbose for more logs):
    ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended
  8. Make the new LDAP machine primary, running the following commands:
    1. Find the DNS zone name:
      ipa dnszone-find
    2. Make the LDAP machine primary (SERVER is the new LDAP machine's complete domain, e.g. ldap-test-rocky.eumetsat.sandbox.ewc, while DNS_ZONE is the zone name from the previous command):
      ipa dnszone-mod DNS_ZONE --name-server=SERVER
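The /etc/hosts step in both the Rocky 8 and the Rocky 9 procedure is easy to get wrong by hand (typo in the IP, a second entry for the same name, or a line placed where Ansible later overwrites it). The helper below is an added example, not part of the EWC runbook; the function name pin_old_ldap is invented here, the hosts file path is a parameter so it can be tried on a scratch copy first, and the values in the usage comment are the page's own example IP and domain.

```shell
#!/bin/sh
# Added helper (not from the EWC runbook): map OLD_LDAP_DOMAIN to OLD_LDAP_IP in a
# hosts file exactly once, refusing malformed input or a conflicting existing entry.
pin_old_ldap() {
    hosts_file=$1
    ip=$2
    domain=$3
    # IPv4 dotted quad, each octet 0-255
    printf '%s\n' "$ip" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$' \
        || { echo "pin_old_ldap: not an IPv4 address: $ip" >&2; return 1; }
    # Fully qualified name: at least two labels made of letters, digits and hyphens
    printf '%s\n' "$domain" | grep -Eqi '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
        || { echo "pin_old_ldap: not a valid domain: $domain" >&2; return 1; }
    # Escape dots so grep -E matches them literally instead of as "any character"
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # Already mapped to this IP: nothing to do, so re-running the step is harmless
    if grep -Eq "^[[:space:]]*$ip_re([[:space:]]+[^[:space:]]+)*[[:space:]]+$dom_re([[:space:]]|$)" "$hosts_file"; then
        return 0
    fi
    # Mapped to some other IP: refuse, because ipa-replica-install would then join the wrong server
    if grep -Eq "(^|[[:space:]])$dom_re([[:space:]]|$)" "$hosts_file"; then
        echo "pin_old_ldap: $domain already resolves to a different IP in $hosts_file" >&2
        return 2
    fi
    # Append at the end of the file, i.e. outside the "ANSIBLE MANAGED BLOCK" markers,
    # so a later Ansible run that rewrites the managed block does not drop the line.
    printf '%s %s\n' "$ip" "$domain" >> "$hosts_file"
}

# Usage on the new replica (as root), with the page's example values:
#   pin_old_ldap /etc/hosts 10.0.0.63 ldap.eumetsat.sandbox.ewc
```

After running it, cat /etc/hosts should show the old LDAP line once; a non-zero exit means the file was left untouched and the message on stderr says why.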

...