
Procedure for existing LDAPs

Prerequisite: back up the existing LDAP server.

LDAP reverse zone repair

  1. check whether a reverse zone exists, and add the DNS reverse zone to the deployment
  2. populate it for all existing machines in the tenancy (needs a script that dumps the forward zone)
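The forward-zone dump script step 2 calls for, as an added example that is not part of the original page: it parses the human-readable output of ipa dnsrecord-find (the "Record name:" / "A record:" line layout is assumed), derives the reverse zone name the same way ipa dnszone-add --name-from-ip does, and prints one ipa dnsrecord-add --ptr-rec command per address in the tenancy range. The sample dump is constructed.

```python
"""Populate a FreeIPA reverse zone from a dump of the forward zone (ipa dnsrecord-find output)."""
import ipaddress
import sys

# Constructed sample of `ipa dnsrecord-find eumetsat.sandbox.ewc.` output (line format assumed).
SAMPLE_DUMP = """\
  Record name: ldap
  A record: 192.0.2.10
  Record name: worker-1
  A record: 192.0.2.21, 192.0.2.22
  Record name: alias
  CNAME record: worker-1.eumetsat.sandbox.ewc.
  Record name: offsite
  A record: 198.51.100.7
Number of entries returned 4
"""

def parse_a_records(dump):
    """Return (record name, IPv4 address) pairs; multi-valued A records are split, other types skipped."""
    records, name = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("Record name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("A record:") and name is not None:
            records.extend((name, ip.strip()) for ip in line.split(":", 1)[1].split(","))
    return records

def reverse_zone(network):
    """Zone name that `ipa dnszone-add --name-from-ip=<network>` creates (octet-aligned prefixes only)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_commands(dump, forward_zone, network):
    """One `ipa dnsrecord-add` per A record inside `network`; forward_zone must end with a dot."""
    net, zone, cmds = ipaddress.ip_network(network, strict=False), reverse_zone(network), []
    for name, ip in parse_a_records(dump):
        if ipaddress.ip_address(ip) not in net:
            continue  # outside the tenancy's range, so it gets no PTR in this zone
        fqdn = forward_zone if name == "@" else f"{name}.{forward_zone}"
        host_part = ".".join(reversed(ip.split(".")[net.prefixlen // 8:]))  # e.g. "10" for a /24
        cmds.append(f"ipa dnsrecord-add {zone} {host_part} --ptr-rec={fqdn}")
    return cmds

if __name__ == "__main__":  # pipe real `ipa dnsrecord-find` output in; with no pipe the sample is used
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(ptr_commands(dump, "eumetsat.sandbox.ewc.", "192.0.2.0/24")))
```

Review the printed commands before piping them to sh on the LDAP machine; addresses outside the given network are deliberately left out.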


Creating a new LDAP to migrate to

  1. deploy a new machine with Rocky 9
    1. Security groups should be .. ???
    2. On the old LDAP, security groups should be ???? (should include at least the LDAPS port, 636)
  2. stop and disable firewalld on the new machine
  3. add the old LDAP's IP to /etc/hosts on the new machine
  4. run: ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server ldap.eumetsat.sandbox.ewc --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns

    add --verbose for more logs


  5. run sudo ipactl stop on the old LDAP machine (check whether this step can be removed on another test run)

  6. run ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force to delete the old server's replica entry
  7. create an A record so the existing ldap name points to the new LDAP: ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP>

  8. modify the DNS primary in the Network (cannot be done by a user unless we give them permission to modify networks)


Missing part

/etc/resolv.conf needs to be updated manually??


Next steps:

  • reboot more VMs to see if they recover
  • understand why the resolv.conf didn't update
  • create a fresh VM to see if the ldap workflow works
  • destroy the new ldap and recover the old one, then try to repeat the migration without stopping IPA on the old LDAP when deleting it


Procedure for new LDAPs

Update the CentOS 7 LDAP blueprint to Rocky 9


LDAP machine

  • include the reverse zone flag (nope, we already have this and it seems not to work for private IP ranges, so we have to do it manually) → create the reverse zone manually in the workflow, probably by just adding ipa dnszone-add --name-from-ip=192.0.2.0/24 to the Ansible
  • modify the LDAP security group to include the LDAPS port, 636


enrolling workflow

  1. we modify the enroll script to include --subids, and we add an extra line at the end of the default workflow for machines to run sudo rpm --restore shadow-utils

Write a script that verifies whether a machine is gone (how? no ping for a long time?) and destroys the LDAP entries relating to it. Put it in the crontab on all LDAPs.
