Procedure for existing LDAPs
Pre-requisite: back up the existing LDAP server.

Pre-requisites for the ansible script:
- every Cypher of every tenancy has the following info to access Vault:
  - secret/vault_approleid
  - secret/vault_secretid
- every tenancy needs to have app credentials to perform the same actions as the current user

Ansible script:
- read the openstack credentials
- add port 636 to the ldap security group
New instance type replica
Creating a new LDAP to migrate to
- deploy a new machine with:
  - Rocky 9
  - ldap security group
  - plan??
- stop and disable firewalld on the machine: systemctl stop firewalld && systemctl disable firewalld
- create a local user with sudo rights
- become sudo
- add the old LDAP IP and the domain of the machine acting as LDAP, one entry per line, to /etc/hosts on this machine:
  [test234@test-podman2 ~]$ cat /etc/hosts
  <!-- BEGIN ANSIBLE MANAGED BLOCK -->
  10.0.0.133 test-podman2.eumetsat.sandbox.ewc
  10.0.0.63 ldap.eumetsat.sandbox.ewc
  <!-- END ANSIBLE MANAGED BLOCK -->
- install the ipa-replica-install command: dnf install ipa-server -y
- install ipa-server-dns, because it is required for the --setup-dns option of ipa-replica-install: dnf install ipa-server-dns -y
- run the following command to install the LDAP replica (add --verbose for more logs):
  ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server ldap.eumetsat.sandbox.ewc --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns
- on the new LDAP machine, specify which LDAP is to be the CA renewal master: ipa-csreplica-manage set-renewal-master
- DON'T DO IT, see the Next steps comment on why → create an A record for the existing LDAP domain pointing to the new LDAP: ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP>
- modify the DNS primary in the Network (cannot be done by a user unless we give permissions to modify networks) and wait some time (1 week?), or do a manual action on each machine to apply the change (DHCP lease time ~5.20 hours):
  - for Ubuntu: a restart of the machine or of the network (systemctl restart networking), or maybe after a while you will get it (TBT)
  - for Rocky 9: NetworkManager has priority over resolv.conf
  - for Rocky 8 (happening in sandbox but not in mcat): one option is to remove /etc/resolv.conf and run dhclient, or ??
- change the secret/ldap_hostname to point to the new IPA host
- sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run)
- ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force → deletes the old replica from the topology
Automation to be run from any machine beside LDAP
Alternative path from step 10 onwards:
11. detach the interface from the old LDAP
11.2 update the IP in /etc/hosts and remove the old LDAP record
12. ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force → deletes the old replica from the topology
13. replace the new LDAP IP with the IP of the interface of the old LDAP →
    ipa dnsrecord-mod eumetsat.sandbox.ewc. ipa-ca --a-rec OLD_LDAP_IP
    ipa dnsrecord-mod eumetsat.sandbox.ewc. NEW_ldap_hostname --a-rec OLD_LDAP_IP
14. switch off the new LDAP
15. remove the interface
16. add an interface with the IP of the old LDAP
17. restart the new LDAP machine
18. add the security groups to the new LDAP
Missing part
/etc/resolv.conf needs to be manually updated??
Next steps:
- reboot more VMs to see if they recover → not changing
- understand why resolv.conf didn't update → for Rocky it changes only on newly deployed machines via cloud-init, not on rebooted machines; Ubuntu has an internal DNS server
  - for Ubuntu: a restart of the machine or of the network (systemctl restart networking), or maybe after a while you will get it (TBT)
  - for Rocky: remove /etc/resolv.conf and run dhclient
- create a fresh VM to see if the LDAP workflow works → tested, and we had to remove the ldap A record and therefore change the secret/ldap_hostname in order for it to work
- destroy the new LDAP and recover the old one, then try to repeat the migration without stopping IPA on the old LDAP when deleting it → we have to specify which LDAP is to be the master (using the command ipa-csreplica-manage set-renewal-master)
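A client-side check for the resolv.conf problem raised in the DNS primary step and again in the next steps above, as an added example that is not part of the original runbook: it classifies who owns /etc/resolv.conf (the systemd-resolved stub on Ubuntu, NetworkManager on Rocky, or a static file written by cloud-init whose 99-cloud-init.conf drop-in tells NetworkManager dns=none, so the new DHCP-provided DNS never lands) and reports whether the new DNS server is present. EXPECTED_DNS (192.0.2.10) is a placeholder for the new IPA server's IP.

```shell
#!/bin/sh
# Added example (not from the original runbook): run on a client after the network's
# primary DNS was changed, to see why it still uses the old LDAP/DNS server.
# Assumptions: EXPECTED_DNS is a placeholder for the new IPA server's IP; the file
# paths are the stock locations on Ubuntu and Rocky cloud images.
set -eu

EXPECTED_DNS="${EXPECTED_DNS:-192.0.2.10}"
LDAP_FQDN="${LDAP_FQDN:-ldap.eumetsat.sandbox.ewc}"

# Print the nameserver entries of a resolv.conf-style file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" {print $2}' "$1"
}

# Classify who owns resolv.conf ($1) given the NetworkManager drop-in written by
# cloud-init ($2, may be absent):
#   resolved       - Ubuntu: systemd-resolved stub 127.0.0.53; upstreams live elsewhere
#   cloud-init     - Rocky: drop-in says dns=none, so NetworkManager never rewrites the
#                    file and a new DHCP-provided DNS server is ignored until redeploy
#   networkmanager - NetworkManager rewrites the file from the DHCP lease
resolv_manager() {
    if resolv_nameservers "$1" | grep -qxF 127.0.0.53; then
        echo resolved
    elif [ -f "$2" ] && grep -Eq '^[[:space:]]*dns[[:space:]]*=[[:space:]]*none' "$2"; then
        echo cloud-init
    else
        echo networkmanager
    fi
}

# Succeeds when the expected DNS server ($2) is listed in the resolv.conf at $1.
uses_expected_dns() {
    resolv_nameservers "$1" | grep -qxF "$2"
}

main() {
    resolv=/etc/resolv.conf
    nmconf=/etc/NetworkManager/conf.d/99-cloud-init.conf
    mgr=$(resolv_manager "$resolv" "$nmconf")
    echo "resolv.conf is managed by: $mgr"
    case $mgr in
        resolved)   resolvectl dns ;;   # Ubuntu keeps the real upstream servers here
        cloud-init) echo "remove $nmconf and restart NetworkManager to take DNS from DHCP" ;;
    esac
    if uses_expected_dns "$resolv" "$EXPECTED_DNS"; then echo "OK: $EXPECTED_DNS is in $resolv"
    else echo "WARN: $EXPECTED_DNS is not in $resolv"; fi
    echo "$LDAP_FQDN resolves to: $(getent hosts "$LDAP_FQDN" | awk '{print $1}')"
}

if [ "${RUN_DIAG:-0}" = 1 ]; then main; fi
```

Run it with RUN_DIAG=1 on a rebooted Rocky or Ubuntu VM; a "cloud-init" verdict explains why only freshly deployed machines pick up the new DNS server.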
Procedure for new LDAPs
Update the CentOS 7 LDAP blueprint to Rocky 9
LDAP machine
- check if the reverse zone exists and add the DNS reverse zone to the deployment
- populate it for all existing machines in the tenancy (needs a script dumping the forward zone)
- include the reverse zone flag (nope, we have this and it seems not to work for private IP ranges, we have to do it manually) → create the reverse zone manually in the workflow, probably just add
  ipa dnszone-add --name-from-ip=192.0.2.0/24
  to the ansible
- modify the ldap security group to include the ldaps port 636
Enrolling workflow
- we modify the enroll script to include --subids, and we add an extra line at the end of the default workflow for machines to run:
  sudo rpm --restore shadow-utils
- remove /etc/NetworkManager/conf.d/99-cloud-init.conf
- write a script that verifies whether a machine is gone (how? no ping? for a long time?) and destroys the LDAP entries relating to it; put this in the crontab on all LDAPs
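One way to implement the stale-host sweep described in the last item, as an added example that is not part of the original runbook: each cron run probes every enrolled host, keeps a per-host count of consecutive misses, and only after THRESHOLD misses removes the host entry together with its DNS records. STATE_DIR, THRESHOLD, DRY_RUN, the TCP/22 fallback probe and the keytab-based ticket are assumptions of this example; ipa host-find, ipa server-find and ipa host-del --updatedns are the FreeIPA CLI commands.

```shell
#!/bin/sh
# Added example (not from the original runbook): hourly cron job for the IPA servers.
# Each run probes every enrolled host, keeps a per-host count of consecutive misses in
# STATE_DIR, and removes the host entry plus its DNS records only once the count reaches
# THRESHOLD. Assumptions: STATE_DIR, THRESHOLD and DRY_RUN are our own knobs; the cron
# wrapper obtains an admin Kerberos ticket (e.g. kinit -kt with a dedicated keytab).
set -eu

STATE_DIR="${STATE_DIR:-/var/lib/ipa-stale-hosts}"
THRESHOLD="${THRESHOLD:-168}"   # hourly runs -> 168 misses = unreachable for a week
DRY_RUN="${DRY_RUN:-1}"         # set DRY_RUN=0 to really delete

# Probe one host. ICMP alone is a weak "gone" test because security groups may drop
# it, so also try TCP/22 before counting a miss.
is_reachable() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1 || nc -z -w 3 "$1" 22 >/dev/null 2>&1
}

# Record one probe result for a host ($2: 1 = reachable, 0 = not) and print the
# number of consecutive misses. A successful probe resets the counter.
record_probe() {
    f="$STATE_DIR/$1"
    mkdir -p "$STATE_DIR"
    if [ "$2" -eq 1 ]; then rm -f "$f"; echo 0; return 0; fi
    n=0; [ -f "$f" ] && n=$(cat "$f")
    n=$((n + 1)); echo "$n" > "$f"; echo "$n"
}

# Succeeds when the miss count has reached the threshold.
should_remove() { [ "$1" -ge "$THRESHOLD" ]; }

sweep() {
    # Never touch the IPA servers themselves, whatever the probe says.
    servers=$(ipa server-find --sizelimit=0 | awk -F': ' '/Server name:/ {print $2}')
    ipa host-find --sizelimit=0 | awk -F': ' '/Host name:/ {print $2}' | while read -r host; do
        echo "$servers" | grep -qxF "$host" && continue
        if is_reachable "$host"; then r=1; else r=0; fi
        n=$(record_probe "$host" "$r")
        if should_remove "$n"; then
            logger -t ipa-stale-hosts "removing $host after $n consecutive misses"
            if [ "$DRY_RUN" = 0 ]; then
                ipa host-del "$host" --updatedns && rm -f "$STATE_DIR/$host"
            fi
        fi
    done
}

# Run the sweep only when invoked from cron with RUN_SWEEP=1 (keeps the functions sourceable).
if [ "${RUN_SWEEP:-0}" = 1 ]; then sweep; fi
```

Keep DRY_RUN=1 for the first week on each LDAP and read the syslog lines before switching to real deletions, since a VM that is merely powered off for a long time looks identical to one that is gone.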