Pre-requisites:
- Be tenant admin in your tenancy
- Have OpenStack Application Credentials; you can request them as described in EWC - How to request Openstack Application Credentials.
- Have a VM with the OpenStack client installed, as explained in EWC - OpenStack Command-Line client (don't install it on the LDAP machine!)
User procedure
- SSH into the OLD LDAP machine (your current one) and create the DNS reverse zone (NAME_FROM_IP is the LDAP IP or an IP range; see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones)
ipa dnszone-add --name-from-ip=NAME_FROM_IP
- SSH to the VM with the OpenStack client and run the following commands (see EWC - OpenStack Command-Line client for more details):
- List the ldap security group rules
openstack security group rule list ldap
- Add port 636 TCP, 749 TCP and 464 UDP to the ldap security group if they are missing
openstack security group rule create ldap --protocol tcp --ingress --dst-port 636 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol tcp --ingress --dst-port 749 --remote-ip 0.0.0.0/0 --ethertype IPv4
openstack security group rule create ldap --protocol udp --ingress --dst-port 464 --remote-ip 0.0.0.0/0 --ethertype IPv4
- Backup existing LDAP machine using the following documentation: EWC - How to create and restore backups from VMs
- If your LDAP is Rocky 8 based, jump to step 7; if it is CentOS 7 based, continue the procedure normally.
- Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
- Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
- Check everything is fine (see Tests);
- Create LDAP replica instance type to move from rocky 8 to rocky 9 (see MigratefromRocky8toRocky9)
- Switch IP interfaces between LDAPs (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
- Check everything is fine (see Tests);
- Remove the old LDAP machines to free resources (from Morpheus)
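The security group step above says to add the three rules "if they are missing"; the shell function below (an added example, not a script from the EWC page) parses the `openstack security group rule list` output and creates only the rules that are absent, so the step can be re-run safely. It assumes the OpenStack client is already configured with the application credentials from the pre-requisites; REMOTE_CIDR defaults to the page's 0.0.0.0/0 and can be narrowed to the tenancy's network.

```shell
#!/usr/bin/env bash
# Added example: idempotent version of the "add missing ldap rules" step.
set -e

SG="${SG:-ldap}"
# The page opens the rules to 0.0.0.0/0; narrowing REMOTE_CIDR to the
# tenancy's network limits who can reach LDAPS (636), kadmin (749) and kpasswd (464).
REMOTE_CIDR="${REMOTE_CIDR:-0.0.0.0/0}"
WANTED="tcp:636 tcp:749 udp:464"

# missing_rules LISTING: LISTING holds one "<proto> <min>:<max>" line per rule,
# as printed by current_rules; prints the wanted proto:port pairs not present.
missing_rules() {
  listing="$1"
  for rule in $WANTED; do
    proto="${rule%%:*}"; port="${rule##*:}"
    if ! printf '%s\n' "$listing" | grep -qi "^${proto} ${port}:${port}\$"; then
      echo "$rule"
    fi
  done
}

# current_rules: ingress rules of the group as "<proto> <min>:<max>" lines
current_rules() {
  openstack security group rule list "$SG" --ingress -f value \
    -c "IP Protocol" -c "Port Range"
}

# ensure_rules: create exactly the rules reported missing, with the page's flags
ensure_rules() {
  for rule in $(missing_rules "$(current_rules)"); do
    proto="${rule%%:*}"; port="${rule##*:}"
    openstack security group rule create "$SG" --protocol "$proto" --ingress \
      --dst-port "$port" --remote-ip "$REMOTE_CIDR" --ethertype IPv4
  done
}

# Run as `./ensure-ldap-rules.sh apply` to change the group; otherwise only
# the functions are defined, which keeps a dry `source` harmless.
if [ "${1:-}" = "apply" ]; then ensure_rules; fi
```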
Migrate from Centos7 to Rocky 8
Creating a new rocky 8 LDAP replica
- Login to Morpheus
- Go to Provisioning → Instances and click '+ADD'
- Select the LDAP replica Instance type
- Select a new name for the VM (e.g. ldap-rocky8) and click 'Next'
- Use the following inputs for the VM and then click 'Next' until the deployment starts:
- version: 8
- plan: eo1.medium
- networks: private
- security group: ldap
Migrate from Rocky 8 to Rocky 9
Creating a new rocky 9 LDAP replica
- Login to Morpheus
- Go to Provisioning → Instances and click '+ADD'
- Select the LDAP replica Instance type
- Select a new name for the VM (e.g. ldap-rocky9) and click 'Next'
- Use the following inputs for the VM and then click 'Next' until the deployment starts:
- version: 9
- plan: eo1.medium
- networks: private
- security group: ldap
Switch IP interfaces between LDAP
- SSH into the NEW LDAP machine (LDAP replica)
- In /etc/hosts, replace the IP of the NEW LDAP machine (IP_ADDRESS) with the IP of the OLD LDAP machine and remove the line for the OLD LDAP machine (the IP is the one you saved earlier in your notes!). You will end up with:
[murdaca@ipa ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
IP_ADDRESS ipa.batchpro.ewc
<!-- END ANSIBLE MANAGED BLOCK -->
- Delete the OLD LDAP machine's DNS records (SERVER is the complete domain name of the old LDAP machine, e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
ipa-replica-manage del SERVER --force
- Find the DNS zone name; you have two alternatives:
- Log in to Morpheus → Tools → Cypher and check the secret secret/ldap_domain
- Use the ipa command:
ipa dnszone-find
- Replace the NEW LDAP machine's IP with the IP of the OLD LDAP machine's interface (HOSTED_ZONE is the zone name from the previous step, IP_ADDRESS is the one you saved earlier in your notes, HOSTNAME is the complete domain name of the new LDAP machine, e.g. ldap-test-rocky.eumetsat.sandbox.ewc)
ipa dnsrecord-mod HOSTED_ZONE ipa-ca --a-rec IP_ADDRESS
ipa dnsrecord-mod HOSTED_ZONE HOSTNAME --a-rec IP_ADDRESS
- SSH to the VM with Openstack client installed and run the following commands:
- Show information about the OLD LDAP machine (SERVER_NAME usually is ldap in the tenancies by default):
openstack server show SERVER_NAME
- Detach the interface from the OLD LDAP machine (SERVER_NAME is the name of the OLD LDAP VM from the previous command; IP_ADDRESS is the private IP of the OLD LDAP VM listed by the previous command. SAVE IT in your notes!)
openstack server remove fixed ip SERVER_NAME IP_ADDRESS
- Switch off the NEW LDAP machine (SERVER_NAME is the name of the VM; you can find it with openstack server list)
openstack server stop SERVER_NAME
- Detach the interface from the NEW LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the private IP of the NEW LDAP VM)
openstack server remove fixed ip SERVER_NAME IP_ADDRESS
- Add an interface to the NEW LDAP machine with the IP of the OLD LDAP machine (SERVER_NAME is the name of the VM, IP_ADDRESS is the one you saved earlier in your notes!)
openstack server add fixed ip SERVER_NAME IP_ADDRESS
- Add LDAP security group to new LDAP machine (SERVER_NAME is the name of the NEW LDAP VM)
openstack server add security group SERVER_NAME ldap
- Restart NEW LDAP machine (SERVER_NAME is the name of the new LDAP VM)
openstack server restart SERVER_NAME
- Login to Morpheus and change the value of the hostname for LDAP, going to Tools → Cypher:
- Delete the secret/ldap_hostname
- Use the '+ADD' to create a new secret
- Add KEY: secret/ldap_hostname and VALUE: new LDAP hostname (e.g. ldap.eumetsat.sandbox.ewc)
Tests
- SSH to the ssh-proxy
- SSH, using the DNS name, to the new LDAP machine
- Run sudo ipactl status and verify that all services are up and running
- From Morpheus go to Provisioning → Instances and deploy a new machine to test that enrolment in LDAP/DNS is working correctly.
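The checks below (an added example for the IP switch and the Tests section, not a script from the EWC page) verify, on the NEW LDAP machine, the three things the procedure changed: the /etc/hosts entry, the A records for the host and ipa-ca in the hosted zone, and the ipactl service state. The parsing functions take command output as text so they can be exercised without a live IPA; the IP_ADDRESS, HOSTNAME and HOSTED_ZONE arguments are the same placeholders the procedure uses.

```shell
#!/usr/bin/env bash
# Added example: post-switch verification run on the NEW LDAP machine.
set -e

# hosts_has_entry HOSTS_TEXT IP HOSTNAME -> exit 0 if a non-comment line maps IP to HOSTNAME
hosts_has_entry() {
  printf '%s\n' "$1" | awk -v ip="$2" -v host="$3" '
    $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == host) found = 1 }
    END { exit found ? 0 : 1 }'
}

# ipactl_failures STATUS_TEXT -> prints every "<name> Service" whose state is not RUNNING
ipactl_failures() {
  printf '%s\n' "$1" | awk -F': ' '/ Service: / && $2 != "RUNNING" { print $1 }'
}

# a_record_ok ZONE NAME IP -> exit 0 if the IPA A record for NAME is exactly IP
# (reads the raw "arecord:" attribute from ipa dnsrecord-show)
a_record_ok() {
  rec=$(ipa dnsrecord-show "$1" "$2" --raw 2>/dev/null | awk '/arecord:/ { print $2 }')
  [ "$rec" = "$3" ]
}

# verify_switch IP_ADDRESS HOSTNAME HOSTED_ZONE
verify_switch() {
  ip="$1"; host="$2"; zone="$3"
  hosts_has_entry "$(cat /etc/hosts)" "$ip" "$host" || { echo "/etc/hosts lacks '$ip $host'"; return 1; }
  a_record_ok "$zone" "$host" "$ip" || { echo "A record for $host is not $ip"; return 1; }
  a_record_ok "$zone" ipa-ca "$ip" || { echo "A record for ipa-ca is not $ip"; return 1; }
  bad=$(ipactl_failures "$(sudo ipactl status)")
  [ -z "$bad" ] || { echo "services not RUNNING: $bad"; return 1; }
  echo "LDAP switch verified for $host ($ip)"
}
```

Run it as `verify_switch IP_ADDRESS HOSTNAME HOSTED_ZONE` after the restart; a non-zero exit names the first check that failed.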
Post-installation (optional, in case of similar errors)
After the IPA migration, especially from CentOS 7 to Rocky 9, there may still be some errors, like the one below:
ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.
There is a FreeIPA doc site related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html
The fix for that error is the following sequence of commands:
- Identify the min and max of the ID range
ipa idrange-find
- Set the lower boundary so that it excludes every existing account (as listed by
ipa user-find | grep 'UID'
)
- Assign the DNA range using the ${min}-${max} identified in the previous steps
ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
- Check the range that is used
ipa-replica-manage dnarange-show
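Working out ${min}-${max} by hand is where this recovery goes wrong, so the function below (an added example, not from the EWC page or the FreeIPA documentation) derives it from the outputs of `ipa idrange-find` and `ipa user-find`: max is the last ID of the local range and min is one above the highest UID already assigned, so the new DNA range cannot overlap an existing account. The output formats and the sample values in the test are constructed from the field names those commands print.

```shell
#!/usr/bin/env bash
# Added example: compute the dnarange-set argument from idrange-find / user-find output.
set -e

# dna_range IDRANGE_TEXT USERS_TEXT -> prints "min-max"
#   IDRANGE_TEXT: output of `ipa idrange-find` (the first range printed is used)
#   USERS_TEXT:   output of `ipa user-find` (only the "UID:" lines are read)
dna_range() {
  first=$(printf '%s\n' "$1" | awk -F': ' '/First Posix ID of the range/ { print $2; exit }')
  count=$(printf '%s\n' "$1" | awk -F': ' '/Number of IDs in the range/ { print $2; exit }')
  # highest UID currently in use (0 when no UID lines are present)
  highest=$(printf '%s\n' "$2" | awk -F': ' -v m=0 '/^ *UID:/ && $2 > m { m = $2 } END { print m + 0 }')
  [ -n "$first" ] && [ -n "$count" ] || { echo "could not parse idrange-find output" >&2; return 1; }
  max=$((first + count - 1))
  min=$((highest + 1))
  # never start below the range itself
  [ "$min" -gt "$first" ] || min=$first
  [ "$min" -le "$max" ] || { echo "existing UIDs already exhaust the range" >&2; return 1; }
  echo "${min}-${max}"
}

# apply_dna_range LDAP_SERVER: the page's three commands end to end
# (LDAP_SERVER is the page's $ldap_server, the replica to assign the range to)
apply_dna_range() {
  range=$(dna_range "$(ipa idrange-find)" "$(ipa user-find)")
  ipa-replica-manage dnarange-set "$1" "$range"
  ipa-replica-manage dnarange-show
}
```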