Procedure for existing LDAPs

Prerequisite: back up the existing LDAP server (run ipa-backup on it and copy the archive off the machine) before touching anything below.

LDAP reverse zone repair

  1. check whether a reverse zone exists (ipa dnszone-find) and, if not, add the reverse zone to the deployment (ipa dnszone-add --name-from-ip=<tenancy subnet> derives the in-addr.arpa name from the subnet)
  2. populate it with PTR records for all existing machines in the tenancy (needs a script that dumps the A records of the forward zone; IPA only creates reverse records by itself when --a-create-reverse is passed at dnsrecord-add time, so existing machines have none)
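As an added example (not part of the original runbook and not FreeIPA's own tooling), the "dump the forward zone" script for step 2: it parses `ipa dnsrecord-find` output for A records, derives the matching reverse zone and PTR label for each, and emits the `dnszone-add` / `dnsrecord-add --ptr-rec` calls. Assumptions, all labelled in the code: the forward zone is eumetsat.sandbox.ewc. from this page, reverse zones are one per /24 (PREFIXLEN), only IPv4 is handled, and an admin Kerberos ticket is present when run with --apply. The embedded dnsrecord-find output is constructed for the dry run; without --apply the script only prints what it would execute.

```python
#!/usr/bin/env python3
"""Populate the IPA reverse zone from the forward zone's A records.

Added example for this runbook (not FreeIPA's own tooling). Assumptions:
  - run on an IPA server after kinit as an admin able to manage DNS,
  - forward zone is eumetsat.sandbox.ewc. (as in the runbook),
  - reverse zones are one per /24 (PREFIXLEN); use 16 or 8 for larger ones,
  - only IPv4 A records are handled; all other record types are ignored.
"""
import ipaddress
import subprocess
import sys

FORWARD_ZONE = "eumetsat.sandbox.ewc."
PREFIXLEN = 24  # assumption: 10.0.0.0/24 -> 0.0.10.in-addr.arpa.

# Constructed sample of `ipa dnsrecord-find eumetsat.sandbox.ewc.` output,
# used for the dry run; real output is read from the ipa CLI with --apply.
SAMPLE_FIND_OUTPUT = """\
----------------
3 DNS records matched
----------------
  Record name: @
  NS record: ldap.eumetsat.sandbox.ewc.

  Record name: ldap
  A record: 10.0.0.5

  Record name: web
  A record: 10.0.0.6, 10.0.1.7
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_a_records(text):
    """Turn dnsrecord-find output into [(record name, ipv4), ...]."""
    records, name = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Record name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("A record:") and name is not None:
            for ip in line.split(":", 1)[1].split(","):
                ip = ip.strip()
                if ip:
                    records.append((name, ip))
    return records


def ptr_for(name, ip, forward_zone=FORWARD_ZONE, prefixlen=PREFIXLEN):
    """Map one A record to (reverse zone, PTR label, PTR target FQDN)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefixlen // 8  # leading octets that form the reverse zone name
    rev_zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    label = ".".join(reversed(octets[n:]))
    target = forward_zone if name == "@" else f"{name}.{forward_zone}"
    return rev_zone, label, target


def plan_commands(find_output, prefixlen=PREFIXLEN):
    """Return the ipa commands (argv lists) that repair the reverse zones."""
    cmds, zones_seen = [], set()
    for name, ip in parse_a_records(find_output):
        rev_zone, label, target = ptr_for(name, ip, prefixlen=prefixlen)
        if rev_zone not in zones_seen:
            zones_seen.add(rev_zone)
            # fails harmlessly with "already exists" if the zone is there
            cmds.append(["ipa", "dnszone-add", rev_zone])
        cmds.append(["ipa", "dnsrecord-add", rev_zone, label, "--ptr-rec", target])
    return cmds


def main(argv):
    apply = "--apply" in argv
    if apply:
        find_output = subprocess.check_output(
            ["ipa", "dnsrecord-find", FORWARD_ZONE, "--sizelimit=0"], text=True)
    else:
        find_output = SAMPLE_FIND_OUTPUT
    for cmd in plan_commands(find_output):
        print("+", " ".join(cmd))
        if apply:
            # "already exists" on re-runs is expected: report it, keep going.
            subprocess.call(cmd)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it once without arguments to review the planned commands, then with --apply on the IPA server. Re-running is safe: zones and PTR records that already exist make the individual ipa calls fail without being changed.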


Creating a new LDAP to migrate to

  1. deploy a new machine with Rocky 9
    1. Security groups for the new machine should be .. ??? (an IPA server is reached on TCP 80, 443, 389, 636, 88, 464, 53 and UDP 88, 464, 53, 123; keep everything else closed)
    2. On the old LDAP, security groups should be ???? (must at least let the new machine in on LDAP/LDAPS 389/636, Kerberos 88/464 and HTTP/HTTPS 80/443, which the replica install needs; 636 alone is not enough)
  2. stop and disable firewalld on the machine (less drastic alternative: keep it and open only the IPA services with firewall-cmd --permanent --add-service=freeipa-4 --add-service=dns && firewall-cmd --reload)
  3. add the old LDAP IP to /etc/hosts on this machine, so ldap.eumetsat.sandbox.ewc resolves before the new server serves DNS itself (--no-host-dns below tells the installer not to rely on DNS for hostname lookups)
  4. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password <ADMIN_PASSWORD> --server ldap.eumetsat.sandbox.ewc --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns

    leave out --admin-password to be prompted for it instead, so the real password does not end up in the shell history

    add --verbose for more logs


  5. sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run). Before stopping it, confirm on the new server that it is fully up and replicating (ipactl status, ipa-replica-manage list) and, if the old server is the CA renewal master, move that role first with ipa config-mod --ca-renewal-master-server <NEW_LDAP_FQDN>; otherwise certificate renewal stops once the old server is deleted.

  6. ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force   (delete the old replica from the topology; --force is needed because the old server is already stopped and cannot be contacted; on domain level 1, ipa server-del ldap.eumetsat.sandbox.ewc --force does the same)
  7. DON'T DO IT, see the comment under Next steps for why → create an A record for the existing ldap name pointing at the new LDAP: ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP>

  8. change the primary DNS server of the Network to the new LDAP IP (a tenant user cannot do this unless we grant permission to modify networks)
  9. change secret/ldap_hostname to point to the new IPA host


Missing part

Does /etc/resolv.conf on existing machines need to be updated by hand, or do they pick up the new DNS server from the network change in step 8?? (On Rocky 9 the file is written by NetworkManager, so a manual edit gets overwritten; the DNS servers of the connection profile are what need changing.)


Next steps:



Procedure for new LDAPs

Update the CentOS 7 LDAP blueprint to Rocky 9


LDAP machine


enrolling workflow

  1. we modify the enroll script to pass --subid to ipa-client-install (the option is spelled --subid, singular) and we add an extra line at the end of the default workflow for machines to run sudo rpm --restore shadow-utils

Write a script that checks whether a machine is gone (how? no answer on the network? for how long?) and deletes the LDAP entries relating to it (ipa host-del --updatedns <fqdn> removes the host entry together with its A/PTR records). Put it in the crontab on all LDAPs, with a dry-run mode and a grace period, so a rebooted or temporarily firewalled machine is not deleted, and stagger the runs so two servers do not race to delete the same host.
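One answer to the "how?" above, as an added example (not part of the original runbook and not FreeIPA's own tooling): a cron script that treats a host as gone only after its ssh port has been unreachable on every run for a grace period, remembers the first failure in a state file, never touches the IPA servers themselves, and deletes with `ipa host-del --updatedns`. Assumptions, labelled in the code: it runs as root on an IPA server with a Kerberos ticket for a principal allowed to delete hosts, enrolled machines run sshd on TCP/22, GRACE_SECONDS (two weeks) and STATE_FILE are placeholders to adjust, and the "Host name:" / "Server name:" labels are those printed by `ipa host-find --pkey-only` and `ipa server-find --pkey-only`. Without --apply it only reports what it would delete.

```python
#!/usr/bin/env python3
"""Cron job: drop IPA host entries for machines that stay unreachable.

Added example for this runbook (not FreeIPA's own tooling). Assumptions:
  - runs from root's crontab on an IPA server with a Kerberos ticket for a
    principal allowed to delete hosts (e.g. kinit -k with a keytab),
  - a machine counts as gone when TCP/22 on its FQDN has failed on every run
    for GRACE_SECONDS; the first failure time is kept in STATE_FILE, so one
    outage or reboot never deletes anything,
  - IPA servers (ipa server-find) are never deleted, whatever the probe says.
Deletion uses `ipa host-del --updatedns`, which also removes the A/PTR records.
"""
import json
import os
import socket
import subprocess
import sys
import time

GRACE_SECONDS = 14 * 24 * 3600                  # assumption: two weeks
STATE_FILE = "/var/lib/ipa-stale-hosts.json"    # assumption: root-writable


def parse_names(text, label):
    """Collect '<label>: value' lines from `ipa ... --pkey-only` output."""
    prefix = label + ":"
    return [l.strip().split(":", 1)[1].strip()
            for l in text.splitlines() if l.strip().startswith(prefix)]


def reachable(fqdn, port=22, timeout=3.0):
    """TCP probe; a resolution failure, refusal or timeout all count as down."""
    try:
        with socket.create_connection((fqdn, port), timeout=timeout):
            return True
    except OSError:
        return False


def update_state(state, hosts, is_up, now):
    """state maps fqdn -> epoch of the first consecutive failure.
    Hosts that are up, or no longer enrolled, are forgotten; the rest keep
    their original first-failure time."""
    return {h: state.get(h, now) for h in hosts if not is_up[h]}


def select_stale(state, now, protected, grace=GRACE_SECONDS):
    """Hosts unreachable for at least `grace`, excluding protected ones."""
    return sorted(h for h, first in state.items()
                  if h not in protected and now - first >= grace)


def main(argv):
    apply = "--apply" in argv
    hosts = parse_names(subprocess.check_output(
        ["ipa", "host-find", "--pkey-only", "--sizelimit=0"], text=True), "Host name")
    servers = set(parse_names(subprocess.check_output(
        ["ipa", "server-find", "--pkey-only"], text=True), "Server name"))
    state = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as f:
            state = json.load(f)
    now = int(time.time())
    state = update_state(state, hosts, {h: reachable(h) for h in hosts}, now)
    for fqdn in select_stale(state, now, servers):
        print(("deleting " if apply else "would delete ") + fqdn)
        if apply and subprocess.call(["ipa", "host-del", "--updatedns", fqdn]) == 0:
            state.pop(fqdn, None)
    with open(STATE_FILE, "w") as f:
        json.dump(state, f)


if __name__ == "__main__":
    main(sys.argv[1:])
```

The probe is deliberately conservative: a machine that is merely firewalled off from the IPA server looks the same as one that is gone, so keep the grace period long, run without --apply for a while and read the "would delete" lines before enabling deletion.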