In order to perform this migration, you need to request Openstack Application Credentials EWC - How to request Openstack Application Credentials


User procedure

  1. Backup existing ldap VM using the following documentation: EWC - How to create and restore backups from VMs
  2. add port 636 TCP.749 TCP,464 UDP to ldap security group
    ADD OPENSTACK COMMAND
  3. Run workflow to create dns reverse zone into LDAP machine to create the reverse hosted zone (if missing)
    ipa dnszone-add --name-from-ip=10.0.0.63 or using IP range (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones) 


  4. If your LDAP is rocky 8 based jump to step 9., if it is centos7 continue normally.
  5. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromCentos7toRocky8);
  6. run workflow to switch IP interfaces between LDAP (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  7. Check everything is fine (see Tests);
  8. Create LDAP replica instance type to move from centos7 to rocky 8 (see MigratefromRocky8toRocky9)
  9. run workflow to switch IP interfaces between LDAP (see RunworkflowtoswitchIPinterfacesbetweenLDAP);
  10. Check everything is fine (see Tests);
  11. Remove old LDAPs


Migrate from Centos7 to Rocky 8

Creating a new LDAP to migrate to

  1. deploy a new machine with
    1. rocky 8
    2. new ldap security group
    3. plan eo1.medium
  2. become sudo
  3. stop and disable firewalld on the machine systemctl stop firewalld && systemctl disable firewalld
  4. add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine
  5. [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
10.0.0.133 test-podman2.eumetsat.sandbox.ewc
10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
<!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies
    1. for rocky 8:

      1. sudo yum -y update

      2. sudo yum module reset idm:DL1

      3. sudo yum module enable idm:DL1

      4. sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y

  7. Run the following command to install the LDAP replica
  8. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns

    (add --verbose for more logs) NOTE: go ahead with the default netbios and also put yes when asked about the ipa-sidgen task installation for users

    --no-host-dns         Do not use DNS for hostname lookup during installation


Migrate from Rocky 8 to Rocky 9

Creating a new LDAP to migrate to

  1. deploy a new machine with
    1. rocky 9
    2. new ldap security group
    3. plan eo1.medium
  2. become sudo
  3. stop and disable firewalld on the machine systemctl stop firewalld && systemctl disable firewalld
  4. add old ldap IP and domain of the machine acting as LDAP in one line to /etc/hosts on this machine
  5. [test234@test-podman2 ~]$ cat /etc/hosts
<!-- BEGIN ANSIBLE MANAGED BLOCK -->
10.0.0.133 test-podman2.eumetsat.sandbox.ewc
10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
<!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies
    1. for rocky 9: Install ipa-replica-install command (dnf install ipa-server ipa-server-dns -y) (second is required because it is required for the option in the ipa-replica-install)
  7. Run the following command to install the LDAP replica
  8. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns

    add --verbose for more logs

  9. ipa dnszone-mod <DNS ZONE you find with ipa dnszone-find> --name-server=<NEWLDAP complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)>

  1. on the new ldap machine specify which ldap to be master (using command: ipa-csreplica-manage set-renewal-master)

  2. DON'T DO IT, see next steps comment on why → create an A record for existing ldap domain to point to the new LDAP ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP> 

  3. Modify the DNS primary in Network (cannot be done by a user, unless we give permissions to modify networks) and wait some time (1 week? ) or do manual action on each machine to make the changes: (lease time ~5.20 hours)
    1. for Ubuntu a restart of the machine or the newotk systemctl restart networking or maybe after while you will get it (TBT)
    2. for Rocky 9 network manager has priority on resolve.conf
    3. for Rocky 8 happening in sandbox but not in mcat, one option either remove /etc/resolve.conf and dhclient or ??
  4. Change the secret/ldap_hostname to point to the new ipa host

  5. sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run)

  6. ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force delete the replica ldap


Run workflow to switch IP interfaces between LDAP

  1. Detach the interface from the old LDAP
  2. update the ip in the /etc/hosts and remove the old LDAP record
  3. Delete old LDAP DNS records 
    ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force
  4. Replace the new ldap IP with the IP of the interface of the old LDAP 
    ipa dnsrecord-mod <hostedzone> ipa-ca --a-rec <OLD_LDAP_IP>
ipa dnsrecord-mod <DNS_ZONE> <NEW LDAP HOSTNAME>--a-rec <OLD_LDAP_IP>
  5. Switch off the new LDAP
  6. Remove interface
  7. Add interface with the IP of the old LDAP
  8. Add security groups to new LDAP
  9. Restart new LDAP machine
  10. Change the value in Cypher: Change the secret/ldap_hostname to point to the new ipa host


Tests

  1. login with DNS from ssh-proxy
  2. Run sudo ipactl status → verify the services are all up and running
  3. Deploy a new machine and enroll


Post Installation

We've found a problem after the IPA Migration:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


There is a FreeIPA doc site related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html
I've fixed this using ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
I've found the range we used with ipa idrange-find and set the lower boundary to exclude every existing account (as of ipa user-find | grep 'UID')

I'm not sure, why it didn't do that automatically (as I understand the documentation, that is what should have happened), but that might be because of the age of the old server or because the old server blocked every valid range...
To check the range that is used: ipa-replica-manage dnarange-show which could be used during migration.

There is a second command pair (dnanextrange-set & dnanextrange-show), where I'm not sure what it does, I didn't set it, and it still worked. Just to let you know, might be good to set during migration anyway.