In order to perform this migration, you need to request OpenStack Application Credentials (see: EWC - How to request Openstack Application Credentials).

User procedure

  1. Add ports 636 TCP, 749 TCP and 464 UDP to the ldap security group
    ADD OPENSTACK COMMAND
  2. Create the DNS reverse zone on the LDAP machine (if missing):
    ipa dnszone-add --name-from-ip=10.0.0.63
    or use an IP range (see https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/managing-reverse-dns-zones)
    
  3. Back up the existing LDAP VM following: EWC - How to create and restore backups from VMs
  4. If your LDAP is Rocky 8 based, jump to step 9; if it is CentOS 7, continue normally.
  5. Create an LDAP replica instance to move from CentOS 7 to Rocky 8 (see Migrate from Centos7 to Rocky 8);
  6. Run the workflow to switch IP interfaces between LDAPs (see Run workflow to switch IP interfaces between LDAP);
  7. Check everything is fine (see Tests);
  8. Create an LDAP replica instance to move from Rocky 8 to Rocky 9 (see Migrate from Rocky 8 to Rocky 9);
  9. Run the workflow to switch IP interfaces between LDAPs (see Run workflow to switch IP interfaces between LDAP);
  10. Check everything is fine (see Tests);
  11. Remove the old LDAPs


Migrate from Centos7 to Rocky 8

Creating a new LDAP to migrate to

  1. Deploy a new machine with
    1. Rocky 8
    2. the new ldap security group
    3. plan eo1.medium
  2. Become sudo
  3. Stop and disable firewalld on the machine:
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP IP and the domain of the machine acting as LDAP on one line to /etc/hosts on this machine
  5. Check the result, e.g.:
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
    <!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies
    1. for rocky 8:
      1. sudo yum -y update
      2. sudo yum module reset idm:DL1
      3. sudo yum module enable idm:DL1
      4. sudo dnf install freeipa-server ipa-server-dns bind-dyndb-ldap -y
  7. Run the following command to install the LDAP replica
  8. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    (add --verbose for more logs) NOTE: go ahead with the default NetBIOS name, and answer yes when asked about installing the ipa-sidgen task for users


Migrate from Rocky 8 to Rocky 9

Creating a new LDAP to migrate to

  1. Deploy a new machine with
    1. Rocky 9
    2. the new ldap security group
    3. plan eo1.medium
  2. Become sudo
  3. Stop and disable firewalld on the machine:
    systemctl stop firewalld && systemctl disable firewalld
  4. Add the old LDAP IP and the domain of the machine acting as LDAP on one line to /etc/hosts on this machine
  5. Check the result, e.g.:
    [test234@test-podman2 ~]$ cat /etc/hosts
    <!-- BEGIN ANSIBLE MANAGED BLOCK -->
    10.0.0.133 test-podman2.eumetsat.sandbox.ewc
    10.0.0.63 <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)>
    <!-- END ANSIBLE MANAGED BLOCK -->
  6. Install dependencies
    1. for rocky 9:
      1. sudo dnf install ipa-server ipa-server-dns -y
  7. Run the following command to install the LDAP replica
  8. ipa-replica-install --domain "eumetsat.sandbox.ewc" --principal sandbox-ldap-admin --admin-password hunter2 --server <OLD LDAP complete domain (e.g. ldap.eumetsat.sandbox.ewc)> --setup-ca --setup-dns --force-join --forwarder=8.8.8.8 --forwarder=1.1.1.1 --no-host-dns --unattended

    add --verbose for more logs

  9. ipa dnszone-mod <DNS ZONE you find with ipa dnszone-find> --name-server=<NEWLDAP complete domain (e.g. ldap-test-rocky.eumetsat.sandbox.ewc)>

  1. On the new LDAP machine, choose which LDAP is the CA renewal master (command: ipa-csreplica-manage set-renewal-master)
  2. DON'T DO IT (see the comment in the next steps for why): create an A record for the existing LDAP domain pointing to the new LDAP:
    ipa dnsrecord-add eumetsat.sandbox.ewc. ldap --a-rec <NEW_LDAP_IP>

  3. Modify the DNS primary in the Network (cannot be done by a user, unless we give permissions to modify networks) and wait some time (1 week?), or do a manual action on each machine to apply the change (lease time ~5.20 hours):
    1. for Ubuntu: a restart of the machine or of the network (systemctl restart networking), or maybe after a while you will get it (TBT)
    2. for Rocky 9: NetworkManager has priority over resolv.conf
    3. for Rocky 8: happening in sandbox but not in mcat; one option is to either remove /etc/resolv.conf and run dhclient, or ??
  4. Change secret/ldap_hostname to point to the new IPA host
  5. Run sudo ipactl stop on the old LDAP machine (check if this step can be removed on another test run)

  6. Delete the replica LDAP:
    ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force


Run workflow to switch IP interfaces between LDAP

  1. Detach the interface from the old LDAP
  2. Update the IP in /etc/hosts and remove the old LDAP record
  3. Delete the old LDAP DNS records:
    ipa-replica-manage del ldap.eumetsat.sandbox.ewc --force
  4. Replace the new LDAP IP with the IP of the interface of the old LDAP:
    ipa dnsrecord-mod <hostedzone> ipa-ca --a-rec <OLD_LDAP_IP>
    ipa dnsrecord-mod <DNS_ZONE> <NEW LDAP HOSTNAME> --a-rec <OLD_LDAP_IP>
  5. Switch off the new LDAP
  6. Remove the interface
  7. Add an interface with the IP of the old LDAP
  8. Add security groups to the new LDAP
  9. Restart the new LDAP machine
  10. Change the value in Cypher: change secret/ldap_hostname to point to the new IPA host


Tests

  1. Log in with DNS from ssh-proxy
  2. Run sudo ipactl status and verify the services are all up and running
  3. Deploy a new machine and enroll
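To make step 2 repeatable after each switch, here is an added example (not part of the original page, and not FreeIPA's own tooling) that parses the output of ipactl status and flags any service that is missing or not RUNNING. The two sample outputs are constructed in the shape of ipactl's "<name> Service: <STATE>" lines, and the REQUIRED_SERVICES list is an assumption based on the --setup-ca --setup-dns install used on this page (named and pki-tomcatd must exist on such a replica).

```python
import re
from typing import Dict, List

# Services a replica installed with --setup-ca --setup-dns must report.
# Assumed list for this page's setup; adjust to your deployment.
REQUIRED_SERVICES = ["Directory", "krb5kdc", "kadmin", "named", "httpd", "pki-tomcatd"]

# Constructed sample in the shape of `ipactl status` output (assumed layout).
STATUS_HEALTHY = """\
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""

# Constructed sample where the CA is stopped and DNS was never set up.
STATUS_DEGRADED = """\
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
"""


def parse_ipactl_status(text: str) -> Dict[str, str]:
    """Map service name -> state from every '<name> Service: <STATE>' line."""
    pattern = re.compile(r"^(\S+) Service: (\S+)$", re.MULTILINE)
    return {m.group(1): m.group(2) for m in pattern.finditer(text)}


def find_problems(text: str, required: List[str] = REQUIRED_SERVICES) -> List[str]:
    """Return one line per problem: a required service that is absent, or any
    service whose state is not RUNNING. Empty list means the replica is healthy."""
    states = parse_ipactl_status(text)
    problems = [f"{name}: missing from ipactl status" for name in required if name not in states]
    problems += [f"{name}: {state}" for name, state in states.items() if state != "RUNNING"]
    return problems


def replica_is_healthy(text: str) -> bool:
    return not find_problems(text)


if __name__ == "__main__":
    # On the replica itself: ipactl exits non-zero when a service is down,
    # so read stdout regardless of the exit status and judge it ourselves.
    import subprocess
    import sys
    out = subprocess.run(["sudo", "ipactl", "status"], capture_output=True, text=True).stdout
    for line in find_problems(out):
        print("PROBLEM:", line)
    sys.exit(0 if replica_is_healthy(out) else 1)
```

Run it on the new LDAP machine after the interface switch; a non-zero exit means something in the list needs attention before the old LDAP is removed.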


Post Installation (optional)

After the IPA migration, especially from CentOS 7 to Rocky 9, there might still be some errors, like the one below:

ipa: ERROR: Operations error: Allocation of a new value for range cn=posix ids,cn=distributed numeric assignment plugin,cn=plugins,cn=config failed! Unable to proceed.


There is a FreeIPA doc site related to this: https://www.freeipa.org/page/V3/Recover_DNA_Ranges.html

The fix for that error is the following procedure:

  1. Identify the min and max of the ID range:
     ipa idrange-find
  2. Set the lower boundary to exclude every existing account (as of ipa user-find | grep 'UID')
  3. Assign the DNA range using the ${min}-${max} identified in the previous steps:
     ipa-replica-manage dnarange-set $ldap_server ${min}-${max}
  4. Check the range that is used:
     ipa-replica-manage dnarange-show
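Working out ${min} by hand from the two listings is where mistakes happen (a lower bound that still overlaps an existing account gives the DNA plugin a collision instead of a recovery), so here is an added example, not the page's or FreeIPA's own code, that computes both bounds from the output of ipa idrange-find and ipa user-find. The sample listings are constructed in the shape of those commands' output; the range name, the ID numbers and the server name ldap-test-rocky.eumetsat.sandbox.ewc are placeholders. It also counts GIDs, because the same DNA "posix ids" range allocates both uidNumber and gidNumber.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `ipa idrange-find` output (assumed layout;
# range name and numbers are made up).
IDRANGE_OUTPUT = """\
----------------
1 range matched
----------------
  Range name: EUMETSAT.SANDBOX.EWC_id_range
  First Posix ID of the range: 1513200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 100000000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed sample in the shape of `ipa user-find` output (assumed layout).
USER_FIND_OUTPUT = """\
---------------
3 users matched
---------------
  User login: admin
  UID: 1513200000
  GID: 1513200000
  User login: alice
  UID: 1513200001
  GID: 1513200001
  User login: bob
  UID: 1513200002
  GID: 1513200005
----------------------------
Number of entries returned 3
----------------------------
"""


def parse_idrange(text: str) -> Tuple[int, int]:
    """Return (first_id, last_id) of the local domain range. Entries of other
    types (e.g. trust ranges) are skipped, so a listing with several ranges is fine."""
    for entry in re.split(r"(?m)^\s*Range name:", text)[1:]:
        rtype = re.search(r"Range type:\s*(.+)", entry)
        if rtype and rtype.group(1).strip() != "local domain range":
            continue
        first = re.search(r"First Posix ID of the range:\s*(\d+)", entry)
        size = re.search(r"Number of IDs in the range:\s*(\d+)", entry)
        if first and size:
            start = int(first.group(1))
            return start, start + int(size.group(1)) - 1
    raise ValueError("no local domain POSIX ID range found in idrange-find output")


def parse_posix_ids(text: str) -> List[int]:
    """Collect every UID and GID value; the DNA 'posix ids' range hands out both."""
    return [int(n) for n in re.findall(r"^[ \t]*(?:UID|GID):[ \t]*(\d+)", text, re.MULTILINE)]


def compute_dna_range(idrange_text: str, user_find_text: str) -> Tuple[int, int]:
    """min = highest ID already used inside the range + 1; max = end of the range.
    IDs outside the range (e.g. from a different range) do not move the bound."""
    first, last = parse_idrange(idrange_text)
    used = [i for i in parse_posix_ids(user_find_text) if first <= i <= last]
    low = max(used) + 1 if used else first
    if low > last:
        raise ValueError(f"ID range {first}-{last} is exhausted; add a new idrange first")
    return low, last


def dnarange_set_command(server: str, low: int, high: int) -> str:
    """Render the ipa-replica-manage command from the page with the computed bounds."""
    return f"ipa-replica-manage dnarange-set {server} {low}-{high}"


if __name__ == "__main__":
    # Real run on the IPA server; --sizelimit=0 lifts the default 100-entry cap.
    import subprocess
    idr = subprocess.run(["ipa", "idrange-find"], capture_output=True, text=True, check=True).stdout
    users = subprocess.run(["ipa", "user-find", "--sizelimit=0"], capture_output=True, text=True, check=True).stdout
    low, high = compute_dna_range(idr, users)
    print(dnarange_set_command("ldap-test-rocky.eumetsat.sandbox.ewc", low, high))
```

Two points matter when running this for real: pass --sizelimit=0 to ipa user-find (as the script does), because the default search size limit of 100 entries would silently hide the highest UIDs; and after dnarange-set, confirm with ipa-replica-manage dnarange-show that the new range does not overlap one still held by another replica.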