Difference between revisions of "Authentication Server Migration"
(Completed another step, added yet another.) |
|||
(14 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
− | + | {{Archived}} | |
− | = Summary = | + | |
+ | = Summary = | ||
We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution. | We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution. | ||
− | = Overview of Migration = | + | = Overview of Migration = |
* Establish VPN link between our existing web server and the space (complete) | * Establish VPN link between our existing web server and the space (complete) | ||
* Set up new FreeIPA server (complete) | * Set up new FreeIPA server (complete) | ||
* Get proper monitoring in place to verify that VPN link is live. (complete) | * Get proper monitoring in place to verify that VPN link is live. (complete) | ||
− | * Add POSIX information to everyone in the existing directory | + | * Remove all POSIX attributes from the directory (complete) |
− | * Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA | + | * Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete) |
− | * Disconnect clients from 389-ds | + | * Flip the read-only flag on in 389-ds (complete) |
− | * Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) | + | * '''Get backups running on FreeIPA''' (complete) |
− | * Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) | + | * Purge existing users out of FreeIPA (complete) |
− | * Reconfigure clients to talk to FreeIPA; test. | + | * Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping) |
− | * Shut down 389-ds | + | * Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA (complete) |
+ | * Disconnect clients from 389-ds (complete) | ||
+ | * Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete) | ||
+ | * Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited, delaying sending out email as it's not necessary to be handled right away | ||
+ | * Reconfigure clients to talk to FreeIPA; test. (complete, success) | ||
+ | * Shut down 389-ds (complete) | ||
* Remove 389-ds software from sshc0 | * Remove 389-ds software from sshc0 | ||
− | * Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space) | + | * Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space) |
− | * Complete. | + | * Complete. |
− | = Rollback Procedure = | + | = Rollback Procedure = |
Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by: | Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by: | ||
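Review bot: the added step "Instruct users to visit the migration webpage to update their password" carries no completion marker (the email is noted as delayed), yet the later added steps "Disconnect clients from 389-ds" and "Shut down 389-ds" are marked complete. State on that line whether accounts that have not yet visited the migration webpage can still authenticate against FreeIPA, or mark the step as deferred with an owner, so the list does not read as if the old directory was shut down with the password migration still open.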
Line 26: | Line 32: | ||
* Restoring previous configuration of clients. | * Restoring previous configuration of clients. | ||
+ | Rollback not necessary. | ||
= Prepration steps = | = Prepration steps = | ||
− | == Staging == | + | == Staging == |
* Set up a 389-ds server | * Set up a 389-ds server | ||
* Restore a backup of 389-ds | * Restore a backup of 389-ds | ||
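Review bot: the heading "= Prepration steps =" directly below the added "Rollback not necessary." line is misspelled and is carried through unchanged on both sides of this revision; correct it to "Preparation steps" while the adjacent "== Staging ==" line is being touched.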
Line 34: | Line 41: | ||
* Set up a FreeIPA server | * Set up a FreeIPA server | ||
* Test migration tools | * Test migration tools | ||
+ | |||
+ | [[Category:System Administration]] |
Latest revision as of 00:21, 27 January 2022
This article has been Archived. It may not be reliable, but is being kept for historical reasons.
Summary
We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.
Overview of Migration
- Establish VPN link between our existing web server and the space (complete)
- Set up new FreeIPA server (complete)
- Get proper monitoring in place to verify that VPN link is live. (complete)
- Remove all POSIX attributes from the directory (complete)
- Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
- Flip the read-only flag on in 389-ds (complete)
- Get backups running on FreeIPA (complete)
- Purge existing users out of FreeIPA (complete)
- Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping)
- Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA (complete)
- Disconnect clients from 389-ds (complete)
- Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete)
- Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited; sending out the email is delayed, as it does not need to be handled right away
- Reconfigure clients to talk to FreeIPA; test. (complete, success)
- Shut down 389-ds (complete)
- Remove 389-ds software from sshc0
- Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
- Complete.
Rollback Procedure
Up until the step "Remove 389-ds software from sshc0", we should be able to roll back out of this process by:
- Turning 389-ds back on on sshc0
- Restoring previous configuration of clients.
Rollback not necessary.
Preparation steps
Staging
- Set up a 389-ds server
- Restore a backup of 389-ds
- Validate backup
- Set up a FreeIPA server
- Test migration tools