Difference between revisions of "Authentication Server Migration"
(Added another step.) |
|||
Line 12: | Line 12: | ||
* Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete) | * Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete) | ||
* Flip the read-only flag on in 389-ds | * Flip the read-only flag on in 389-ds | ||
+ | * Purge existing users out of FreeIPA | ||
+ | * Change the ID range in FreeIPA to start at 1215100000 | ||
* Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA | * Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA | ||
* Disconnect clients from 389-ds | * Disconnect clients from 389-ds |
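Review bot: the added "Purge existing users out of FreeIPA" step is destructive, but the page's rollback procedure only covers turning 389-ds back on and restoring client configuration. Add a step that backs up or exports the FreeIPA data before the purge, or note in the rollback section that FreeIPA is rebuilt from scratch if the migration is abandoned. The "Change the ID range in FreeIPA to start at 1215100000" step should also give the size or end of the range and say whether the uidNumber/gidNumber values assigned in the earlier "Add POSIX information" step are expected to fall inside it, so the migration step that follows can be checked against it.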
Revision as of 16:36, 11 May 2014
Summary
We are working toward moving from 389 Directory Server to FreeIPA as our authentication and identity solution.
Overview of Migration
- Establish VPN link between our existing web server and the space (complete)
- Set up new FreeIPA server (complete)
- Get proper monitoring in place to verify that VPN link is live. (complete)
- Remove all POSIX attributes from the directory (complete)
- Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
- Flip the read-only flag on in 389-ds
- Purge existing users out of FreeIPA
- Change the ID range in FreeIPA to start at 1215100000
- Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA
- Disconnect clients from 389-ds
- Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr)
- Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki)
- Reconfigure clients to talk to FreeIPA; test.
- Shut down 389-ds
- Remove 389-ds software from sshc0
- Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
- Complete.
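A pre-migration check for the ID range step above, as an added example (not code from this page or the linked gist): it audits an LDIF export of the 389-ds users for entries without POSIX attributes, uidNumbers outside the range starting at 1215100000, and duplicate uidNumbers. The range size of 200000, the expectation that the existing uidNumbers should fall inside the FreeIPA range, and all sample entries are assumptions made for the example.

```python
from collections import defaultdict

ID_RANGE_START = 1215100000  # start value from the migration plan on this page
ID_RANGE_SIZE = 200000       # assumption: range size, not stated on this page
# Constructed sample export; DNs and numbers are made up for the example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1215100001

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1001

dn: uid=carol,ou=People,
 dc=example,dc=org
objectClass: posixAccount
uidNumber: 1215100001

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Yield {attr: [values]} per entry; folded lines are joined first."""
    for block in text.replace("\n ", "").split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                attr, value = line.split(": ", 1)
                entry[attr.lower()].append(value)
        if entry:
            yield entry

def audit(text, start=ID_RANGE_START, size=ID_RANGE_SIZE):
    """Return (dn, problem) pairs to resolve before running the migration."""
    problems, seen = [], {}
    for e in parse_ldif(text):
        dn = e["dn"][0]
        if "posixaccount" not in map(str.lower, e["objectclass"]):
            problems.append((dn, "no posixAccount"))
            continue
        uid = int(e["uidnumber"][0])
        if not start <= uid < start + size:
            problems.append((dn, f"uidNumber {uid} outside range"))
        if uid in seen:
            problems.append((dn, f"uidNumber {uid} duplicates {seen[uid]}"))
        seen.setdefault(uid, dn)
    return problems
```

Calling `audit(SAMPLE_LDIF)` returns one finding each for bob, carol and dave; an empty list means every exported account has a unique uidNumber inside the assumed range.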
Rollback Procedure
Up until the step "Remove 389-ds software from sshc0", we should be able to roll back out of this process by:
- Turning 389-ds back on on sshc0
- Restoring previous configuration of clients.
Preparation steps
Staging
- Set up a 389-ds server
- Restore a backup of 389-ds
- Validate backup
- Set up a FreeIPA server
- Test migration tools