Difference between revisions of "Authentication Server Migration"

From sshcWiki
(marking as done)
m (Bot: Cosmetic changes)
Line 1: Line 1:
[[Category: System Administration]]
+
ARCHIVED: This task is complete and this is being kept for historical reasons.
  
ARCHIVED: This task is complete and this is being kept for historical reasons.
 
  
 
+
= Summary =
= Summary =  
 
 
We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.
 
We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.
  
= Overview of Migration =  
+
= Overview of Migration =
  
 
* Establish VPN link between our existing web server and the space (complete)
 
* Establish VPN link between our existing web server and the space (complete)
 
* Set up new FreeIPA server (complete)
 
* Set up new FreeIPA server (complete)
 
* Get proper monitoring in place to verify that VPN link is live. (complete)
 
* Get proper monitoring in place to verify that VPN link is live. (complete)
* Remove all POSIX attributes from the directory (complete)  
+
* Remove all POSIX attributes from the directory (complete)
 
* Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
 
* Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
 
* Flip the read-only flag on in 389-ds (complete)
 
* Flip the read-only flag on in 389-ds (complete)
* '''Get backups running on FreeIPA''' (complete)
+
* '''Get backups running on FreeIPA''' (complete)
 
* Purge existing users out of FreeIPA (complete)
 
* Purge existing users out of FreeIPA (complete)
 
* Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping)
 
* Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping)
Line 22: Line 20:
 
* Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete)
 
* Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete)
 
* Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited, delaying sending out email as it's not necessary to be handled right away
 
* Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited, delaying sending out email as it's not necessary to be handled right away
* Reconfigure clients to talk to FreeIPA; test. (complete, success)  
+
* Reconfigure clients to talk to FreeIPA; test. (complete, success)
 
* Shut down 389-ds (complete)
 
* Shut down 389-ds (complete)
 
* Remove 389-ds software from sshc0
 
* Remove 389-ds software from sshc0
* Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)  
+
* Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
* Complete.  
+
* Complete.
  
= Rollback Procedure =  
+
= Rollback Procedure =
 
Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by:
 
Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by:
  
Line 37: Line 35:
  
 
= Prepration steps =
 
= Prepration steps =
== Staging ==  
+
== Staging ==
 
* Set up a 389-ds server
 
* Set up a 389-ds server
 
* Restore a backup of 389-ds
 
* Restore a backup of 389-ds
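Review bot: the heading "= Prepration steps =" shown as context in this hunk is misspelled and passes through unchanged on both sides. Since this pass already rewrites the adjacent "== Staging ==" line, correct the heading to "= Preparation steps =" in the same edit.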
Line 43: Line 41:
 
* Set up a FreeIPA server
 
* Set up a FreeIPA server
 
* Test migration tools
 
* Test migration tools
 +
 +
[[Category:System Administration]]

Revision as of 22:14, 27 February 2017

ARCHIVED: This task is complete and this is being kept for historical reasons.


Summary

We are working toward moving from 389 Directory Server to FreeIPA as our authentication and identity solution.

Overview of Migration

  • Establish VPN link between our existing web server and the space (complete)
  • Set up new FreeIPA server (complete)
  • Get proper monitoring in place to verify that VPN link is live. (complete)
  • Remove all POSIX attributes from the directory (complete)
  • Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
  • Flip the read-only flag on in 389-ds (complete)
  • Get backups running on FreeIPA (complete)
  • Purge existing users out of FreeIPA (complete)
  • Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping)
  • Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA (complete)
  • Disconnect clients from 389-ds (complete)
  • Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete)
  • Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited; sending the email is delayed, as it does not need to be handled right away
  • Reconfigure clients to talk to FreeIPA; test. (complete, success)
  • Shut down 389-ds (complete)
  • Remove 389-ds software from sshc0
  • Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
  • Complete.
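
A pre-migration check for the "Add POSIX information to everyone in the existing directory" step, as an added example (not the linked gist and not this project's own code): it parses an LDIF export of the old directory and reports accounts that lack uidNumber, gidNumber or homeDirectory, or that share a uidNumber. The sample LDIF, the dc=example,dc=org suffix, the function names and the rule that an account is any entry carrying a uid attribute are assumptions made for illustration.

```python
import base64
from collections import Counter

REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")
# Constructed sample export (not real directory data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob

dn: uid=carol,ou=People,dc=example,dc=org
uid: carol
uidNumber: 10001
gidNumber: 10003
homeDirectory:: L2hvbWUvY2Fyb2w=
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]}."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_posix(entries):
    """Map DN -> list of problems for account entries (assumed: those with a uid)."""
    users = [e for e in entries if "uid" in e]
    seen = Counter(n for e in users for n in e.get("uidnumber", []))
    report = {}
    for e in users:
        problems = ["missing " + a for a in REQUIRED if a.lower() not in e]
        problems += ["duplicate uidNumber " + n for n in e.get("uidnumber", []) if seen[n] > 1]
        if problems:
            report[e["dn"][0]] = problems
    return report
```

Run `audit_posix(parse_ldif(...))` on an export taken after the directory has been set read-only, so the result still holds when the migration tools run; an empty report means every account carries the three attributes and no uidNumber is shared.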

Rollback Procedure

Up until the step "Remove 389-ds software from sshc0", we should be able to roll back out of this process by:

  • Turning 389-ds back on on sshc0
  • Restoring previous configuration of clients.

Rollback not necessary.

Preparation steps

Staging

  • Set up a 389-ds server
  • Restore a backup of 389-ds
  • Validate backup
  • Set up a FreeIPA server
  • Test migration tools