Summary

We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.

Overview of Migration

• Establish VPN link between our existing web server and the space (complete)
• Set up new FreeIPA server (complete)
• Get proper monitoring in place to verify that VPN link is live. (complete)
• Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3)
• Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA
• Disconnect clients from 389-ds
• Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr)
• Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki)
• Reconfigure clients to talk to FreeIPA; test.
• Shut down 389-ds
• Remove 389-ds software from sshc0
• Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
• Complete.

Rollback Procedure

Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by:

• Turning 389-ds back on on sshc0
• Restoring previous configuration of clients.

Prepration steps

Staging

• Set up a 389-ds server
• Restore a backup of 389-ds
• Validate backup
• Set up a FreeIPA server
• Test migration tools