Revision as of 16:17, 11 May 2014

Summary

We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.

Establish VPN link between our existing web server and the space (complete)
Set up new FreeIPA server (complete)
Get proper monitoring in place to verify that VPN link is live. (complete)
Remove all POSIX attributes from the directory (complete)
Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3)
Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA
Disconnect clients from 389-ds
Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr)
Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki)
Reconfigure clients to talk to FreeIPA; test.
Shut down 389-ds
Remove 389-ds software from sshc0
Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
Complete.

Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by:

@@ Line 9: / Line 9: @@
 * Set up new FreeIPA server (complete)
 * Get proper monitoring in place to verify that VPN link is live. (complete)
+* Remove all POSIX attributes from the directory (complete)
 * Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3)
-** Edit the existing members' POSIX info to line up with the UIDs that script generates.
 * Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA
 * Disconnect clients from 389-ds