Authentication Server Migration

From sshcWiki
Revision as of 12:36, 11 May 2014 by Cswingler (talk | contribs) (Completed another step, added yet another.)


Summary

We are working toward migrating from 389 Directory Server to FreeIPA as our authentication and identity solution.

Overview of Migration

  • Establish VPN link between our existing web server and the space (complete)
  • Set up new FreeIPA server (complete)
  • Get proper monitoring in place to verify that VPN link is live. (complete)
  • Add POSIX information to everyone in the existing directory
  • Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA
  • Disconnect clients from 389-ds
  • Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr)
  • Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki)
  • Reconfigure clients to talk to FreeIPA; test.
  • Shut down 389-ds
  • Remove 389-ds software from sshc0
  • Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
  • Complete.
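
For the "Add POSIX information" step, the sketch below is an added example and not part of the original wiki page or its tooling. It reads an LDIF export, finds entries without posixAccount, and builds a modify LDIF for review before it is applied to 389-ds. The example.org DNs, the ID range starting at 10000, the shared gid, the /home/<uid> layout and the uid naming pattern are all assumptions.

```python
import re
# Constructed sample of a directory export; DNs and ID numbers are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 10000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob

dn: uid=../etc,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: ../etc
"""
SAFE_UID = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # assumed local naming policy

def parse_ldif(text):
    """Parse simple LDIF (no base64 values or folded lines) into dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(key.lower(), []).append(value)
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def posix_modifications(entries, first_id=10000, gid=10000, shell="/bin/bash"):
    """Return (modify LDIF, skipped DNs) for entries lacking posixAccount."""
    used = {int(n) for e in entries for n in e.get("uidnumber", [])}
    next_id, mods, skipped = first_id, [], []
    for e in entries:
        if "posixaccount" in (c.lower() for c in e.get("objectclass", [])):
            continue  # already carries POSIX data
        uid = e.get("uid", [""])[0]
        if not SAFE_UID.fullmatch(uid):  # uid becomes a home path: reject odd names
            skipped.append(e["dn"][0])
            continue
        while next_id in used:  # never hand out a uidNumber that is already taken
            next_id += 1
        used.add(next_id)
        attrs = [("objectClass", "posixAccount"), ("uidNumber", next_id), ("gidNumber", gid),
                 ("homeDirectory", f"/home/{uid}"), ("loginShell", shell)]
        body = "\n-\n".join(f"add: {k}\n{k}: {v}" for k, v in attrs)
        mods.append(f"dn: {e['dn'][0]}\nchangetype: modify\n{body}\n")
    return "\n".join(mods), skipped
```

Calling `posix_modifications(parse_ldif(SAMPLE_LDIF))` returns the LDIF text and the list of DNs that need manual attention; entries with unusual uid values are reported rather than given a home directory path.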

Rollback Procedure

Up until the step "Remove 389-ds software from sshc0", we should be able to roll back out of this process by:

  • Turning 389-ds back on on sshc0
  • Restoring previous configuration of clients.


Preparation steps

Staging

  • Set up a 389-ds server
  • Restore a backup of 389-ds
  • Validate backup
  • Set up a FreeIPA server
  • Test migration tools