	This article has been Archived. It may not be reliable, but is being kept for historical reasons.

Summary

We are working toward moving away from 389 Directory Server, and to FreeIPA, as an Authentication and Identity solution.

Overview of Migration

Establish VPN link between our existing web server and the space (complete)
Set up new FreeIPA server (complete)
Get proper monitoring in place to verify that VPN link is live. (complete)
Remove all POSIX attributes from the directory (complete)
Add POSIX information to everyone in the existing directory (see https://gist.github.com/cswingler/1b7c731c7a858791aff3) (complete)
Flip the read-only flag on in 389-ds (complete)
Get backups running on FreeIPA (complete)
Purge existing users out of FreeIPA (complete)
Change the ID range in FreeIPA to start at 1215100000 (not a compatible option, skipping)
Use FreeIPA migration tools to migrate data from 389-ds into FreeIPA (complete)
Disconnect clients from 389-ds (complete)
Set up FreeIPA's Migration Webpage (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/#webpage-pwd-migr) (complete)
Instruct users to visit the migration webpage to update their password (send out email, edit login page on wiki) - Login page edited, delaying sending out email as it's not necessary to be handled right away
Reconfigure clients to talk to FreeIPA; test. (complete, success)
Shut down 389-ds (complete)
Remove 389-ds software from sshc0
Set up replica of FreeIPA server in space on public server (to tolerate outages of internet or power at space)
Complete.

Up until the step "Remove 389-ds software from sshc0"; we should be able to roll back out of this process by:

Rollback not necessary.