Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master). Are there any gotchas to replacing OpenLDAP with FreeIPA? I'm using Ansible to push the client install to the VMs, with a task for uninstalling OpenLDAP prior to IPA setup.
Does this plan sound cunning enough? Or am I missing something?
On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
> Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master). Are there any gotchas to replacing OpenLDAP with FreeIPA?
Do you mean that you are replicating your whole ldap directory on each client ?
> I'm using Ansible to push the client install to the VMs, with a task for uninstalling OpenLDAP prior to IPA setup.
> Does this plan sound cunning enough? Or am I missing something?
ENOINFO to comment on whether this is genius or madness :-)
Simo.
On 09/08/2017 12:10 PM, Simo Sorce wrote:
> On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
>> Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master). Are there any gotchas to replacing OpenLDAP with FreeIPA?
> Do you mean that you are replicating your whole ldap directory on each client ?
Unfortunately, yes in the case of the boxes we supply to our customers. Disclaimer: This was decided on LONG before I arrived and never really worked well anyway, hence the need to do it right this time.
>> I'm using Ansible to push the client install to the VMs, with a task for uninstalling OpenLDAP prior to IPA setup.
>> Does this plan sound cunning enough? Or am I missing something?
> ENOINFO to comment on whether this is genius or madness :-)
Maybe I should clarify. We're moving away from a full OpenLDAP server running on customer servers (which is really small, mainly the 5 or 6 Operations accounts that need logins) and replacing it with FreeIPA client setups. The Ansible playbook would be (more or less) 3 tasks:
1. Uninstall openldap-servers package (these are all CentOS 6 boxes)
2. Install freeipa-client
3. Run the unattended setup with all settings passed as variables.
I can't see any issues with this method, but I like having other eyes go over it when it's something I've never had to do before.
On Fri, 2017-09-08 at 12:36 -0400, Mark Haney wrote:
> On 09/08/2017 12:10 PM, Simo Sorce wrote:
>> On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
>>> Probably the dumbest question you'll get all day, but we've got a hundred or so VMs with OpenLDAP on them (as clients pointing to a master). Are there any gotchas to replacing OpenLDAP with FreeIPA?
>> Do you mean that you are replicating your whole ldap directory on each client ?
> Unfortunately, yes in the case of the boxes we supply to our customers. Disclaimer: This was decided on LONG before I arrived and never really worked well anyway, hence the need to do it right this time.
eeek :)
>>> I'm using Ansible to push the client install to the VMs, with a task for uninstalling OpenLDAP prior to IPA setup.
>>> Does this plan sound cunning enough? Or am I missing something?
>> ENOINFO to comment on whether this is genius or madness :-)
> Maybe I should clarify. We're moving away from a full OpenLDAP server running on customer servers (which is really small, mainly the 5 or 6 Operations accounts that need logins) and replacing it with FreeIPA client setups. The Ansible playbook would be (more or less) 3 tasks:
> 1. Uninstall openldap-servers package (these are all CentOS 6 boxes)
> 2. Install freeipa-client
> 3. Run the unattended setup with all settings passed as variables.
> I can't see any issues with this method, but I like having other eyes go over it when it's something I've never had to do before.
Sounds like a nice upgrade :-) If the data is the same I see no issue on the general approach.
Simo.
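As an added example (not from this thread and not FreeIPA project code), here is a minimal playbook for the three tasks Mark describes, written for CentOS 6 where the client package is named ipa-client rather than freeipa-client. The server, domain, realm, enrollment principal and password are placeholder variables (assumed, not taken from the thread); the `creates` guard on /etc/ipa/default.conf makes the enrollment step idempotent across repeated runs, and `no_log` keeps the enrollment password out of the Ansible output.

```yaml
# Added example: replace a per-host OpenLDAP server with a FreeIPA client on CentOS 6.
# ipa_server, ipa_domain, ipa_realm, ipa_enroll_principal and vault_ipa_enroll_password
# are placeholder names, not values from the thread; keep the password in Ansible Vault.
- name: Replace local OpenLDAP server with FreeIPA client
  hosts: customer_vms                      # assumed inventory group
  become: yes
  vars:
    ipa_server: ipa1.example.com           # assumed IPA master
    ipa_domain: example.com                # assumed DNS domain
    ipa_realm: EXAMPLE.COM                 # assumed Kerberos realm
    ipa_enroll_principal: enrollment       # assumed account holding the Host Enrollment privilege
    ipa_enroll_password: "{{ vault_ipa_enroll_password }}"   # supplied from a vaulted vars file

  tasks:
    - name: Stop slapd so the package removal does not leave a running daemon behind
      service:
        name: slapd
        state: stopped
        enabled: no
      ignore_errors: yes                   # slapd may already be gone on some hosts

    - name: Remove the local OpenLDAP server (client libraries stay; ipa-client depends on them)
      yum:
        name: openldap-servers
        state: absent

    - name: Install the FreeIPA client (EL6 package name is ipa-client)
      yum:
        name: ipa-client
        state: present

    - name: Enroll the host unattended (skipped when /etc/ipa/default.conf already exists)
      command: >
        ipa-client-install --unattended
        --server={{ ipa_server }}
        --domain={{ ipa_domain }}
        --realm={{ ipa_realm }}
        --principal={{ ipa_enroll_principal }}
        --password={{ ipa_enroll_password }}
        --mkhomedir
      args:
        creates: /etc/ipa/default.conf
      no_log: yes                          # do not echo the enrollment password into the log

    - name: Check that the host keytab was written by enrollment
      command: klist -k /etc/krb5.keytab
      changed_when: false
```

Run it with `ansible-playbook -i inventory --ask-vault-pass replace_openldap.yml`. Because `--password` is visible on the command line for the duration of the install, a per-host one-time password created on the IPA master with `ipa host-add --random` (passed as `--password` without `--principal`) is preferable to shipping one reusable enrollment credential to every customer VM.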
On 09/08/2017 12:44 PM, Simo Sorce wrote:
> Sounds like a nice upgrade :-) If the data is the same I see no issue on the general approach.
> Simo.
Eek is right. Part of why I was hired was to fix a lot of these bandaids and half-measures done for expediency's sake. The staff here have been hampered by a lack of time, and what IT staff isn't, but also by a more Systems Engineering oriented person. So, it's clean up time and Ansible/FreeIPA are the two main steps to clean a lot of this up.
Thanks for the input. I'm going to test it later today if I can. I'll keep you posted. And yes, the data is essentially the same.
freeipa-users@lists.fedorahosted.org