On 09/08/2017 12:10 PM, Simo Sorce wrote:
On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users wrote:
Probably the dumbest question you'll get all day, but we've got a
hundred or so VMs with OpenLDAP on them (as clients pointing to a
master).  Are there any gotchas to replacing OpenLDAP with FreeIPA?
Do you mean that you are replicating your whole ldap directory on each
client ?
Unfortunately, yes, in the case of the boxes we supply to our customers. Disclaimer: This was decided on LONG before I arrived and never really worked well anyway, hence the need to do it right this time.


I'm using Ansible to push the client install to the VMs, with a task for
uninstalling OpenLDAP prior to IPA setup.

Does this plan sound cunning enough?  Or am I missing something?
ENOINFO to comment on whether this is genius or madness :-)

Maybe I should clarify.  We're moving away from a full OpenLDAP server running on customer servers (which is really small, mainly the 5 or 6 Operations accounts that need logins) and replacing it with FreeIPA client setups.  The Ansible playbook would be (more or less) 3 tasks:

Uninstall openldap-servers package (these are all CentOS 6 boxes)
Install freeipa-client
Run the unattended setup with all settings passed as variables.

I can't see any issues with this method, but I like having other eyes go over it when it's something I've never had to do before.





--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.ha...@neonova.net
www.neonova.net
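
The three tasks described in the message above, sketched as a playbook. This is an added example, not part of the original post or the FreeIPA project's own code; the `customer_vms` group and every `ipa_*` variable are hypothetical, and enrolling with a single-use host password instead of an admin principal is an assumption of the example.

```yaml
# Added example (not from the thread). Hypothetical names: the customer_vms
# group and all ipa_* variables; keep ipa_host_otp in an Ansible Vault file.
- name: Swap the local OpenLDAP server for FreeIPA client enrollment
  hosts: customer_vms
  become: true
  vars:
    # Package name as written in the message; set it to whatever your
    # distribution's repository actually calls the IPA client package.
    ipa_client_package: freeipa-client
  tasks:
    - name: Uninstall the OpenLDAP server package
      yum:
        name: openldap-servers
        state: absent

    - name: Install the IPA client package
      yum:
        name: "{{ ipa_client_package }}"
        state: present

    - name: Run the unattended client setup
      command:
        argv:
          - ipa-client-install
          - --unattended
          - "--domain={{ ipa_domain }}"
          - "--realm={{ ipa_realm }}"
          - "--server={{ ipa_server }}"
          # Assumption: a single-use enrollment password set on this host's
          # entry on the IPA server, instead of an admin principal/password.
          - "--password={{ ipa_host_otp }}"
          - --mkhomedir
        creates: /etc/ipa/default.conf   # skip hosts that are already enrolled
      no_log: true                       # keep the password out of Ansible output and logs

    - name: Confirm an Operations account now resolves through IPA
      command: getent passwd {{ ipa_test_user }}
      changed_when: false
```

The enrollment password is still visible in the target's process list while the command runs, which is why the example assumes a single-use value.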