On Fri, 2017-09-08 at 12:36 -0400, Mark Haney wrote:
> On 09/08/2017 12:10 PM, Simo Sorce wrote:
> > On Fri, 2017-09-08 at 10:06 -0400, Mark Haney via FreeIPA-users
> > wrote:
> > > Probably the dumbest question you'll get all day, but we've got a
> > > hundred or so VMs with OpenLDAP on them (as clients pointing to a
> > > master).  Are there any gotchas to replacing OpenLDAP with
> > > FreeIPA?
> > 
> > Do you mean that you are replicating your whole LDAP directory on
> > each client?
> 
> Unfortunately, yes in the case of the boxes we supply to our
> customers. Disclaimer:  This was decided on LONG before I arrived and
> never really worked well anyway, hence the need to do it right this
> time.

eeek :)

> > > I'm using Ansible to push the client install to the VMs, with a
> > > task for uninstalling OpenLDAP prior to IPA setup.
> > > 
> > > Does this plan sound cunning enough?  Or am I missing something?
> > 
> > ENOINFO to comment on whether this is genius or madness :-)
> 
> Maybe I should clarify.  We're moving away from a full OpenLDAP
> server running on customer servers (which is really small, mainly the
> 5 or 6 Operations accounts that need logins) and replacing it with
> FreeIPA client setups.  The Ansible playbook would be (more or less)
> 3 tasks:
> 
> Uninstall openldap-servers package (these are all CentOS 6 boxes)
> Install freeipa-client
> Run the unattended setup with all settings passed as variables.
> 
> I can't see any issues with this method, but I like having other eyes
> go over it when it's something I've never had to do before.

Sounds like a nice upgrade :-)
If the data is the same I see no issue with the general approach.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
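
The three-task playbook described in the thread could look like the following. This is an added example, not code posted by either participant. The inventory group, variable names and `example.test` values are placeholders, and the package name `ipa-client` is an assumption for CentOS 6 (the thread calls it freeipa-client).

```yaml
# Added example: the host group, variable names and values are placeholders.
- hosts: customer_vms                # hypothetical inventory group
  become: true
  vars:
    ipa_client_package: ipa-client   # assumption: CentOS 6 package name
    ipa_domain: example.test         # placeholder
    ipa_realm: EXAMPLE.TEST          # placeholder
    ipa_server: ipa1.example.test    # placeholder
    # ipa_enroll_otp: per-host one-time enrollment password, expected to
    # come from Ansible Vault or host_vars rather than from this file.
  tasks:
    - name: Remove the local OpenLDAP server
      yum:
        name: openldap-servers
        state: absent

    - name: Install the IPA client package
      yum:
        name: "{{ ipa_client_package }}"
        state: present

    - name: Enroll the host with the unattended installer
      command:
        argv:
          - ipa-client-install
          - --unattended
          - "--domain={{ ipa_domain }}"
          - "--realm={{ ipa_realm }}"
          - "--server={{ ipa_server }}"
          - "--password={{ ipa_enroll_otp }}"
          - --mkhomedir
        # Skip the task on hosts that are already enrolled.
        creates: /etc/ipa/default.conf
      # Keep the enrollment password out of Ansible output and logs.
      no_log: true
```

Enrolling with a per-host one-time password instead of an administrator principal means a leaked playbook variable cannot be reused after the host has joined. The password is still passed as a command-line argument and is visible in the client's process list while the installer runs.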