Adding LDAP Replication

https://tylersguides.com/guides/openldap-multi-master-replication/

Build the new jail.

    bastille create auth12 13.0-RELEASE 2001:n0p3:n0p3:20::123/120 lo1
    bastille template auth12 larch/puppet

Copy the backup files to the new host.

    cp /usr/local/bastille/jails/auth11/root/var/backups/ldap{,_config}.db ~zach/

Move the files into place.

    mv ~zach/ldap{,_config}.db /usr/local/bastille/jails/auth12/root/var/backups/
    bastille console auth12
    service slapd stop
    rm /usr/local/etc/openldap/slapd.conf
    rm -rf /usr/local/etc/openldap/slapd.d/*
    slapadd -F /usr/local/etc/openldap/slapd.d/ -n0 -l /var/backups/ldap_config.ldif
    slapadd -F /usr/local/etc/openldap/slapd.d/ -n1 -c -l /var/backups/ldap.ldif
    service slapd start

Load the module.

    dn: cn=module{0},cn=config
    changetype: modify
    add: olcModuleLoad
    olcModuleLoad: syncprov

Add all of the peers. ...

2021-06-21 · zach

Schema troubles

Auth8 has been losing some custom schema for some reason I haven’t been able to identify. I’m wondering if some upgrade caused some issue when I didn’t handle the upgrade properly, so perhaps loading the database from backup is the right move. First, create a new jail for auth9 on olaf.

    profile::jail::host::jails:
      auth9:
        ip4_addr: "%{hiera('profile::jail::host::default_interface')}|172.16.20.111/27"
        ip6_addr: "%{hiera('profile::jail::host::default_interface')}|2001:111:1111:20::515/120"
        properties:
          host_domainname: "l.znet"

Spin up the jail and sign the cert. ...

2020-02-20 · zach

Replacing the auth jails

Reuk has been having trouble, and as I move to iocage I no longer want to dance around the idea that reuk is running a set of jails configured in one way, and the rest of my prod systems are running iocage in a different way. This will remove the old style jails and convert everything to use iocage. These two jails (auth2 and auth3) both sit on reuk currently, and are some of the last to be converted because my jail provisioning system uses ldap as the data storage mechanism. ...

2015-08-15 · zach

Crash Recovery

I’ve been moving from an internal ldap module to one in Puppet Labs. Through this process I’ve forgotten about sasl. Installing the openldap-client package on the system and upgrading heimdal to the latest version caused the packages to come from upstream repositories that do not have the custom options necessary to glue together heimdal and openldap.

2015-05-15 · zach

ACL Recovery

I have managed to break everything. Ensure /etc/hosts contains both IPv6 and IPv4 for the FQDN of the local server. Don’t fuck up the ACL. Ensure that you allow unknown users to at least authenticate.

2014-10-14 · zach