Reuk has been having trouble, and as I move to iocage I no longer want to dance around the fact that reuk is running a set of jails configured one way while the rest of my prod systems run iocage a different way. This will remove the old-style jails and convert everything to iocage. These two jails (auth2 and auth3) both sit on reuk currently, and are some of the last to be converted because my jail provisioning system uses LDAP as its data store.

Hopefully this goes smoothish.

First up, add the non-existent auth4 and auth5 as replication peers.

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {2}rid=003 provider=ldaps://auth4.l.znet binddn="cn=config" bindmethod=simple credentials=asd searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: {3}rid=004 provider=ldaps://auth5.l.znet binddn="cn=config" bindmethod=simple credentials=asd searchbase="cn=config" type=refreshAndPersist retry="5 5 30 +" timeout=1

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 3 ldaps://auth4.l.znet

dn: cn=config
changetype: modify
add: olcServerID
olcServerID: 4 ldaps://auth5.l.znet

Now that the replication is set on the new hosts, take a backup.

/usr/local/sbin/slapcat -n1 > ldap.db
/usr/local/sbin/slapcat -n0 > ldap_config.db

This also included krb5 keys, but I don’t remember where that came from. The paths that are in the tarball are:

var/heimdal/
usr/local/etc/krb5.keytab
etc/krb5.keytab
etc/rc.conf
etc/opieaccess
etc/krb5.conf

Auth4 is on thurk, and auth5 is on meta4. Copy the backup tarball to each host. Get the jail up and online with puppet…

Extract and restore the databases on each system:

slapadd -F /usr/local/etc/openldap/slapd.d/ -n 0 < ldap_config.db
slapadd -F /usr/local/etc/openldap/slapd.d/ -n 1 < ldap.db

Copy the slapd_* config lines from rc.conf in previous posts, ensuring that the listen address is set correctly.

Start the daemons.

service slapd start

Note: /etc/hosts entries were required here because puppet on the nameserver was having trouble reaching the master.

LDAP at this point is up and online.

Next, copy the Heimdal master key from the extracted tar.

cp m-key /var/heimdal/
service kdc restart

Updating krb5.conf to point to auth4 was enough to get a ticket.

Created new principals:

host/auth4.l.znet
ldap/auth4.l.znet

And extracted keytabs for them (Heimdal kadmin commands):

ext_keytab -k /etc/krb5.keytab host/auth4.l.znet
ext_keytab -k /etc/krb5.keytab ldap/auth4.l.znet

Now update the configs to point to the new servers, then shut down the old nodes and remove them from the replication pool.
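Before the old nodes leave the pool, a check worth running (added here as an example, not part of the original write-up) is to confirm that auth4 and auth5 have actually converged with auth2 and auth3 by comparing the contextCSN each provider reports for the data suffix and for cn=config. The suffix, the host list and the bind arguments are assumptions passed in through environment variables.

```shell
#!/bin/sh
# Replication convergence check (added example, not from the original post).
# Each provider in a multi-master OpenLDAP ring carries one contextCSN per
# serverID it has seen (the #003# / #004# field); when every provider reports
# the same set of values, the ring is in sync and the old nodes can be retired.
# Assumptions: SUFFIX is a placeholder, HOSTS defaults to the names used in
# this post, EXTRA_ARGS holds your bind options (-x, or -D/-w, or -Y GSSAPI).
SUFFIX="${SUFFIX:-dc=example,dc=invalid}"
HOSTS="${HOSTS:-auth2.l.znet auth3.l.znet auth4.l.znet auth5.l.znet}"
: "${EXTRA_ARGS:=-x}"

# Pull contextCSN values out of LDIF on stdin, sorted so two hosts' output
# can be compared as plain strings regardless of attribute order.
csn_from_ldif() {
    sed -n 's/^contextCSN: //p' | sort
}

# Query one host ($1) for the contextCSN of one base ($2: suffix or cn=config).
fetch_csn() {
    ldapsearch -LLL -o ldif-wrap=no -H "ldaps://$1" -b "$2" -s base \
        $EXTRA_ARGS contextCSN 2>/dev/null | csn_from_ldif
}

# Return 0 when every argument equals the first, 1 otherwise (or if no args).
all_same() {
    [ $# -gt 0 ] || return 1
    first="$1"; shift
    for v in "$@"; do
        [ "$v" = "$first" ] || return 1
    done
    return 0
}

# Collect the CSN set from every host for one base and report any disagreement.
check_base() {
    base="$1"; rc=0
    set --
    for h in $HOSTS; do
        csn=$(fetch_csn "$h" "$base")
        if [ -z "$csn" ]; then
            echo "$h: no contextCSN for $base (down, unreachable or not a provider)"
            rc=1; continue
        fi
        echo "$h [$base]: $(printf '%s' "$csn" | tr '\n' ' ')"
        set -- "$@" "$csn"
    done
    all_same "$@" || { echo "MISMATCH on $base: leave the old nodes in the pool"; rc=1; }
    return $rc
}

# Run with: sh check_csn.sh --check   (exit 0 only when both bases agree everywhere)
case "${1:-}" in
    --check) rc=0; check_base "$SUFFIX" || rc=1; check_base cn=config || rc=1; exit $rc ;;
esac
```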