DNS entries to aid auto discovery for clients:

_kerberos-master._tcp.magevent.net. 86400 IN SRV 0 100 88 freeipa.magevent.net.
_kerberos-master._udp.magevent.net. 86400 IN SRV 0 100 88 freeipa.magevent.net.
_kerberos._tcp.magevent.net. 86400 IN SRV 0 100 88 freeipa.magevent.net.
_kerberos._udp.magevent.net. 86400 IN SRV 0 100 88 freeipa.magevent.net.
_kerberos.magevent.net. 86400 IN TXT "MAGEVENT.NET"
_kpasswd._tcp.magevent.net. 86400 IN SRV 0 100 464 freeipa.magevent.net.
_kpasswd._udp.magevent.net. 86400 IN SRV 0 100 464 freeipa.magevent.net.
_ldap._tcp.magevent.net. 86400 IN SRV 0 100 389 freeipa.magevent.net.
ipa-ca.magevent.net. 86400 IN A 10.101.22.11

Useful LDAP Commands

# Finds all users with a display name (so not admin/system users) and prints each on one line; nice for awk stuff.
# Replace <domain> with your domain as it appears in the DNs. The sed steps join each dn line with the displayname line that follows it.
ldapsearch -x -W "(displayname=*)" displayname | sed -e '/c/N;y/\n/ /' | sed -e '/c/N;y/\n/ /' | grep <domain> | awk '{print $2" "$9" "$10}' | sed 's/,//' | grep -v displayname

Docker IPA Installation and Upgrade Guide

IPA Stuff

Installing:

Currently done via a bash script calling docker run. See /srv/freeipa on the docker box, or later in this document, for example scripts.

Caveats: The host box should have a second IP to forward IPA server traffic from. While not required, this lets the IPA container manage logins for the host box itself; without a secondary IP the host gets confused when it has to authenticate against the docker container running inside it.

Replicating:

Same as installing, but mildly different script

Backups and upgrading:

The volume/folder for the data needs to be copied carefully. I have found that cp -rap is sufficient to prevent issues. A normal cp -r or mv does seem to break something in the data, probably a symbolic link or the permissions on some of the files for service accounts used by a sub-component of IPA.

Steps to upgrade:

data for IPA docker volume is /ipadata

  1. Stop the IPA docker container
  2. Back up the IPA data: cp -rap /ipadata /ipadata_orig
  3. Pull the new docker image (tagged centos-8)
  4. Tag the previous image as a backup: docker tag <image-id> <repository>:<tag>
  5. Run the docker command. Note: you can delete the old container and reuse the same name, or use a new one; either should be fine. A new container name might be easier
  6. If the upgrade finishes without issues, good!
  7. If the upgrade fails, roll back:
     a. shift the centos-8 tag to the backup image
     b. put the backup folder contents back in the original volume location (using cp -rap!)
     c. run docker again; it should start back up fine
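An added script, not from these notes or the FreeIPA project, that does the backup and roll-back steps above and checks that cp -rap kept the symlinks and permission bits the text says a plain copy breaks. The image repository, container name and backup path are assumptions; only /ipadata and the centos-8 tag come from the notes.

```shell
# Added example, not from the original notes: back-up and roll-back half of the
# upgrade procedure, with a check that cp -rap preserved symlinks and file modes.
# IPADATA, BACKUP, IMAGE and CONTAINER are assumptions; override from the environment.
set -eu
IPADATA="${IPADATA:-/ipadata}"
BACKUP="${BACKUP:-${IPADATA}_orig}"
IMAGE="${IMAGE:-REPOSITORY}"          # placeholder for the image repository
CONTAINER="${CONTAINER:-freeipa}"     # assumed container name

# Copy the volume with -a so mode, owner, timestamps and symlinks all survive.
backup_ipadata() {
  src="$1"; dst="$2"
  [ -d "$src" ] || { echo "no such volume: $src" >&2; return 1; }
  [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
  cp -rap "$src" "$dst"
}

# Succeeds only if every symlink under src is still a symlink with the same
# target in dst and every regular file kept its permission bits (GNU stat).
verify_backup() {
  src="$1"; dst="$2"
  bad=$(find "$src" -mindepth 1 | while IFS= read -r path; do
    rel="${path#"$src"/}"
    if [ -L "$path" ]; then
      { [ -L "$dst/$rel" ] && [ "$(readlink "$path")" = "$(readlink "$dst/$rel")" ]; } \
        || echo "symlink broken: $rel"
    elif [ -f "$path" ]; then
      [ "$(stat -c %a "$path")" = "$(stat -c %a "$dst/$rel")" ] || echo "mode changed: $rel"
    fi
  done)
  [ -z "$bad" ] || { printf '%s\n' "$bad" >&2; return 1; }
}

# Stop, back up and verify, keep the old image reachable, then pull the new one;
# the new container is started afterwards with the usual docker run script.
upgrade_ipa() {
  docker stop "$CONTAINER"
  backup_ipadata "$IPADATA" "$BACKUP"
  verify_backup "$IPADATA" "$BACKUP"
  docker tag "$IMAGE:centos-8" "$IMAGE:centos-8-backup"
  docker pull "$IMAGE:centos-8"
}

# Roll back: put the backup tag back on centos-8 and restore the volume with cp -rap.
rollback_ipa() {
  docker tag "$IMAGE:centos-8-backup" "$IMAGE:centos-8"
  rm -rf "$IPADATA" && cp -rap "$BACKUP" "$IPADATA"
  verify_backup "$BACKUP" "$IPADATA"
}
```

Run verify_backup before deleting the old container; a "mode changed" or "symlink broken" line is the early warning for the breakage described above.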

IPA Migration and Replication Research

Caveat: I wrote this for work when I was looking into options to migrate their existing FreeIPA solutions to new containerized ones. The main good info is the first page, but I included the old analysis I did for migrating an existing FreeIPA to a new one in case it's useful either later on or for your own use, personally or professionally.

Option 1- Replicate to same domain

Components- Two Docker IPA containers running CentOS 8 and FreeIPA 4.8.4 in replica mode, living in 2 different VMs. Also DNS using bind on both VMs