Jump to content

FeministWiki:Server setup: Difference between revisions

no edit summary
No edit summary
Line 32: Line 32:


Copy over {{C|~/.ssh/id_rsa}} and {{C|~/.ssh/id_rsa.pub}} from the old server onto the new one.  Make sure to set the permissions for the private key correctly: {{C|chmod 600 ~/.ssh/id_rsa}}
Copy over {{C|~/.ssh/id_rsa}} and {{C|~/.ssh/id_rsa.pub}} from the old server onto the new one.  Make sure to set the permissions for the private key correctly: {{C|chmod 600 ~/.ssh/id_rsa}}
=== Set up SSH access from the old server ===
Some of the commands further below need SSH access from the old server to the new server, using the {{C|feministwiki.dev}} domain name.  Since we've just copied over the public key of the old server, we can enable access from the old server with this simple command:
# Run on new server
cat .ssh/id_rsa.pub >> .ssh/authorized_keys
Further, to make our life easier, we can edit the SSH configuration on the old server so we don't have to manually specify the custom SSH port number every time.  Add a block like the following into {{C|~/.ssh/config}} on the old server, replacing {{C|<SSH_PORT>}} with the actual port number:
Host feministwiki.dev
    Port <SSH_PORT>


=== Set up firewall ===
=== Set up firewall ===
Line 188: Line 200:
  a2ensite fw-account fw-blogs fw-chat fw-files fw-forum fw-mail fw-wiki fw-xmpp
  a2ensite fw-account fw-blogs fw-chat fw-files fw-forum fw-mail fw-wiki fw-xmpp


== Copying over live data ==
=== OpenLDAP configuration database ===
 
We want to make a first run of this copy process purely for testing purposes.  Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.
 
Some of the commands here assume that you've set up ssh access from the old server into the new server.  For this to work, copy the contents of {{C|/root/.ssh/id_rsa.pub}} on the old server, and '''append them as an additional line''' onto {{C|/root/.ssh/authorized_keys}} on the new server.
 
=== LDAP databases ===


Stop the LDAP server and delete the existing configuration and data '''on the new server (careful!)''':
Stop the LDAP server and delete the configuration database '''on the new server (careful!)''':


  # Commands to run on the NEW (fresh) server:
  # Commands to run on the NEW (fresh) server:
  systemctl stop slapd
  systemctl stop slapd
  rm -r /etc/ldap/slapd.d/*
  rm -r /etc/ldap/slapd.d/*
rm /var/lib/ldap/data.mdb


Then copy over the config and data by running these commands from the old server:
Then copy over the configuration database, by running the following commands from the old server:


  slapcat -n 0 | ssh feministwiki.dev -p ${SSH_PORT} 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
  slapcat -n 0 | ssh feministwiki.dev -p ${SSH_PORT} 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'
slapcat -n 1 | ssh feministwiki.dev -p ${SSH_PORT} 'sudo -u openldap slapadd -n 1'


==== Breaking changes in OpenLDAP ====
==== Breaking changes in OpenLDAP ====


There might be incompatible changes between OpenLDAP (aka {{C|slapd}}) versions which require manual editing of the {{C|slapcat}} output before it's read in on the new server with {{C|slapadd}}.
There might be incompatible changes between OpenLDAP (aka {{C|slapd}}) versions which require manual editing of the {{C|slapcat}} output before it's read in on the new server with {{C|slapadd}}.  Following are two examples of this.
 
These particular issues won't apply anymore when you're reading this guide, since they are one-time issues related to migrating to a newer OpenLDAP version, but they serve as good examples.  (Also, no such clear explanation of the first problem seems to be found anywhere on the web, so maybe someone who searches the related error message below will come upon this guide and be happy!)
 
===== OpenLDAP Migration: Example Problem 1 =====
 
This problem occurs when migrating from OpenLDAP 2.4.42 or earlier, to 2.4.43 or later.


Here's one example that occurs when updating from OpenLDAP 2.4.42 or earlier to 2.4.43 or later: the ppolicy overlay has a new attribute in the newer version, so if you simply run the commands above, the first one (the one that copies the config database) will produce the following error message:
The ppolicy overlay gained a new attribute in OpenLDAP version 2.4.43, so if you simply run the command above which copies over the configuration database onto the new server, it will produce the following error message:


  User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
  User Schema load failed for attribute "pwdMaxRecordedFailure". Error code 17: attribute type undefined
Line 218: Line 228:
The solution is as follows:
The solution is as follows:


# On the new server, open {{C|/etc/ldap/schema/ppolicy.ldif}} and search for {{C|pwdMaxRecordedFailure}}.  You will note that there is a {{C|olcAttributeTypes: ...}} entry that defines it, and also it's listed in the {{C|MAY}} attributes block of the {{C|olcObjectClasses: ...}} entry that defines the {{C|pwdPolicy}} object class.
# On the new server, open {{C|/etc/ldap/schema/ppolicy.ldif}} and search for {{C|pwdMaxRecordedFailure}}.  You will see an {{C|olcAttributeTypes: ...}} entry that defines it.  Also, it's listed in the {{C|MAY}} attributes block of the {{C|olcObjectClasses: ...}} entry that defines the {{C|pwdPolicy}} object class.
# On the old server, save the output of {{C|slapcat -n 0}} to a file, open the file, and search for the block where the {{C|ppolicy}} schema is defined.  It should start with the line {{C|<nowiki>dn: cn={4}ppolicy,cn=schema,cn=config</nowiki>}} (the {{C|<nowiki>{4}</nowiki>}} part might contain a different integer, that's OK).  There, note that the {{C|olcAttributeTypes: ...}} entry for {{C|pwdMaxRecordedFailure}} is missing, and also it's not listed in the {{C|MAY}} list of the {{C|pwdPolicy}} object class definition.  Copy over the attribute type definition from the {{C|ppolicy.ldif}} file on the new server, and amend the {{C|MAY}} list to include it.
# On the old server, save the output of {{C|slapcat -n 0}} to a file, open it in a text editor, and search for the block where the {{C|ppolicy}} schema is defined.  It should start with the line {{C|<nowiki>dn: cn={4}ppolicy,cn=schema,cn=config</nowiki>}} (the {{C|<nowiki>{4}</nowiki>}} part might contain a different integer, that's OK).  There, note that the {{C|olcAttributeTypes: ...}} entry for {{C|pwdMaxRecordedFailure}} is missing, and also it's not listed in the {{C|MAY}} list of the {{C|pwdPolicy}} object class definition.  Copy over the attribute type definition from the {{C|ppolicy.ldif}} file on the new server, and amend the {{C|MAY}} list to include it.
 
===== OpenLDAP Migration: Example Problem 2 =====
 
This problem occurs when migrating to OpenLDAP 2.5, and although the change is bigger, the fix is easier.  The issue is actually documented in the OpenLDAP 2.5 Administrator's Guide, Appendix B.2:
 
https://www.openldap.org/doc/admin25/appendix-upgrading.html
 
The second paragraph tells us what to do:
 
<blockquote>In OpenLDAP 2.4 the slapo-ppolicy(5) overlay relied on a separate schema file to be included for it to function. This schema is now implemented internally in the slapo-ppolicy module. When upgrading slapd.conf(5) deployments the include statement for the schema must be removed. For slapd-config(5) deployments, the config database must be exported via slapcat and the old ppolicy schema removed from the export. The resulting config database can then be imported.</blockquote>
 
In simpler terms:
 
# Save the output of {{C|slapcat -n 0}} from the old server in a file:
#: <pre>slapcat -n 0 > slapcat.n0.out</pre>
# Open the file in a text editor and delete the block starting with the line {{C|<nowiki>dn: cn={4}ppolicy,cn=schema,cn=config</nowiki>}}, up to the next empty line (before the next block starting with a {{C|dn: ...}} line), and save the file.
# Feed the file to {{C|slapadd -n 1}} on the new server:
#: <pre>cat slapcat.n0.out | ssh feministwiki.dev -p ${SSH_PORT} 'sudo -u openldap slapadd -n 0 -F /etc/ldap/slapd.d'</pre>
 
== Copying over live data ==
 
We want to make a first run of this copy process purely for testing purposes.  Note that although some of the steps described in this section take a long time to finish, they can be done in parallel.
 
=== LDAP database ===
 
Delete the existing database '''on the new server (careful!)''':
 
rm /var/lib/ldap/data.mdb
 
Then copy over the database by running the following command from the old server:


The above is explained only for instructive purposes, since this particular fix will already have been applied by the time someone reads this guide. It's meant to give you an idea as to how backwards incompatible changes in OpenLDAP schema files can be amended when migrating to a newer version.  (Also, no such clear explanation of the fix seems to be found anywhere on the web, so maybe someone who searches the error message above will come upon this guide and be happy!)
slapcat -n 1 | ssh feministwiki.dev -p ${SSH_PORT} 'sudo -u openldap slapadd -n 1'


=== Contents of /var/www ===
=== Contents of /var/www ===