Migrate 389-DS from RHEL6 to RHEL7

We have two LDAP servers running on RHEL6 with 389-DS with master-master replications. Now we are trying to migrate them to new servers on RHEL7.

Could someone please provide me with the steps to achieve this?


Assuming the servers are fully redundant (either one is sufficient to carry the full load), simply shut down replication & remove one of the servers. Deploy one of the new servers, install 389-DS on it, and configure replication between the old and new server. Once replication is complete, remove the second old server and replace it with the second new server.

There are a number of factors that can make the overall process more or less complicated; for example, doing this in a virtual machine environment is much easier & faster than with physical machines. If the servers are behind a load-balancer, the change will be less visible to clients and won't require matching hostnames (or IP addresses, in the case of the somewhat inflexible DNS environment that I have to work with). Much depends on your environment.

I was able to upgrade an 8-server environment (2 masters, 6 read-only replicas) in about 5 hours using a VM template, some Puppet configuration, and a set of bash scripts to automate re-configuring DS & replication (each server took about 40 minutes, including time for VM cloning and a full replication of a ~500k entry directory).

Thank you James for your response with valuable inputs.

We are running them as virtual machines in a VMware environment, and one should be able to carry the load I guess; otherwise we can plan it during a period with fewer operations.

I've got a couple of queries (Sorry in advance :( , might be silly) before getting into details on how we can achieve this:

  • Will replication work across different platforms (RHEL6 & RHEL7)?
  • Do we need to back up and restore the Directory Server from the old server to the new server before removing the old one and adding the new one?
  • How do we get the certificates and keys (NSS database) copied across to the new server?

Thanks, Arumugavel P

  • replication from RH DS 9.x (RHEL 6.x) to RH DS 10.x (RHEL 7.x) is supported
  • you should always have a backup. You should not need it for this upgrade, but definitely do a full LDIF export/backup, and consider taking a "cold" backup (with the application shut down) of all files with your standard system-level backup software.
  • I believe we simply copied the cert & key db files from our old servers to the new ones (but I could be wrong, it's been a while since we did it). Our host names did not change, so we did not need to acquire and deploy a new SSL certificate.

I have tried configuring single-master replication by configuring the current (RHEL6) server as supplier and the new server (RHEL7) as consumer, and created a replication agreement.

As soon as I initialise the consumer, all data is copied from supplier to consumer. Now, as per my understanding, the data on the consumer is a read-only replica and on the supplier is a read-write replica. So when the data gets changed on the supplier server, it will update the read-only replica on the consumer server.

But I am still able to update the data (for example, user entries) on the consumer server, and that gets updated on the supplier server. Could anyone please help with this? I have checked the replication agreement and that looks correct.