Prepare for LDAP server upgrades

Created by Julio Polo
Last updated: Mar 03, 2021
2 min read

Our LDAP servers will be upgraded throughout March and April 2021.  The following will change:

  • Migrate from RHEL 6 to RHEL 7 servers
  • Require TLSv1.2
  • Underlying network changes may affect the IP address we see for your application. This could prevent your application from getting some data back.  Please test as described at the end of this page.

Upgrade calendar:

DateTEST ENVIRONMENTPRODUCTION ENVIRONMENTWHAT YOU SHOULD DO
March 2, 2021ldap-test.its.hawaii.edu

Ensure that your connections to ldap-test.its.hawaii.edu are using TLSv1.2 or higher.

After the upgrade, verify that your application can still connect and bind to ldap-test.its.hawaii.edu.

After the upgrade, verify that your connection to ldap-test.its.hawaii.edu can read all the attributes it needs. This is important.**

If your test environment breaks on March 2, you can temporarily point to the original servers by using ldap-test2.its.hawaii.edu as the ldap host name.  You won't have this backup option in production, so be sure to update your application to use TLSv1.2 before April 4!

April 4, 2021

ldap.hawaii.edu

(plus other production LDAP servers designated for special use such as ldap1.its.hawaii.edu and a few others)

Ensure that your connections to ldap.hawaii.edu are using TLSv1.2 or higher prior to April 4.

After the upgrade, verify that your application can still connect and bind to ldap.hawaii.edu.

After the upgrade, verify that your connection to ldap.hawaii.edu can read all the attributes it needs . This is important.**

If you are using any of the other production LDAP servers, be sure to perform all of the above for those other servers too.

**The new network for the servers may change the IP address we see for your application, and this can quietly affect your permissions to read certain attributes.  If you suspect this problem after an upgrade, please contact its-iam-help@lists.hawaii.edu and provide the name of the LDAP server, the date, time and special DN that you used for the connection. To prevent this issue from becoming a big problem when production LDAP is upgraded, you should perform the following before 4/4/2021:

  • Please test against ldap-prod2.its.hawaii.edu.  This is a temporary hostname to access the new production LDAP servers.
  • The temporary ldap-prod2 host is kept in sync with production ldap.hawaii.edu and therefore has real, live data.  Use your production passwords when testing against ldap-prod2.
  • You should test by connecting to ldap-prod2 from the same servers that run your application.  Perform a search, retrieve attributes and verify that you are not missing any data you expect.
  • If possible, you should test ldap-prod2 from an equivalent instance of your application (as opposed to using the unix ldapsearch command, for example).
  • If you do not follow these test procedures, you may not be fully testing for the potential TLS and IP address issues coming with this upgrade.