NethServer 7 to NS8 Migration, With External AD

I seem to have hit a snag with my migration of NS7 to NS8, with the biggest hurdle being the external AD.
As reported and requested here: NS8 migration - accounts provider? - Support - NethServer Community

For reasons I do not know yet, I seem not able to connect my NS8 node (clusteradmin) to the NS7 AD provider.

I opted for the simpler option, which turns out a bit harder than I had in mind.

  1. Expose the AD provider to the Internet on the firewall.
  2. Allow connections from the remote NS8 node.
  3. Connect to the AD provider on NS7, so basically adding a new AD external provider on my NS8 node.

Then begin the migration of the apps on the other node, in the hope that they would be able to connect to the AD.

2 Options
Since this is not currently possible, and even if I figure out the problem, it's not and should not be a long-term viable option.

I have 2 Options to do.

  1. Implement a WireGuard module in NS8, connect to the NS7 AD instance, that way they are talking on the same network, and connect to AD.
  2. Create a new server with NS8 in the location of the AD server, that way they have the same LAN connection. Migrate the AD provider from NS7 to NS8, connect the destination node to the new NS8 AD provider, since they would be on the same cluster, and should talk to each other as local.

The problem with Option 2:

  • Have to build a VPN module (probably doable from my end)
  • Have to also build and implement an SSO module for NS8 that integrates with the internal AD.

The problem with Option 1:

  • A VPN module for NS8 is required, not presently available
  • This is actually the easiest of the options

This is because a significant number of solutions and apps being used make use of SAML and OIDC to communicate.
The SSO module (LLNG) is deployed on the same server with AD, and all other AD-based connections are only through VPN, in this case IPsec.

@davidep is it not possible for the same WireGuard VPN that handles migration to be useful for standard connections between NS7 and NS8?

If not feasible, then a standard VPN module for NS8 is required, and would make things easier, for the moment, till all is migrated to NS8.

If a normal module for NS8 is created that has WireGuard, or something like WireGuard Easy, wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI. (github.com)

Will connections to the module from the NS7 WireGuard module be automatically localhost?

Optionally, since the other connections are IPsec-based, and NS7 has IPsec VPN, would implementing or installing this
hwdsl2/docker-ipsec-vpn-server: Docker image to run an IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2 (github.com)

automatically allow for NS7 and NS8 connections, or are there special permissions required for VPN to work on NS8?

Also, it seems IPsec using the Docker method requires a username and password during authentication, where the NS7 instance does not have one.
