From 1c221468471ae8d6eb9da33be43fb5c73d185590 Mon Sep 17 00:00:00 2001 From: 24apricots Date: Sun, 10 May 2026 00:25:17 -0700 Subject: [PATCH 1/3] ldap/kdc: switch to eel with firestorm as a backup eel is our new ldap and kdc server. during migration, firestorm (old server) will be the secondary ldap/kdc in case things break. --- modules/ocf/files/auth/krb5.conf | 3 ++- modules/ocf/files/auth/ldap/ldap.conf | 2 +- modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/ocf/files/auth/krb5.conf b/modules/ocf/files/auth/krb5.conf index 8d9c962dc..d66a491bc 100644 --- a/modules/ocf/files/auth/krb5.conf +++ b/modules/ocf/files/auth/krb5.conf @@ -26,8 +26,9 @@ [realms] OCF.BERKELEY.EDU = { + kdc = kdc.ocf.berkeley.edu kdc = kerberos.ocf.berkeley.edu - admin_server = kerberos.ocf.berkeley.edu + admin_server = kdc.ocf.berkeley.edu } [domain_realm] diff --git a/modules/ocf/files/auth/ldap/ldap.conf b/modules/ocf/files/auth/ldap/ldap.conf index 2287097e9..c49c43d5e 100644 --- a/modules/ocf/files/auth/ldap/ldap.conf +++ b/modules/ocf/files/auth/ldap/ldap.conf @@ -1,5 +1,5 @@ # LDAP server and SSL options -uri ldaps://ldap.ocf.berkeley.edu +uri ldaps://ldap0.ocf.berkeley.edu ldaps://ldap.ocf.berkeley.edu tls_reqcert hard tls_cacert /etc/ssl/certs/ca-certificates.crt diff --git a/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf b/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf index b6126d758..0ecca8019 100644 --- a/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf +++ b/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf @@ -2,7 +2,7 @@ # http://www.postfix.org/ldap_table.5.html # http://postfix.1071664.n5.nabble.com/Postfix-ldap-table-authenticate-to-LDAP-using-GSSAPI-or-EXTERNAL-td54278.html -server_host = ldaps://ldap.ocf.berkeley.edu/ +server_host = ldaps://ldap0.ocf.berkeley.edu/ start_tls = no tls_require_cert = no tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt 
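Review bot: In the krb5.conf hunk, `admin_server` moves to `kdc.ocf.berkeley.edu` while `kerberos.ocf.berkeley.edu` stays listed as a second `kdc`, and nothing visible says how the two KDC databases are kept in step. If the old host does not receive propagation from the new one (not visible here), a password changed or a principal disabled through the new admin server would still be honoured in its old state whenever a client falls back to the second entry. I would add a comment above the two lines, such as `# kdc.ocf.berkeley.edu = new primary; kerberos.ocf.berkeley.edu = pre-migration server, fallback only, must receive propagation from the primary`. Also consider `master_kdc = kdc.ocf.berkeley.edu`, so that a failed password check is retried against the authoritative server. The `[realms]` block continues outside the hunk.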
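Review bot: In the ldap.conf hunk, `tls_reqcert hard` stays in force, so the new first URI only works if `ldap0.ocf.berkeley.edu` presents a certificate that carries that name and chains to `/etc/ssl/certs/ca-certificates.crt`. If it does not, clients will quietly fail over to the second URI and the migration will look successful while every lookup still reaches the old server. It is worth confirming the certificate on the new host before rollout. Document the ordering in the file with a comment above the line, e.g. `# URIs are tried in order: ldap0 (new server) first, ldap (old server) as fallback during the migration`. Keeping `tls_reqcert hard` is the right call and should not be relaxed to get the new host working.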
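Review bot: In the ldap-aliases.cf hunk, `server_host` is repointed at a new hostname while the unchanged context line `tls_require_cert = no` means Postfix does not verify that server's certificate. Alias lookups decide where mail is delivered, so the directory answering them should be authenticated. The CA bundle is already configured on the following line, so `tls_require_cert = yes` should be sufficient once the new host's certificate is valid. Unlike the ldap.conf hunk, this one also drops the old server instead of keeping it as a fallback, which does not match the commit message. If the fallback is intended, use `server_host = ldaps://ldap0.ocf.berkeley.edu/ ldaps://ldap.ocf.berkeley.edu/`. The same `tls_require_cert = no` line is still present after the revert in [PATCH 3/3].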
From c1cde0cbdefae8662c99d5144dae04c9c691c8d6 Mon Sep 17 00:00:00 2001 From: jaysa Date: Sun, 10 May 2026 06:26:50 -0700 Subject: [PATCH 2/3] disable ldap-git-backup cronjob for firestorm --- modules/ocf_ldap/manifests/init.pp | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/ocf_ldap/manifests/init.pp b/modules/ocf_ldap/manifests/init.pp index eacf5c0ec..ed8976371 100644 --- a/modules/ocf_ldap/manifests/init.pp +++ b/modules/ocf_ldap/manifests/init.pp @@ -82,17 +82,17 @@ # Daily local git backup package { 'ldap-git-backup':; } - cron { 'ldap-git-backup': - # Back up all of LDAP, including configuration options - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721155 - # - # Make sure this occurs before the rsync backup for rsnapshot, since this - # ensures we have a more recent daily backup stored on our backup server - command => '/usr/sbin/ldap-git-backup', - minute => 0, - hour => 1, - require => Package['ldap-git-backup']; - } + # cron { 'ldap-git-backup': + # # Back up all of LDAP, including configuration options + # # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721155 + # # + # # Make sure this occurs before the rsync backup for rsnapshot, since this + # # ensures we have a more recent daily backup stored on our backup server + # command => '/usr/sbin/ldap-git-backup', + # minute => 0, + # hour => 1, + # require => Package['ldap-git-backup']; + # } file { # Use the puppet cron task instead of the packaged cron script for more From 99fcd2ec53d2d4de4ac7e8e24351e454da699603 Mon Sep 17 00:00:00 2001 From: jaysa Date: Sun, 10 May 2026 10:20:00 -0700 Subject: [PATCH 3/3] revert changes for now. thank you michael. almost t here. --- modules/ocf/files/auth/krb5.conf | 3 +-- modules/ocf/files/auth/ldap/ldap.conf | 2 +- modules/ocf_ldap/manifests/init.pp | 22 +++++++++---------- .../files/site_ocf/postfix/ldap-aliases.cf | 2 +- 4 files changed, 14 insertions(+), 15 deletions(-) 
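Review bot: Commenting the `cron { 'ldap-git-backup': … }` resource out does not remove the job. Puppet simply stops managing a resource that leaves the catalog, so the crontab entry already installed on the old server keeps running `/usr/sbin/ldap-git-backup` at 01:00 unless cron resources are purged elsewhere. To actually disable it, keep the resource and set it absent, e.g. `cron { 'ldap-git-backup': ensure => absent; }`. Nothing in this hunk is host-specific, so the change also drops the daily LDAP backup on any other node that includes this class, presumably including the new server. If only firestorm is meant, guard the resource on the hostname and state that in a comment, so the directory is not left without a local backup during the migration. The enclosing class starts and ends outside the hunk.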
diff --git a/modules/ocf/files/auth/krb5.conf b/modules/ocf/files/auth/krb5.conf index d66a491bc..8d9c962dc 100644 --- a/modules/ocf/files/auth/krb5.conf +++ b/modules/ocf/files/auth/krb5.conf @@ -26,9 +26,8 @@ [realms] OCF.BERKELEY.EDU = { - kdc = kdc.ocf.berkeley.edu kdc = kerberos.ocf.berkeley.edu - admin_server = kdc.ocf.berkeley.edu + admin_server = kerberos.ocf.berkeley.edu } [domain_realm] diff --git a/modules/ocf/files/auth/ldap/ldap.conf b/modules/ocf/files/auth/ldap/ldap.conf index c49c43d5e..2287097e9 100644 --- a/modules/ocf/files/auth/ldap/ldap.conf +++ b/modules/ocf/files/auth/ldap/ldap.conf @@ -1,5 +1,5 @@ # LDAP server and SSL options -uri ldaps://ldap0.ocf.berkeley.edu ldaps://ldap.ocf.berkeley.edu +uri ldaps://ldap.ocf.berkeley.edu tls_reqcert hard tls_cacert /etc/ssl/certs/ca-certificates.crt diff --git a/modules/ocf_ldap/manifests/init.pp b/modules/ocf_ldap/manifests/init.pp index ed8976371..eacf5c0ec 100644 --- a/modules/ocf_ldap/manifests/init.pp +++ b/modules/ocf_ldap/manifests/init.pp 
@@ -82,17 +82,17 @@ # Daily local git backup package { 'ldap-git-backup':; } - # cron { 'ldap-git-backup': - # # Back up all of LDAP, including configuration options - # # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721155 - # # - # # Make sure this occurs before the rsync backup for rsnapshot, since this - # # ensures we have a more recent daily backup stored on our backup server - # command => '/usr/sbin/ldap-git-backup', - # minute => 0, - # hour => 1, - # require => Package['ldap-git-backup']; - # } + cron { 'ldap-git-backup': + # Back up all of LDAP, including configuration options + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721155 + # + # Make sure this occurs before the rsync backup for rsnapshot, since this + # ensures we have a more recent daily backup stored on our backup server + command => '/usr/sbin/ldap-git-backup', + minute => 0, + hour => 1, + require => Package['ldap-git-backup']; + } file { # Use the puppet cron task instead of the packaged cron script for more diff --git a/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf b/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf index 0ecca8019..b6126d758 100644 --- a/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf +++ b/modules/ocf_mail/files/site_ocf/postfix/ldap-aliases.cf @@ -2,7 +2,7 @@ # http://www.postfix.org/ldap_table.5.html # http://postfix.1071664.n5.nabble.com/Postfix-ldap-table-authenticate-to-LDAP-using-GSSAPI-or-EXTERNAL-td54278.html -server_host = ldaps://ldap0.ocf.berkeley.edu/ +server_host = ldaps://ldap.ocf.berkeley.edu/ start_tls = no tls_require_cert = no tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt