[11:31:43] we're planning to migrate the LDAP servers to trixie this quarter and since we also need to move from BDB to MDB we'll create entirely separate new clusters and import the data
[11:32:37] that would be an opportunity to address https://phabricator.wikimedia.org/T317183 and/or https://phabricator.wikimedia.org/T317184 as well, unless there are any restrictions on the WMCS side which would prevent that?
[11:33:23] as far as prod is concerned the only remaining two writing endpoints to LDAP are Bitu and the ldap-maint* servers
[11:34:14] in terms of writes from cloud I can think of Striker and Horizon, is there more?
[11:42:52] moritzm: sgtm. there are indeed no writes from the cloud vps network. there might be some tools reading data but still using the (rw) ldap-labs service names, but I think at this point the only way to find those is to break those connections
[11:48:40] moritzm: semi-relatedly, I'd like to see T397149 happen at some point, so unless you get that done as a part of that other LDAP work I might give it a go
[11:48:41] T397149: Make ldap-ro service available over IPv6 - https://phabricator.wikimedia.org/T397149
[11:50:07] let's first move to the new servers and then extend to ipv6 on the new hosts
[11:50:28] sounds good
[11:51:05] are there any constraints for access from cloud to the LDAP replicas, having them on private IPs would also be fine?
[11:59:49] all access goes via the LVS service with a public ip, so having the hosts themselves on private IPs is fine
[12:09:30] ack
[17:40:51] Keystone writes to the LDAP servers too. That's similar to the Horizon writing, but slightly different at least in origin hosts.
[18:01:27] Remind me when Horizon writes to ldap directly? As opposed to via a keystone hook?
[18:02:22] (I ask because I aspire to move Keystone to the misc k8s cluster, which I think would involve believing that it only ever accesses public endpoints)
[18:04:09] andrewbogott: the sudo screens write direct I think?
[18:04:37] I bet you're right.
[18:05:03] I guess that's not something that keystone has any business with at all; we'd have to write an api server for that.