Chapter 4. Setting up IdM Replicas

Replicas are essentially clones of existin Identity Management servers, and they share identical core configuration. The replica installation process, then, has two major parts: copying the existing, required server configuration and then installing the replica based on that information.

4.1. Planning the Server/Replica Topologies

In the IdM domain, there are three types of machines:
  • Servers, which manage all of the services used by domain members
  • Replicas, which are essentially copies of servers (and, once copied, are identical to servers)
  • Clients, which belong to the Kerberos domains, receive certificates and tickets issued by the servers, and use other centralized services for authentication and authorization
A replica is a clone of a specific IdM server. The server and replica share the same internal information about users, machines, certificates, and configured policies. These data are copied from the server to the replica in a process called replication. The two Directory Server instances used by an IdM server — the Directory Server instance used by the IdM server as a data store and the Directory Server instance used by the Dogtag Certificate System to store certificate information — are replicated over to corresponding consumer Directory Server instances used by the IdM replica. The different Directory Server instances recognize each other through replication agreements. An initial replication agreement is created between a master server and replica when the replica is created; additional agreements can be added to other servers or replicas using the ipa-replica-manage command.
Server and Replica Agreements

Figure 4.1. Server and Replica Agreements

Once they are installed, replicas are functionally identical to servers.
There are some guidelines with multi-master replication which place restrictions on the overall server/replica topology.
  • No more than four replication agreements can be configured on a single server/replica.
  • No more than 20 servers and replicas should be involved in a single Identity Management domain.
  • Every server/replica should have a minimum of two replication agreements to ensure that there are no orphan servers or replicas cut out of the IdM domain if another server fails.
One of the most resilient topologies is to create a cell configuration for the servers/replicas, where there are a small number of servers in a cell which all have replication agreements with each other (a tight cell), and then each server has one replication agreement with another server outside the cell, loosely coupling that cell to every other cell in the overall domain.
Example Topology

Figure 4.2. Example Topology

There are some recommendations on how to accomplish this easily:
  • Have at least one IdM server in each main office, data center, or locality. Preferably, have two IdM servers.
  • Do not have more than four servers per data center.
  • Rather than using a server or replica, small offices can use SSSD to cache credentials and use an off-site IdM server as its data backend.