Chapter 6. Managing Replication Topology

This chapter describes how to manage replication between servers in an Identity Management (IdM) domain.
Note
This chapter describes simplified topology management introduced in Red Hat Enterprise Linux 7.3. The procedures require domain level 1 (see Chapter 7, Displaying and Raising the Domain Level).
For documentation on managing topology at domain level 0, see Section D.3, “Managing Replicas and Replication Agreements”.
For details on installing an initial replica and basic information on replication, see Chapter 4, Installing and Uninstalling Identity Management Replicas.

6.1. Explaining Replication Agreements, Topology Suffixes, and Topology Segments

Replication Agreements

Data stored on an IdM server is replicated based on replication agreements: when two servers have a replication agreement configured, they share their data.
Replication agreements are always bilateral: the data is replicated from the first replica to the other one as well as from the other replica to the first one.
Note
For additional details, see Section 4.1, “Explaining IdM Replicas”.

Topology Suffixes

Topology suffixes store the data that is replicated. IdM supports two types of topology suffixes: domain and ca. Each suffix represents a separate back end and therefore a separate replication topology.
When a replication agreement is configured, it joins two topology suffixes of the same type on two different servers.
The domain suffix: dc=example,dc=com
The domain suffix contains all domain-related data.
When two replicas have a replication agreement between their domain suffixes, they share directory data, such as users, groups, and policies.
The ca suffix: o=ipaca
The ca suffix contains data for the Certificate System component. It is only present on servers with a certificate authority (CA) installed.
When two replicas have a replication agreement between their ca suffixes, they share certificate data.

Figure 6.1. Topology Suffixes

An initial topology segment is set up between two servers by the ipa-replica-install script when installing a new replica.

Example 6.1. Viewing Topology Suffixes

The ipa topologysuffix-find command displays a list of topology suffixes:
$ ipa topologysuffix-find
---------------------------
2 topology suffixes matched
---------------------------
  Suffix name: ca
  Managed LDAP suffix DN: o=ipaca

  Suffix name: domain
  Managed LDAP suffix DN: dc=example,dc=com
----------------------------
Number of entries returned 2
----------------------------

Topology Segments

When two replicas have a replication agreement between their suffixes, the suffixes form a topology segment. Each topology segment consists of a left node and a right node. The nodes represent the servers joined in the replication agreement.
Topology segments in IdM are always bidirectional. Each segment represents two replication agreements: from server A to server B, and from server B to server A. The data is therefore replicated in both directions.

Figure 6.2. Topology Segments

Example 6.2. Viewing Topology Segments

The ipa topologysegment-find command shows the current topology segments configured for the domain or CA suffixes. For example, for the domain suffix:
$ ipa topologysegment-find
Suffix name: domain
-----------------
1 segment matched
-----------------
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
----------------------------
Number of entries returned 1
----------------------------
In this example, domain-related data is only replicated between two servers: server1.example.com and server2.example.com.
To display details for a particular segment only, use the ipa topologysegment-show command:
$ ipa topologysegment-show
Suffix name: domain
Segment name: server1.example.com-to-server2.example.com
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both
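As an added example that is not part of the Red Hat documentation, the following Python script parses ipa topologysegment-find output in the format shown above into an undirected graph (segments are bidirectional) and reports servers whose outage would leave other replicas unable to reach the rest; the sample output it embeds is constructed, not captured from a real IdM server.

```python
from collections import defaultdict
# Constructed sample in the `ipa topologysegment-find` output format; not from a real server.
SAMPLE_OUTPUT = """\
Suffix name: domain
  Segment name: server1.example.com-to-server2.example.com
  Left node: server1.example.com
  Right node: server2.example.com
  Connectivity: both

  Segment name: server2.example.com-to-server3.example.com
  Left node: server2.example.com
  Right node: server3.example.com
  Connectivity: both
"""

FIELDS = {"Left node": "left", "Right node": "right", "Connectivity": "connectivity"}
def parse_segments(text):
    """One dict per segment: name, left, right, connectivity."""
    segments = []
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        if key == "Segment name":          # a new segment record starts here
            segments.append({"name": value.strip()})
        elif key in FIELDS and segments:
            segments[-1][FIELDS[key]] = value.strip()
    return segments

def build_graph(segments):
    """Undirected adjacency: segments are bidirectional, so one edge each."""
    graph = defaultdict(set)
    for seg in segments:
        graph[seg["left"]].add(seg["right"])
        graph[seg["right"]].add(seg["left"])
    return dict(graph)

def reachable(graph, start, down=None):
    """Servers reachable from `start` while server `down` is unavailable."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node not in seen and node != down:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen

def single_points_of_failure(graph):
    """Servers whose outage would cut some replicas off from the rest."""
    spof = []
    for server in graph:
        others = [s for s in graph if s != server]
        if others and len(reachable(graph, others[0], down=server)) < len(others):
            spof.append(server)
    return sorted(spof)
```

With the sample topology, server2.example.com is the only path between the other two servers, so it is reported as a single point of failure; feeding the script real command output shows which replicas a redundant segment should connect.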