Chapter 8. The Basics of Managing the IdM Server and Services

All of the access to Identity Management, both through the web UI and through the command line, is done by a user authenticating to the IdM domain. This chapter covers the basics of setting up browsers to handle Kerberos authentication, logging into Identity Management, and troubleshooting some common connection issues.

8.1. Starting and Stopping the IdM Domain

When an IdM server is installed, there are a number of different services which can be installed and configured with it in any combination, including (but not limited to) a Directory Server, a certificate authority, a web server, DNS, NTP, certmonger, and Kerberos.
All of these serveris work together in concert. Because there are dependencies between the services, the order in which services are started and stopped is critical.
When changes are made to a single service (such as the LDAP directory or the web server), then that individual service can be started and stopped using the service command. However, when multiple domain services need to be restarted (or the entire IdM server), then use the ipactl command, which always starts and stops services in the appropriate order.
Which services are configured for a specific IdM server are defined in the 389 Directory Server configuration, based on the hostname of the IdM server.[1] The 389 Directory Server service is always the first service started and the last service stopped. The rest of the run order depends on the configured services.
The ipactl command can start, stop, and restart services.
ipactl start | stop | restart
The chkconfig command sets what services to start automatically when the system restarts. The ipactl command can be used to start the domain services in the proper order, without having to configure each one individually in the chkconfig run order.
[root@server ~]# chkconfig ipactl on

[1] The hostname used in the directory lookup can be controlled in the /etc/ipa/default.conf configuration file.