Chapter 17. Installing an IdM replica

The following sections describe how to install an Identity Management (IdM) replica based on an existing server. The replica installation process copies the configuration of the existing server, and installs the replica based on that configuration.

Note

Install one IdM replica at a time. The installation of multiple replicas at the same time is not supported.

Before installing a replica, the target system must be authorized for enrollment in the IdM domain. See Section 17.1, “Prerequisites for installing a replica on an IdM client” and Section 17.2, “Prerequisites for installing a replica on a system outside the IdM domain”.

For the replica installation procedures, see Section 17.3 through Section 17.6.

To troubleshoot the replica installation procedure, see:

After the installation, see Section 17.7, “Testing an IdM replica” and Section 17.8, “Connections performed during an IdM replica installation”.

17.1. Prerequisites for installing a replica on an IdM client

When installing a replica on an existing client, choose one of the following authorization methods.

A privileged user’s credentials

Choose this method to authorize the replica installation by providing a privileged user’s credentials:

  • Log in as the privileged user before running the ipa-replica-install utility. The default privileged user is admin:

    $ kinit admin
  • Let Identity Management (IdM) prompt you for the credentials interactively. This is the default behavior.

The ipaservers host group

Choose this method to authorize the replica installation by adding the client to the ipaservers host group. Membership in ipaservers grants the machine elevated privileges analogous to the administrator’s credentials.

To add the client as a member of ipaservers:

$ kinit admin
$ ipa hostgroup-add-member ipaservers --hosts replica.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.idm.example.com, replica.example.com
-------------------------
Number of members added 1
-------------------------

17.2. Prerequisites for installing a replica on a system outside the IdM domain

When you run the ipa-replica-install utility on a system that has not yet been enrolled in the Identity Management (IdM) domain, ipa-replica-install first enrolls the system as a client and then installs the replica components.

When installing a replica on a system outside the IdM domain, choose one of the following authorization methods.

A privileged user’s credentials

Using this method, the replica installation is authorized by providing a privileged user’s credentials. The default privileged user is admin.

To use this method, add the principal name and password options (--principal admin --admin-password password) to ipa-replica-install directly during the installation.

A random password generated on an IdM server

Using this method, the replica installation is authorized by providing a random password for one-time enrollment.

To generate the random password for the future replica and add the future replica system to the ipaservers host group, use these commands on any server in the domain:

  1. Log in as the administrator.

    $ kinit admin
  2. Add the new machine as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the replica installation.

    $ ipa host-add replica.example2.com --random
    --------------------------------------------------
    Added host "replica.example2.com"
    --------------------------------------------------
      Host name: replica.example2.com
      Random password: W5YpARl=7M.n
      Password: True
      Keytab: False
      Managed by: server.example.com

    The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.

  3. Add the machine to the ipaservers host group.

    $ ipa hostgroup-add-member ipaservers --hosts replica.example2.com
      Host-group: ipaservers
      Description: IPA server hosts
      Member hosts: server.example.com, replica.example2.com
    -------------------------
    Number of members added 1
    -------------------------

    Membership in ipaservers grants the machine elevated privileges required to set up the necessary server services.

17.3. Installing an IdM replica with integrated DNS

This procedure describes installing a replica:

  • With integrated DNS
  • Without a certificate authority (CA) in an Identity Management (IdM) environment in which a CA is already installed. The replica will forward all certificate operations to the IdM server with a CA installed.

Procedure

  1. Run ipa-replica-install with these options:

    • --setup-dns to configure the replica as the DNS server
    • --forwarder to specify a forwarder, or --no-forwarder if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use --forwarder multiple times.

    For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1

    Note

    The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is ipa.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time you install an IdM DNS server.

17.4. Installing an IdM replica with a CA

This procedure describes installing a replica:

  • Without integrated DNS
  • With a certificate authority (CA)

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the master server.

For example, if the server includes an integrated Identity Management (IdM) CA as the root CA, the replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

The inclusion of the --setup-ca option in the ipa-replica-install command takes care of copying the CA configuration of the initial server.

Procedure

  1. Run ipa-replica-install with the --setup-ca option.

    # ipa-replica-install --setup-ca

  2. Add the newly created IdM DNS service records to your DNS server:

    1. Export the IdM DNS service records into a file in the nsupdate format:

      $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate

    2. Submit a DNS update request to your DNS server using the nsupdate utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in the RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.

17.5. Installing an IdM replica without a CA

This procedure describes installing a replica:

  • Without integrated DNS
  • Without a certificate authority (CA) by providing the required certificates manually. The assumption here is that the master server was also installed without a CA.

Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

Procedure

  • Run ipa-replica-install, and provide the required certificate files by adding these options:

    • --dirsrv-cert-file
    • --dirsrv-pin
    • --http-cert-file
    • --http-pin

    For details about the files that are provided using these options, see Section 4.1, “Certificates required to install an IdM server without a CA”.

    For example:

    # ipa-replica-install \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret

    Note

    Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the master server.
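The Important note above says the files passed with --dirsrv-cert-file and --http-cert-file must carry the full CA chain, and the installer will also reject a key that does not belong to the certificate. The following pre-flight script is an added example (not part of the Red Hat documentation or the IdM project) that checks both conditions with openssl before ipa-replica-install is run. It assumes the certificate file is a PEM bundle with the server certificate first followed by the issuing chain up to the root, and that the key is a separate PEM file; the throwaway CA and server certificate it generates are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: pre-flight check of the certificate bundle and key handed to
# ipa-replica-install via --dirsrv-cert-file/--http-cert-file.
# Assumption (not from the page): PEM bundle = server cert first, then CA chain.

# split_bundle BUNDLE LEAF_OUT CHAIN_OUT
# First certificate goes to LEAF_OUT, every following one to CHAIN_OUT.
# Fails when the bundle carries no CA chain after the server certificate.
split_bundle() {
  awk -v leaf="$2" -v chain="$3" '
    /BEGIN CERTIFICATE/ { n++ }
    { if (n == 1) print > leaf; else if (n > 1) print > chain }
  ' "$1"
  [ -s "$3" ]
}

# check_replica_certs BUNDLE KEY_FILE
# Returns 0 when (a) the bundled chain validates the server certificate and
# (b) KEY_FILE is the private key matching that certificate.
check_replica_certs() {
  bundle="$1"; key="$2"; rc=0
  tmp=$(mktemp -d)
  if ! split_bundle "$bundle" "$tmp/leaf.pem" "$tmp/chain.pem"; then
    echo "$bundle: no CA chain after the server certificate" >&2
    rc=1
  elif ! openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    echo "$bundle: server certificate does not chain to the bundled CA" >&2
    rc=1
  elif [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
    echo "$key: private key does not match $bundle" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# make_demo_pki DIR: constructed throwaway CA + server certificate so the check
# can be exercised offline. These are NOT real IdM or Red Hat certificates.
make_demo_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=ConstructedDemoCA -days 1 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=replica.example.com \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
  cat "$d/server.crt" "$d/ca.crt" > "$d/server-bundle.pem"     # leaf + chain
  cp "$d/server.crt" "$d/server-nochain.pem"                     # leaf only
  openssl genpkey -algorithm RSA -out "$d/other.key" 2>/dev/null # unrelated key
}

# Stand-alone demonstration on the constructed PKI.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_replica_certs "$demo/server-bundle.pem" "$demo/server.key" && echo "bundle OK"
check_replica_certs "$demo/server-nochain.pem" "$demo/server.key" || echo "rejected: no chain"
check_replica_certs "$demo/server-bundle.pem" "$demo/other.key" || echo "rejected: key mismatch"
rm -rf "$demo"
```

On a real host, replace the constructed files with the /tmp/server.crt and /tmp/server.key from the procedure above; the same key and bundle are checked once, since the example passes the same pair for both the Directory Server and Apache options.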

17.6. Installing an IdM hidden replica

A hidden (unadvertised) replica is an IdM server that has all services running and available. However, it has no SRV records in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect these hidden replicas.

For further details about hidden replicas, see The hidden replica mode.

Procedure

  • To install a hidden replica, use the following command:

    # ipa-replica-install --hidden-replica

Note that the command installs a replica without DNS SRV records and with disabled LDAP server roles.

You can also change the mode of an existing replica to hidden. For details, see Demotion and promotion of hidden replicas.

17.7. Testing an IdM replica

After creating a replica, verify that it replicates data as expected by using the following procedure.

Procedure

  1. Create a user on the new replica:

    [admin@new_replica ~]$ ipa user-add test_user

  2. Make sure the user is visible on another replica:

    [admin@another_replica ~]$ ipa user-show test_user
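A single ipa user-show run immediately after user-add can fail simply because the replication agreement has not caught up yet. The script below is an added example (not from the Red Hat documentation or the IdM project) that performs the two steps above as one round trip with a bounded wait and then removes the test user. It assumes an admin Kerberos ticket on both hosts, that `ipa` is on PATH, and that the other replica is reached by running `ipa` over SSH on a host named in REMOTE_HOST; the stub used to run it offline is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: create a user on this replica, wait for it to appear on another
# replica, then clean up. Assumptions (not from the page): ipa on PATH, admin
# tickets on both hosts, REMOTE_HOST reachable over SSH.
LOCAL_IPA="${LOCAL_IPA:-ipa}"
REMOTE_IPA="${REMOTE_IPA:-ssh ${REMOTE_HOST:-another_replica.example.com} ipa}"

# wait_for_user LOGIN TIMEOUT_SECONDS POLL_INTERVAL
# Polls `ipa user-show LOGIN` on the other replica; 0 when found, 1 on timeout.
wait_for_user() {
  login="$1"; limit="$2"; interval="$3"; waited=0
  while ! $REMOTE_IPA user-show "$login" >/dev/null 2>&1; do
    if [ "$waited" -ge "$limit" ]; then
      echo "timeout: $login not visible on the other replica after ${limit}s" >&2
      return 1
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "$login visible on the other replica after ~${waited}s"
  return 0
}

# replication_roundtrip LOGIN [TIMEOUT] [INTERVAL]
# Returns 0 if the user created here replicated in time; 2 if user-add failed;
# 1 on timeout. The test user is deleted afterwards either way.
replication_roundtrip() {
  login="$1"; limit="${2:-60}"; interval="${3:-2}"
  # --first/--last avoid the interactive prompts of a bare `ipa user-add`.
  if ! $LOCAL_IPA user-add "$login" --first Test --last User >/dev/null; then
    echo "user-add $login failed on the local replica" >&2
    return 2
  fi
  wait_for_user "$login" "$limit" "$interval"
  result=$?
  $LOCAL_IPA user-del "$login" >/dev/null 2>&1
  return $result
}
```

Run it as `replication_roundtrip test_user` on the new replica with REMOTE_HOST set to the other replica; a non-zero exit means the user never showed up within the timeout, which points at the replication agreement rather than at the installer.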

17.8. Connections performed during an IdM replica installation

Table 17.1, “Requests performed during an IdM replica installation” lists the operations performed by ipa-replica-install, the Identity Management (IdM) replica installation tool.

Table 17.1. Requests performed during an IdM replica installation

Operation: DNS resolution against the DNS resolvers configured on the client system
Protocol used: DNS
Purpose: To discover the IP addresses of IdM masters

Operation: Requests to port 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM masters
Protocol used: Kerberos
Purpose: To obtain a Kerberos ticket

Operation: JSON-RPC calls to the IdM Apache-based web service on the discovered or configured IdM masters
Protocol used: HTTPS
Purpose: IdM client enrollment; replica key retrieval and certificate issuance if required

Operation: Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both
Protocol used: LDAP
Purpose: IdM client enrollment; CA certificate chain retrieval; LDAP data replication

Operation: Requests over TCP/TCP6 to port 22 on the IdM server
Protocol used: SSH
Purpose: To check if the connection is working

Operation: (optionally) Access over port 8443 (TCP/TCP6) on the IdM master
Protocol used: HTTPS
Purpose: To administer the Certificate Authority on the IdM master (only during IdM master and replica installation)
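Because every connection in Table 17.1 is initiated by the future replica, a firewall that blocks any of these ports on the master shows up only as a failure part-way through ipa-replica-install. The script below is an added example (not from the Red Hat documentation or the IdM project) that probes the TCP ports from the table before the installer is started. It assumes bash with /dev/tcp support and the coreutils `timeout` command, takes HTTPS to mean port 443 (the table names the protocol, not the port), treats 8443 as optional as the table does, and does not probe UDP 88, since a closed UDP port returns nothing that distinguishes it from a slow one.

```shell
#!/bin/sh
# Added example: pre-flight reachability check of the master's ports listed in
# Table 17.1, run from the future replica. Assumptions (not from the page):
# bash is available for /dev/tcp, `timeout` from coreutils exists, HTTPS = 443.

# port:name pairs taken from Table 17.1; 8443 is optional (CA administration).
IDM_TCP_PORTS="88:kerberos 389:ldap 443:https 22:ssh 8443:ca-https"

# tcp_open HOST PORT [TIMEOUT_SECONDS]: 0 if a TCP connection is established.
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# preflight HOST: probe each port, print one line per port, and return the
# number of *required* ports that were unreachable (0 means ready to install).
preflight() {
  host="$1"; failed=0
  for entry in $IDM_TCP_PORTS; do
    port="${entry%%:*}"; name="${entry#*:}"
    if tcp_open "$host" "$port"; then
      echo "ok    $host:$port ($name)"
    elif [ "$port" = 8443 ]; then
      echo "warn  $host:$port ($name) unreachable; only needed when the master's CA is used"
    else
      echo "FAIL  $host:$port ($name) unreachable"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Stand-alone use: preflight server.example.com (constructed name, replace it).
[ -n "${IDM_MASTER:-}" ] && preflight "$IDM_MASTER"
```

Run `IDM_MASTER=server.example.com sh preflight.sh` on the future replica; any FAIL line must be resolved in the network path before rerunning ipa-replica-install, whereas a warn line on 8443 matters only for a replica that will use the master's CA.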