Chapter 18. Installing an IdM replica
The following sections describe how to install an Identity Management (IdM) replica based on an existing server. The replica installation process copies the configuration of the existing server, and installs the replica based on that configuration.
Install one IdM replica at a time. The installation of multiple replicas at the same time is not supported.
Before installing a replica, the target system must be authorized for enrollment in the IdM domain. See:
For the replica installation procedures, see:
To troubleshoot the replica installation procedure, see:
After the installation, see:
18.1. Prerequisites for installing a replica on an IdM client
When installing a replica on an existing client, choose one of the following authorization methods.
- A privileged user’s credentials
Choose this method to authorize the replica installation by providing a privileged user’s credentials:
Log in as the privileged user before running the
ipa-replica-install
utility. The default privileged user isadmin
:$ kinit admin
- Let Identity Management (IdM) prompt you for the credentials interactively. This is the default behavior.
- The
ipaservers
host group Choose this method to authorize the replica installation by adding the client to the
ipaservers
host group. Membership inipaservers
grants the machine elevated privileges analogous to the administrator’s credentials.To add the client as a member of
ipaservers
:$ kinit admin
$ ipa hostgroup-add-member ipaservers --hosts replica.idm.example.com Host-group: ipaservers Description: IPA server hosts Member hosts: server.idm.example.com, client.idm.example.com ------------------------- Number of members added 1 -------------------------
18.2. Prerequisites for installing a replica on a system outside the IdM domain
When you run the ipa-replica-install
utility on a system that has not yet been enrolled in the Identity Management (IdM) domain, ipa-replica-install
first enrolls the system as a client and then installs the replica components.
When installing a replica on a system outside the IdM domain, choose one of the following authorization methods.
- A privileged user’s credentials
Using this method, the replica installation is authorized by providing a privileged user’s credentials. The default privileged user is
admin
.To use this method, add the principal name and password options (
--principal admin --admin-password password
) toipa-replica-install
directly during the installation.
- A random password generated on an IdM server
Using this method, the replica installation is authorized by providing a random password for one-time enrollment.
To generate the random password for the future replica and add the future replica system to the
ipaservers
host group, use these commands on any server in the domain:Log in as the administrator.
$ kinit admin
Add the new machine as an IdM host. Use the
--random
option with theipa host-add
command to generate a random one-time password to be used for the replica installation.$ ipa host-add replica.example2.com --random -------------------------------------------------- Added host "replica.example2.com" -------------------------------------------------- Host name: replica.example2.com Random password: W5YpARl=7M.n Password: True Keytab: False Managed by: server.example.com
The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.
Add the machine to the
ipaservers
host group.$ ipa hostgroup-add-member ipaservers --hosts replica.example2.com Host-group: ipaservers Description: IPA server hosts Member hosts: server.example.com, replica.example2.com ------------------------- Number of members added 1 -------------------------
Membership in
ipaservers
grants the machine elevated privileges required to set up the necessary server services.
18.3. Installing an IdM replica with integrated DNS
This procedure describes installing a replica:
- With integrated DNS
- Without a certificate authority (CA) in an Identity Management (IdM) environment in which a CA is already installed. The replica will forward all certificate operations to the IdM server with a CA installed.
Procedure
Run
ipa-replica-install
with these options:-
--setup-dns
to configure the replica as the DNS server -
--forwarder
to specify a forwarder, or--no-forwarder
if you do not want to use any forwarders. To specify multiple forwarders for failover reasons, use--forwarder
multiple times.
For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:
# ipa-replica-install --setup-dns --forwarder 192.0.2.1
NoteThe
ipa-replica-install
utility accepts a number of other options related to DNS settings, such as--no-reverse
or--no-host-dns
. For more information about them, see the ipa-replica-install(1) man page.-
After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is
ipa.example.com
, add a name server (NS) record to theexample.com
parent domain.ImportantRepeat this step each time after you installed an IdM DNS server.
18.4. Installing an IdM replica with a CA
This procedure describes installing a replica:
- Without integrated DNS
- With a certificate authority (CA)
When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.
For example, if the server includes an integrated Identity Management (IdM) CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.
The inclusion of the --setup-ca
option in the ipa-replica-install
command takes care of copying the CA configuration of the initial server.
Procedure
Run
ipa-replica-install
with the--setup-ca
option.# ipa-replica-install --setup-ca
Add the newly created IdM DNS service records to your DNS server:
Export the IdM DNS service records into a file in the
nsupdate
format:$ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
-
Submit a DNS update request to your DNS server using the
nsupdate
utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.
18.5. Installing an IdM replica without a CA
This procedure describes installing a replica:
- Without integrated DNS
- Without a certificate authority (CA) by providing the required certificates manually. The assumption here is that the first server was installed without a CA.
You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.
Procedure
Run
ipa-replica-install
, and provide the required certificate files by adding these options:-
--dirsrv-cert-file
-
--dirsrv-pin
-
--http-cert-file
-
--http-pin
For details about the files that are provided using these options, see Section 4.1, “Certificates required to install an IdM server without a CA”.
For example:
# ipa-replica-install \ --dirsrv-cert-file /tmp/server.crt \ --dirsrv-cert-file /tmp/server.key \ --dirsrv-pin secret \ --http-cert-file /tmp/server.crt \ --http-cert-file /tmp/server.key \ --http-pin secret
NoteDo not add the
--ca-cert-file
option. Theipa-replica-install
utility takes this part of the certificate information automatically from the first server you installed.-
18.7. Testing an IdM replica
After creating a replica, check if the replica replicates data as expected. You can use the following procedure.
Procedure
Create a user on the new replica:
[admin@new_replica ~]$ ipa user-add test_user
Make sure the user is visible on another replica:
[admin@another_replica ~]$ ipa user-show test_user
18.8. Connections performed during an IdM replica installation
Table 18.1, “Requests performed during an IdM replica installation” lists the operations performed by ipa-replica-install
, the Identity Management (IdM) replica installation tool.
Table 18.1. Requests performed during an IdM replica installation
Operation | Protocol used | Purpose |
---|---|---|
DNS resolution against the DNS resolvers configured on the client system | DNS | To discover the IP addresses of IdM servers |
Requests to ports 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM servers | Kerberos | To obtain a Kerberos ticket |
JSON-RPC calls to the IdM Apache-based web-service on the discovered or configured IdM servers | HTTPS | IdM client enrollment; replica keys retrieval and certificate issuance if required |
Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both | LDAP | IdM client enrollment; CA certificate chain retrieval; LDAP data replication |
Requests over TCP/TCP6 to port 22 on IdM server | SSH | To check if the connection is working |
(optionally) Access over port 8443 (TCP/TCP6) on the IdM servers | HTTPS | To administer the Certificate Authority on the IdM server (only during IdM server and replica installation) |