IPA - Frequently Asked Questions


Environment

  • Red Hat Identity Management (IdM, formerly known as Red Hat IPA)

Issue

  • IPA Frequently Asked Questions

Resolution

1 What services need to be considered to make replicas fulfill the master role?

Say, for example, IPA1 was on a physical system and for whatever reason became unrecoverable (RAID array failure, server blows up, filesystem corruption, etc.). What services run on this server that are not also running on the other multi-master nodes?

It depends. If you install with a self-signed CA (not recommended) then it is a single point of failure. You'll need to be sure to back up the CA and have some idea of the last serial number issued (it can probably be determined by looking at the issued certificates in a pinch).

If you install with a dogtag CA, replicas aren't set up as CAs by default, so you still potentially have a single point of failure.

DNS isn't configured by default on replicas either.

2 Is there a list of services which can only run on a single node instead of on all other nodes?

Is there a list of services which can only run on a single node instead of on all other nodes? Similar to the schema master in Active Directory.

Typically a winsync agreement only connects to one of the IPA servers (and so does PassSync). This is easy to recover from, though.

3 What is the recovery/migration procedure for any single running role to other nodes?

Is there an online migration plan to use if I were to decommission a server, as well as a forceful plan to use in the event of an IPA server failure?

Because of #1 and #2 you don't have to do much. To prepare for replacement you just need to configure another replica. Because of MMR (multi-master replication) the servers are all equivalent (with the exception of the self-signed CA as noted above).

If a server is lost you will need to remove its replication agreements with:

ipa-replica-manage del --force <server-that-is-gone>

--force tells the local IPA server to delete the agreement even if it can't contact the other side.

4 How can I manage multiple sites within IPA? Is it possible?

For example, let's say I have 500 clients and 10 IPA servers in site A and the same in site B, but only a 10 Mb LES circuit connects them. Can I set up the IPA servers to replicate over the link, to maintain replication, but prevent the clients in site A from using an IPA server in site B for authentication and DNS? The goal is to minimise cross-site communication. This is similar to Sites and Services in Active Directory.

Configure the clients in B to look only for IPA servers in B (i.e. instead of using the default SRV records, manually list the IPA servers for site B),

or use iptables to allow access only to the IPA servers. In this case probably just the dogtag and 389-ds ports, 7389, 636 and 389, once the replicas are set up. You'd probably want to test this thoroughly.

5 How do I decommission an already active IPA server?

The documentation states ipa-server-install --uninstall; however, this doesn't seem to remove the server from the active domain/realm in the same process. It leaves stale entries in the domain.

ipa-replica-manage del <server>

If you do this in advance of --uninstall then you don't need --force. The "removed" server cannot be reconnected to the IPA realm without a re-install.

6 Does using dogtag with CA replication resolve the issue of the non-recommended local CA installation?

What's the process for setting up dogtag with an IPA domain?

As you know, IPA by default uses the dogtag CA to issue certificates. The only thing you need to do (in case the master becomes unrecoverable) is to configure the replicas to install a dogtag CA instance and replicate the certificate details from the master server.

For example, here are the normal steps you need to take to achieve the above.

# initial setup
ipa-server-install --setup-dns

# prepare a replica file to configure a new replica
ipa-replica-prepare <options>

# copy the output file from the above to the replica and configure the replica using:
ipa-replica-install --setup-dns <replica_file>

Now you have the IPA replica set up. As you requested, for the case where the master fails (unrecoverable): the CA information is not replicated to the replica by this step, so it has to be done manually.

# set up the IPA replica to install pki-ca and replicate the certificate details
ipa-ca-install <replica_file>

Note that the file should be the same as the one used to configure this server as a replica (during ipa-replica-install).

Refer here for details.

7 What is the difference between (or even the advantage of) the internal dogtag CA versus an external CA?

When we use the dogtag certificate system (the default), it creates a self-signed certificate and uses it as the CA certificate. During the client-install process this certificate is copied to the clients, so the clients will trust all other service certificates issued by dogtag (e.g. the certificate issued to Apache by IPA). In this scenario the root CA is IPA itself.

If you have an existing CA (a corporate CA, e.g. Microsoft CA or some other CA) and you do not want a new certificate authority, then you can use IPA as a subordinate CA. In order to make IPA a subordinate CA, IPA has to create a certificate request (with the necessary extensions), submit the CSR to the existing corporate CA, get it signed and use that certificate as the IPA CA certificate.

Once IPA gets its certificate signed by the corporate CA, IPA uses that certificate to sign the certificates for all clients (i.e. the certificates are still issued by dogtag only), and the clients use the corporate CA certificate with the chain (i.e. including the IPA sub-CA).

8 How can I configure IPA to work with a different port?

If a standard Apache instance is already running on port 80, then the IPA server can be configured to run on a secondary port, such as port 8089. Refer to: Setting an IPA Server as an Apache Virtual Host

9 Should I deploy IdM from the latest RHEL 6 rather than from an older RHEL 6?

Using IdM from the latest minor release of RHEL 6 is strongly recommended.

Upgrading later to IdM from RHEL 6.4 will require these steps: Upgrade Notes for IPA 3.0

10 Is there an API for the IPA server?

There is currently no supported API.

11 Can I modify the IdM database directly?

The database must not be modified directly; the IdM-specific commands have to be used, like ipa user-add and so on. IdM sits on top of its components, and modifying the underlying components directly without IdM leads to issues.

12 For RHEL 5 and IdM, do you advise using SSSD or working with nscd/nslcd?

On RHEL 5 as well as RHEL 6 our generic advice is to use SSSD. nscd/nslcd can be used as a fallback if some functionality is required which SSSD does not yet provide, e.g. some more exotic maps have to be fetched.

13 How can I add a DNS A and PTR record to the IdM domain?

I am implementing a Kerberized service; how can I add a DNS A and PTR record to the IdM domain? The following commands show how to acquire a Kerberos ticket and add the A and the PTR records. After that, the delivery of the DNS entries is verified. For more help with the ipa DNS commands refer to the output of ipa dns.

kinit admin
ipa dnsrecord-add mydomain.example.org virthostname --a-rec=10.0.0.42
ipa dnsrecord-add 0.0.10.in-addr.arpa. 42 --ptr-rec virthostname.mydomain.example.org.
dig virthostname.mydomain.example.org
dig -x 10.0.0.42
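The two dnsrecord-add commands above, generalized: this added shell example (not part of the original article) derives the in-addr.arpa zone and record name from the address and prefix length (the article shows only the /24 case), emits the ipa commands, and checks with dig that the forward and reverse entries point at each other. It assumes the forward zone and the reverse zone already exist in IdM and that a ticket has been obtained with kinit admin; nothing is executed against IdM unless IPA_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the article: register an A record and its PTR in
# IdM DNS and verify both directions. Assumes the forward zone and the
# in-addr.arpa zone already exist and that `kinit admin` has been run.
# IPA_APPLY=1 executes the ipa commands; otherwise they are only printed.

# reverse_zone_parts IP PREFIXLEN -> prints "<reverse zone> <record name>"
# e.g. 10.0.0.42 with /24 gives "0.0.10.in-addr.arpa. 42" (the article's case)
reverse_zone_parts() {
    ip=$1; plen=$2
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    case $plen in
        8)  echo "$1.in-addr.arpa. $4.$3.$2" ;;
        16) echo "$2.$1.in-addr.arpa. $4.$3" ;;
        24) echo "$3.$2.$1.in-addr.arpa. $4" ;;
        *)  echo "unsupported prefix length /$plen" >&2; return 1 ;;
    esac
}

# run CMD... : execute when IPA_APPLY=1, otherwise print the command line
run() {
    if [ "${IPA_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# ipa_add_a_ptr HOST ZONE IP PREFIXLEN : the two dnsrecord-add calls
ipa_add_a_ptr() {
    host=$1; zone=$2; ip=$3
    parts=$(reverse_zone_parts "$ip" "$4") || return 1
    rzone=${parts%% *}; rname=${parts#* }
    run ipa dnsrecord-add "$zone" "$host" "--a-rec=$ip"
    run ipa dnsrecord-add "$rzone" "$rname" "--ptr-rec=$host.$zone."
}

# verify_a_ptr FQDN IP : forward and reverse lookups must agree (needs dig)
verify_a_ptr() {
    [ "$(dig +short A "$1")" = "$2" ] && [ "$(dig +short -x "$2")" = "$1" ]
}

# The article's values; only runs for real when IPA_APPLY=1 is set.
if [ "${IPA_APPLY:-0}" = 1 ]; then
    ipa_add_a_ptr virthostname mydomain.example.org 10.0.0.42 24 &&
    verify_a_ptr virthostname.mydomain.example.org. 10.0.0.42
fi
```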

14 When I use a user from Active Directory and try to log in to a Linux client machine in the IPA (trusted) domain, does the client require a direct connection to the Active Directory servers, or does it just connect to the IPA server?

The client does not require a direct connection to AD if the user is already authenticated. If the user wants to use password-based authentication (provides a username/password to log in to the IPA client), then the client must be able to contact AD; otherwise password authentication will fail.
