Introduction
An IDM replica is an identical copy of an existing IDM master server. Replicas give us multiple copies of the master, and they can be placed in different geographical locations. RHEL 8 replicas only work with IDM masters running on RHEL 7.4 and later; moreover, the master server should be installed on RHEL 8 with the IDM 4.x packages. The steps for earlier versions are similar to the guide below, but differ a little from the current one.
IDM Related Articles
- Setup an Identity Management server in Linux using IPA
- Creating our 1st DNS zones and DNS record in IPA Server
- Integrating IDM with AD (Active directory) using indirect cross-forest trust
- Setup a Linux server as IDM client to authenticate with Active Directory
- Setup a FreeIPA or IDM Replica
Setting up as Client
Before setting up the IDM replica, we first need to join the node as a client of the IDM server by running ipa-client-install. To install the required packages, use yum to install the client package.
# yum install ipa-client -y
Run the install command; it will auto-discover the IPA server information.
# ipa-client-install
Output for reference
[root@idm2 ~]# ipa-client-install
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: idm2.lincls.linuxsysadmins.local
Realm: LINCLS.LINUXSYSADMINS.LOCAL
DNS Domain: lincls.linuxsysadmins.local
IPA Server: idm1.lincls.linuxsysadmins.local
BaseDN: dc=lincls,dc=linuxsysadmins,dc=local
Continue to configure the system with these values? [no]: yes
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
User authorized to enroll computers: admin
Password for admin@LINCLS.LINUXSYSADMINS.LOCAL:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
    Issuer:      CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
    Valid From:  2020-02-26 20:45:04
    Valid Until: 2040-02-26 20:45:04
Enrolled in IPA realm LINCLS.LINUXSYSADMINS.LOCAL
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LINCLS.LINUXSYSADMINS.LOCAL
Systemwide CA database updated.
Hostname (idm2.lincls.linuxsysadmins.local) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.0.21, 2001:8f8:172d:8f0b:e194:b02e:b942:14ee.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up. Uninstallation may not be able to revert to the original state.
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring lincls.linuxsysadmins.local as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
[root@idm2 ~]#
Ports Requirement and Firewall
Add the firewall rules as services, or else open the required port numbers as shown in the following step.
# firewall-cmd --add-service={freeipa-4,freeipa-ldap,freeipa-ldaps,freeipa-replication,freeipa-trust} --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
[root@idm2 ~]# firewall-cmd --add-service={freeipa-4,freeipa-ldap,freeipa-ldaps,freeipa-replication,freeipa-trust} --permanent
success
[root@idm2 ~]# firewall-cmd --reload
success
[root@idm2 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources:
  services: cockpit dhcpv6-client freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@idm2 ~]#
Or add the rules using the port numbers required for the IDM replica.
# firewall-cmd --runtime-to-permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
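A quick post-configuration check that the active zone really exposes every firewalld service the replica needs. This is an added example, not part of the original article: it parses the output format of firewall-cmd --list-all shown above, and the sample output it embeds is constructed (with freeipa-trust deliberately left out) so the script runs without a live firewalld.

```shell
#!/bin/sh
# Added example (not from the original article): report which of the
# firewalld services the replica needs are missing from the zone that
# `firewall-cmd --list-all` prints on stdin.

# The same service list the article adds with --add-service.
REQUIRED_SERVICES="freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust"

# Reads --list-all output on stdin, prints each missing service on its
# own line and returns 1 if anything is missing, 0 otherwise.
missing_firewall_services() {
    # Keep only the "services:" line, minus its label and indentation.
    active=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    rc=0
    for svc in $REQUIRED_SERVICES; do
        # Surround both sides with spaces so "freeipa-ldap" does not
        # match inside "freeipa-ldaps".
        case " $active " in
            *" $svc "*) ;;
            *) printf '%s\n' "$svc"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample resembling the article's output; freeipa-trust is
# intentionally absent so the check has something to report.
sample_list_all() {
    cat <<'EOF'
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens18
  sources:
  services: cockpit dhcpv6-client freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication ssh
  ports:
EOF
}

# Real use on the replica:
#   firewall-cmd --list-all | missing_firewall_services || echo "fix firewall first"
if [ "${1:-}" = "demo" ]; then
    sample_list_all | missing_firewall_services
fi
```

Run it with the demo argument to see the constructed sample flag freeipa-trust, or pipe the real firewall-cmd --list-all output into missing_firewall_services on the replica before starting ipa-replica-install.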
Installing the Server Packages
In my setup I am going to run the certificate authority and DNS on the IDM replica as well. Kerberos should also reside on multiple servers, as recommended by the official guide.
RHEL 7 / CentOS 7 servers
# yum install ipa-server ipa-server-dns bind bind-dyndb-ldap ipa-server-trust-ad -y
RHEL 8 / CentOS 8 server
# yum module enable idm:DL1 -y
# yum module install idm:DL1/{dns,adtrust} -y
Check the Connectivity
Check the connectivity to the IDM master server from the new IDM replica.
# ipa-replica-conncheck --master idm1.lincls.linuxsysadmins.local
[root@idm2 ~]# ipa-replica-conncheck --master idm1.lincls.linuxsysadmins.local
Check connection from replica to remote master 'idm1.lincls.linuxsysadmins.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
Start listening on required ports for remote master check
Listeners are started. Use CTRL+C to terminate the listening part after the test.
Please run the following command on remote master:
/usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
[root@idm2 ~]#
At the same time, go back to the IDM master server and run the check there by copying the command from the above output.
# /usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
[root@idm1 ~]# /usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
Check connection from master to remote replica 'idm2.lincls.linuxsysadmins.local':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos KDC: UDP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   Kerberos Kpasswd: UDP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
Connection from master to replica is OK.
[root@idm1 ~]#
Once we get the above output on both sides, the required ports are reachable between the master and the IDM replica.
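When the replica build is scripted rather than typed by hand, the conncheck result has to be read by the script rather than eyeballed. The function below is an added example (not from the original article or the FreeIPA project): it reads saved ipa-replica-conncheck output, fails if any port line reports anything other than OK, and lists the UDP ports the tool marked SKIPPED so they can be verified separately. The embedded sample output is constructed to match the format shown above; the hostname idm1.example.test and the log file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): gate a scripted replica
# build on the result of ipa-replica-conncheck.

# Reads conncheck output on stdin. Returns 0 only if at least one port
# line was seen and every port line reads OK; any other status on a
# "(port):" line is a failure. SKIPPED lines (the UDP ports the tool
# does not test) are printed to stdout for manual follow-up.
conncheck_gate() {
    _failed=0
    _seen=0
    while IFS= read -r line; do
        case "$line" in
            *": OK")
                _seen=1
                ;;
            *": SKIPPED")
                # e.g. "   Kerberos KDC: UDP (88): SKIPPED"
                _skipped=${line%: SKIPPED}
                printf '%s\n' "${_skipped#"${_skipped%%[! ]*}"}"
                ;;
            *"("[0-9]*"):"*)
                # A port line with any other status (e.g. FAILED).
                printf 'FAILED: %s\n' "$line" >&2
                _failed=1
                ;;
        esac
    done
    [ "$_seen" -eq 1 ] || _failed=1
    return $_failed
}

# Constructed sample in the format the article shows; not captured output.
sample_conncheck_output() {
    cat <<'EOF'
Check connection from replica to remote master 'idm1.example.test':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
The following list of ports use UDP protocol and would need to be checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED
Connection from replica to master is OK.
EOF
}

# Real use (assumed file name): save the tool's output, then gate on it.
#   ipa-replica-conncheck --master idm1.example.test 2>&1 | tee conncheck.log
#   conncheck_gate < conncheck.log || { echo "connectivity check failed"; exit 1; }
if [ "${1:-}" = "demo" ]; then
    sample_conncheck_output | conncheck_gate
    echo "gate exit status: $?"
fi
```

The empty-input guard matters: if the tool never ran (wrong path, missing package), a gate that only looked for failure lines would pass silently. The printed SKIPPED list is the reminder that UDP 88 and 464 still need the master-side run the article performs next.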
Setup the Replica
While setting up the IDM replica we do not need the --ca-cert-file option: the ipa-replica-install utility pulls the certificate information automatically from the IDM master server. Note that an admin password given with --admin-password ends up in the shell history; leaving the option out makes the utility prompt for it instead.
# ipa-replica-install --principal admin --admin-password Redhat@123 --no-host-dns --setup-ca --setup-dns --no-forwarders --force-join
Output for reference
[root@idm2 ~]# ipa-replica-install --principal admin --admin-password Redhat@123 --no-host-dns --setup-ca --setup-dns --no-forwarders --force-join
Configuring client side components
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Client hostname: idm2.lincls.linuxsysadmins.local
Realm: LINCLS.LINUXSYSADMINS.LOCAL
DNS Domain: lincls.linuxsysadmins.local
IPA Server: idm1.lincls.linuxsysadmins.local
BaseDN: dc=lincls,dc=linuxsysadmins,dc=local
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
    Issuer:      CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
    Valid From:  2020-02-26 20:45:04
    Valid Until: 2040-02-26 20:45:04
Enrolled in IPA realm LINCLS.LINUXSYSADMINS.LOCAL
Created /etc/ipa/default.conf
Configured sudoers in /etc/authselect/user-nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm LINCLS.LINUXSYSADMINS.LOCAL
Systemwide CA database updated.
Hostname (idm2.lincls.linuxsysadmins.local) does not have A/AAAA record.
Missing reverse record(s) for address(es): 192.168.0.21, 2001:8f8:172d:8f0b:e194:b02e:b942:14ee.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring lincls.linuxsysadmins.local as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Warning: skipping DNS resolution of host idm2.lincls.linuxsysadmins.local
Warning: skipping DNS resolution of host idm1.lincls.linuxsysadmins.local
Lookup failed: Preferred host idm2.lincls.linuxsysadmins.local does not provide DNS.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/41]: creating directory server instance
Starting installation…
Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@LINCLS-LINUXSYSADMINS-LOCAL.service → /usr/lib/systemd/system/dirsrv@.service.
Opening SELinux policy "//etc/selinux/targeted/policy/policy.31"
Successfully opened SELinux policy "//etc/selinux/targeted/policy/policy.31"
Allocate local instance with ldapi://%2fvar%2frun%2fslapd-LINCLS-LINUXSYSADMINS-LOCAL.socket
  [2/41]: configure autobind for root
  [3/41]: stopping directory server
  [4/41]: updating configuration in dse.ldif
  [5/41]: starting directory server
  [11/11]: starting directory server
Done.
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files
The ipa-replica-install command was successful
[root@idm2 ~]#
That's it. Now two DNS and CA servers should be listed on the master side, under Network Services –> DNS –> DNS Servers.
Verify the Service status
Once the installation has completed, verify the service status on the replica node.
[root@idm2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@idm2 ~]#
Replica Verification
To list and verify the replicas, jump to the master server; the same list can be fetched from the replica as well.
[root@idm1 ~]# ipa-replica-manage list
idm1.lincls.linuxsysadmins.local: master
idm2.lincls.linuxsysadmins.local: master
[root@idm1 ~]#
To confirm that replication is working, add a user on the master and verify it from the replica. To create the user from the command line, use the command below with these options.
# ipa user-add --first=Babin --last=Lonston --password babintest1
[root@idm1 ~]# ipa user-add --first=Babin --last=Lonston --password babintest1
Password:
Enter Password again to verify:
Added user "babintest1"
  User login: babintest1
  First name: Babin
  Last name: Lonston
  Full name: Babin Lonston
  Display name: Babin Lonston
  Initials: BL
  Home directory: /home/babintest1
  GECOS: Babin Lonston
  Login shell: /bin/sh
  Principal name: babintest2@LINCLS.LINUXSYSADMINS.LOCAL
  Principal alias: babintest2@LINCLS.LINUXSYSADMINS.LOCAL
  User password expiration: 20200228124006Z
  Email address: babintest1@lincls.linuxsysadmins.local
  UID: 2002
  GID: 2002
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@idm1 ~]#
Go back to the replica server and verify the newly added user.
[root@idm2 ~]# id babintest1
uid=2002(babintest1) gid=2002(babintest1) groups=2002(babintest1)
[root@idm2 ~]# getent passwd babintest1
babintest1:*:2002:2002:Babin Lonston:/home/babintest1:/bin/bash
[root@idm2 ~]#
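The manual check above (add on the master, look up on the replica) is easy to turn into a repeatable smoke test, which is useful after every topology change. The script below is an added example, not from the original article or the FreeIPA project: it creates a throwaway user on the master, polls the replica over ssh with getent until the user resolves or a deadline passes, and removes the user again. The replica hostname idm2.example.test, the ssh access to it, and an existing admin Kerberos ticket (kinit admin) on the master are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): confirm that a user
# created on the master becomes visible on the replica within a deadline.

# Assumed replica hostname; override with REPLICA_HOST=... in the environment.
REPLICA_HOST=${REPLICA_HOST:-idm2.example.test}

# Hook: resolve one login on the replica via NSS. Assumes ssh access to
# the replica. Tests replace this function to simulate replication lag.
lookup_user() {
    ssh "$REPLICA_HOST" "getent passwd '$1'" >/dev/null 2>&1
}

# Poll lookup_user for LOGIN up to ATTEMPTS times, sleeping INTERVAL
# seconds between tries. Returns 0 as soon as the user resolves, 1 if it
# never does within the deadline.
wait_for_user() {
    login=$1
    attempts=${2:-30}
    interval=${3:-2}
    n=0
    while [ "$n" -lt "$attempts" ]; do
        if lookup_user "$login"; then
            return 0
        fi
        n=$((n + 1))
        sleep "$interval"
    done
    return 1
}

# Create a throwaway user on the master (needs an admin ticket), wait for
# the replica to serve it, then delete it. The delete is a cleanup step
# the article does not show; it is part of this example.
replication_smoke_test() {
    login="repltest-$$"
    ipa user-add "$login" --first=Repl --last=Test >/dev/null || return 1
    if wait_for_user "$login" 30 2; then
        echo "replication OK: $login resolved on $REPLICA_HOST"
        rc=0
    else
        echo "replication NOT confirmed: $login not seen on $REPLICA_HOST within 60s" >&2
        rc=1
    fi
    ipa user-del "$login" >/dev/null
    return $rc
}

# Invoke on the master as: REPLICA_HOST=idm2.example.test sh replcheck.sh run
if [ "${1:-}" = "run" ]; then
    replication_smoke_test
fi
```

Polling rather than checking once matters because replication is asynchronous, and because a lookup that misses is held briefly in SSSD's negative cache on the replica, so an early miss can delay the first hit; the 60-second deadline leaves room for both.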
Topology Graph of Replica setup
A few more details about the setup.
Tuning the replication configuration can be done from Authentication –> Certificate Identity Mapping Rules –> Topology Suffixes –> domain.
Removing a Replica from master
In case we need to remove a replica from the setup, it takes only a few commands.
[root@idm1 ~]# kinit admin
Password for admin@LINCLS.LINUXSYSADMINS.LOCAL:
[root@idm1 ~]# klist
Ticket cache: KCM:0
Default principal: admin@LINCLS.LINUXSYSADMINS.LOCAL
Valid starting       Expires              Service principal
02/28/20 13:31:14  02/29/20 13:31:12  krbtgt/LINCLS.LINUXSYSADMINS.LOCAL@LINCLS.LINUXSYSADMINS.LOCAL
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage list
idm1.lincls.linuxsysadmins.local: master
idm2.lincls.linuxsysadmins.local: master
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage del idm2.lincls.linuxsysadmins.local
Updating DNS system records
ipa: WARNING: Failed to cleanup idm2.lincls.linuxsysadmins.local DNS entries: no matching entry found
ipa: WARNING: You may need to manually remove them from the tree
Deleted IPA server "idm2.lincls.linuxsysadmins.local"
[root@idm1 ~]#
Finally, uninstall the whole setup on the removed replica.
# ipa-server-install --uninstall
That's it; we have completed setting up a replica and removing a replica.
Conclusion
This guide walks through setting up a FreeIPA or IDM replica by following the above steps. More articles related to FreeIPA and the IDM server will follow. Subscribe to our newsletter and stay tuned for more Linux how-to guides.