Setup a FreeIPA or IDM Replica


Introduction

An IdM replica is a full read-write copy of an existing IdM server. FreeIPA is multi-master, so every replica holds the same directory data, issues Kerberos tickets on its own and can keep serving clients if another server is down; replicas are also how you place an IdM server close to clients in another location. A RHEL 8 replica can be installed against an IdM master running RHEL 7.4 or later (IdM 4.x, domain level 1). The steps for earlier releases are similar to the guide below but differ in a few details, most visibly the replica information file that older releases needed.


Setting up as Client

Before setting up the replica, enrol the node as a client of the existing IdM server with ipa-client-install. Install the client package with yum:

# yum install ipa-client -y

Run the installer. With the IdM SRV records in place it discovers the server, realm, DNS domain and base DN on its own; you only confirm the values and supply the admin password to enrol the host.

# ipa-client-install

Output for reference

[root@idm2 ~]# ipa-client-install 
 This program will set up IPA client.
 Version 4.8.0
 Discovery was successful!
 Do you want to configure chrony with NTP server or pool address? [no]: 
 Client hostname: idm2.lincls.linuxsysadmins.local
 Realm: LINCLS.LINUXSYSADMINS.LOCAL
 DNS Domain: lincls.linuxsysadmins.local
 IPA Server: idm1.lincls.linuxsysadmins.local
 BaseDN: dc=lincls,dc=linuxsysadmins,dc=local
 Continue to configure the system with these values? [no]: yes
 Synchronizing time
 No SRV records of NTP servers found and no NTP server or pool address was provided.
 Using default chrony configuration.
 Attempting to sync time with chronyc.
 Time synchronization was successful.
 User authorized to enroll computers: admin
 Password for admin@LINCLS.LINUXSYSADMINS.LOCAL: 
 Successfully retrieved CA cert
     Subject:     CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
     Issuer:      CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
     Valid From:  2020-02-26 20:45:04
     Valid Until: 2040-02-26 20:45:04
 Enrolled in IPA realm LINCLS.LINUXSYSADMINS.LOCAL
 Created /etc/ipa/default.conf
 Configured sudoers in /etc/authselect/user-nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm LINCLS.LINUXSYSADMINS.LOCAL
 Systemwide CA database updated.
 Hostname (idm2.lincls.linuxsysadmins.local) does not have A/AAAA record.
 Missing reverse record(s) for address(es): 192.168.0.21, 2001:8f8:172d:8f0b:e194:b02e:b942:14ee.
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 WARNING: The configuration pre-client installation is not managed by authselect and cannot be backed up. Uninstallation may not be able to revert to the original state.
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Configuring lincls.linuxsysadmins.local as NIS domain.
 Client configuration complete.
 The ipa-client-install command was successful
[root@idm2 ~]# 

Ports Requirement and Firewall

Open the ports the replica needs. On RHEL 8 firewalld ships predefined services for IdM, so add those; otherwise add the port numbers as shown further down.

# firewall-cmd --add-service={freeipa-4,freeipa-ldap,freeipa-ldaps,freeipa-replication,freeipa-trust} --permanent
# firewall-cmd --reload
# firewall-cmd --list-all
[root@idm2 ~]# firewall-cmd --add-service={freeipa-4,freeipa-ldap,freeipa-ldaps,freeipa-replication,freeipa-trust} --permanent
 success
[root@idm2 ~]# 
[root@idm2 ~]# firewall-cmd --reload
 success
[root@idm2 ~]# 
[root@idm2 ~]# 
[root@idm2 ~]# firewall-cmd --list-all
 public (active)
   target: default
   icmp-block-inversion: no
   interfaces: ens18
   sources: 
   services: cockpit dhcpv6-client freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ssh
   ports: 
   protocols: 
   masquerade: no
   forward-ports: 
   source-ports: 
   icmp-blocks: 
   rich rules: 
[root@idm2 ~]#

Or open the ports explicitly. The list covers LDAP (389, 636), Kerberos (88, 464, TCP and UDP), HTTP and HTTPS (80, 443), DNS (53) and NTP (123/udp); drop 53 if the replica will not run DNS. Note that --runtime-to-permanent is a standalone action that saves the current runtime configuration and does not take --add-port; add the ports to the permanent configuration and reload instead:

# firewall-cmd --permanent --add-port={80/tcp,443/tcp,389/tcp,636/tcp,88/tcp,88/udp,464/tcp,464/udp,53/tcp,53/udp,123/udp}
# firewall-cmd --reload
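The client enrolment above finished with two warnings worth acting on before promoting the host: it has no A/AAAA record and its addresses have no PTR records. The script below is an added pre-flight check, not part of the original article or of FreeIPA itself. It verifies that the hostname is fully qualified, that forward and reverse resolution agree, and that the TCP ports the firewall section opens are reachable on the master; the master name and port list are assumptions taken from this article's own setup, and the script gates an automated install by returning non-zero on any failure.

```shell
#!/usr/bin/env bash
# Pre-flight checks for a prospective IdM replica (added example, not from the
# original article). Usage: ./replica-preflight.sh idm1.lincls.linuxsysadmins.local
# The ports are the ones the article's conncheck tests; the DNS checks cover the
# A/AAAA and PTR warnings that ipa-client-install printed.

# True if NAME is a fully qualified hostname: at least one dot, no trailing dot,
# labels made of letters, digits and inner hyphens only.
is_fqdn() {
  printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# Print the addresses NAME resolves to (empty if none), using the same resolver
# the installer uses, so /etc/hosts entries count as well.
forward_lookup() {
  getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# True if ADDR reverse-resolves (PTR or /etc/hosts) to NAME.
reverse_matches() {
  getent hosts "$1" | grep -qFw "$2"
}

# True if a TCP connection to HOST:PORT succeeds within 3 seconds.
# /dev/tcp is a bash feature, so bash is invoked explicitly.
tcp_port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run every check for this host against MASTER and report; returns non-zero if
# anything failed so an automated install can stop here.
preflight() {
  master=$1
  me=$(hostname -f 2>/dev/null || hostname)
  rc=0
  if is_fqdn "$me"; then echo "ok   hostname is an FQDN: $me"; else echo "FAIL hostname is not an FQDN: $me"; rc=1; fi
  addrs=$(forward_lookup "$me")
  if [ -n "$addrs" ]; then echo "ok   A/AAAA: $addrs"; else echo "FAIL no A/AAAA record for $me"; rc=1; fi
  for a in $addrs; do
    if reverse_matches "$a" "$me"; then echo "ok   PTR $a -> $me"; else echo "WARN no PTR for $a naming $me"; fi
  done
  # Ports from the article's conncheck; 53 only matters when the master runs DNS.
  for p in 80 443 389 636 88 464 53; do
    if tcp_port_open "$master" "$p"; then echo "ok   $master:$p/tcp reachable"; else echo "FAIL $master:$p/tcp unreachable"; rc=1; fi
  done
  return $rc
}

if [ -n "${1:-}" ]; then
  preflight "$1"
fi
```

Run it on the future replica with the master's FQDN as the only argument. UDP 88 and 464 are not probed, for the same reason ipa-replica-conncheck skips them; a PTR mismatch is reported as a warning rather than a failure because the installer tolerates it, but it will break Kerberos reverse-lookup canonicalisation for clients that rely on it.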

Installing the Server Packages

In this setup the replica will also carry a certificate authority and integrated DNS. Red Hat's recommendation is to run the CA, and DNS if you use it, on at least two servers so that the deployment survives the loss of one; the KDC is part of every IdM server and needs no extra package.

RHEL 7 / CentOS 7 servers

# yum install ipa-server ipa-server-dns bind bind-dyndb-ldap ipa-server-trust-ad -y

RHEL 8 / CentOS 8 server

# yum module enable idm:DL1 -y 
# yum module install idm:DL1/{dns,adtrust} -y

Check the Connectivity

Check connectivity from the new replica to the IdM master. The tool tests the TCP ports one way, then keeps listeners open so the master can test the reverse direction.

# ipa-replica-conncheck --master idm1.lincls.linuxsysadmins.local
[root@idm2 ~]# ipa-replica-conncheck --master idm1.lincls.linuxsysadmins.local
 Check connection from replica to remote master 'idm1.lincls.linuxsysadmins.local':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
 The following list of ports use UDP protocol and would need to be
 checked manually:
    Kerberos KDC: UDP (88): SKIPPED
    Kerberos Kpasswd: UDP (464): SKIPPED
 Connection from replica to master is OK.
 Start listening on required ports for remote master check
 Listeners are started. Use CTRL+C to terminate the listening part after the test.
 Please run the following command on remote master:
 /usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
[root@idm2 ~]#

While the replica is still listening, run the command printed in that output on the master.

# /usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
[root@idm1 ~]# /usr/sbin/ipa-replica-conncheck --replica idm2.lincls.linuxsysadmins.local
 Check connection from master to remote replica 'idm2.lincls.linuxsysadmins.local':
    Directory Service: Unsecure port (389): OK
    Directory Service: Secure port (636): OK
    Kerberos KDC: TCP (88): OK
    Kerberos KDC: UDP (88): OK
    Kerberos Kpasswd: TCP (464): OK
    Kerberos Kpasswd: UDP (464): OK
    HTTP Server: Unsecure port (80): OK
    HTTP Server: Secure port (443): OK
    Connection from master to replica is OK.
[root@idm1 ~]# 

With both directions reporting OK, every port the replica needs is open between master and replica.

Setup the Replica

With domain level 1 there is no replica information file and no need for --ca-cert-file: ipa-replica-install enrols against the master and pulls the CA certificate itself. The options used here are --setup-ca (install a CA clone), --setup-dns with --no-forwarders (integrated DNS, named configured without forwarders, so it resolves outside names from root hints), --no-host-dns (skip the DNS checks for this host, which is why the missing A/AAAA record above did not stop the install) and --force-join (join even though a host entry already exists). Passing the admin password with --admin-password puts it in shell history and in the process list while the installer runs; omit the option and the installer prompts for it instead.

# ipa-replica-install --principal admin --admin-password Redhat@123 --no-host-dns --setup-ca --setup-dns --no-forwarders --force-join

Output for reference

[root@idm2 ~]# ipa-replica-install --principal admin --admin-password Redhat@123 --no-host-dns --setup-ca --setup-dns --no-forwarders --force-join
 Configuring client side components
 This program will set up IPA client.
 Version 4.8.0
 Discovery was successful!
 Client hostname: idm2.lincls.linuxsysadmins.local
 Realm: LINCLS.LINUXSYSADMINS.LOCAL
 DNS Domain: lincls.linuxsysadmins.local
 IPA Server: idm1.lincls.linuxsysadmins.local
 BaseDN: dc=lincls,dc=linuxsysadmins,dc=local
 Synchronizing time
 No SRV records of NTP servers found and no NTP server or pool address was provided.
 Using default chrony configuration.
 Attempting to sync time with chronyc.
 Time synchronization was successful.
 Successfully retrieved CA cert
     Subject:     CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
     Issuer:      CN=Certificate Authority,O=LINCLS.LINUXSYSADMINS.LOCAL
     Valid From:  2020-02-26 20:45:04
     Valid Until: 2040-02-26 20:45:04
 Enrolled in IPA realm LINCLS.LINUXSYSADMINS.LOCAL
 Created /etc/ipa/default.conf
 Configured sudoers in /etc/authselect/user-nsswitch.conf
 Configured /etc/sssd/sssd.conf
 Configured /etc/krb5.conf for IPA realm LINCLS.LINUXSYSADMINS.LOCAL
 Systemwide CA database updated.
 Hostname (idm2.lincls.linuxsysadmins.local) does not have A/AAAA record.
 Missing reverse record(s) for address(es): 192.168.0.21, 2001:8f8:172d:8f0b:e194:b02e:b942:14ee.
 Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
 Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
 SSSD enabled
 Configured /etc/openldap/ldap.conf
 Configured /etc/ssh/ssh_config
 Configured /etc/ssh/sshd_config
 Configuring lincls.linuxsysadmins.local as NIS domain.
 Client configuration complete.
 The ipa-client-install command was successful
 Warning: skipping DNS resolution of host idm2.lincls.linuxsysadmins.local
 Warning: skipping DNS resolution of host idm1.lincls.linuxsysadmins.local
 Lookup failed: Preferred host idm2.lincls.linuxsysadmins.local does not provide DNS.
 Run connection check to master
 Connection check OK
 Disabled p11-kit-proxy
 Configuring directory server (dirsrv). Estimated time: 30 seconds
   [1/41]: creating directory server instance
 Starting installation…
 Created symlink /etc/systemd/system/multi-user.target.wants/dirsrv@LINCLS-LINUXSYSADMINS-LOCAL.service → /usr/lib/systemd/system/dirsrv@.service.
 Opening SELinux policy "//etc/selinux/targeted/policy/policy.31"
 Successfully opened SELinux policy "//etc/selinux/targeted/policy/policy.31"
 Allocate local instance  with ldapi://%2fvar%2frun%2fslapd-LINCLS-LINUXSYSADMINS-LOCAL.socket
   [2/41]: configure autobind for root
   [3/41]: stopping directory server
   [4/41]: updating configuration in dse.ldif
   [5/41]: starting directory server
   [11/11]: starting directory server
 Done.
   [7/7]: configuring ipa-dnskeysyncd to start on boot
 Done configuring DNS key synchronization service (ipa-dnskeysyncd).
 Restarting ipa-dnskeysyncd
 Restarting named
 Updating DNS system records
 Global DNS configuration in LDAP server is empty
 You can use 'dnsconfig-mod' command to set global DNS options that
 would override settings in local named.conf files
 The ipa-replica-install command was successful
[root@idm2 ~]#

That's it. The master now lists two DNS servers and two CA servers; in the web UI the DNS servers are shown under Network Services –> DNS –> DNS Servers.

Verify the Service status

Once the installation completes, verify the service status on the replica.

[root@idm2 ~]# ipactl status
 Directory Service: RUNNING
 krb5kdc Service: RUNNING
 kadmin Service: RUNNING
 named Service: RUNNING
 httpd Service: RUNNING
 ipa-custodia Service: RUNNING
 pki-tomcatd Service: RUNNING
 ipa-otpd Service: RUNNING
 ipa-dnskeysyncd Service: RUNNING
 ipa: INFO: The ipactl command was successful
[root@idm2 ~]#

Replica Verification

List the servers in the topology from the master; the same command gives the same answer on the replica.

[root@idm1 ~]# ipa-replica-manage list
 idm1.lincls.linuxsysadmins.local: master
 idm2.lincls.linuxsysadmins.local: master
[root@idm1 ~]#

To confirm that replication works, add a user on the master and look it up on the replica. From the command line:

# ipa user-add --first=Babin --last=Lonston --password babintest1
[root@idm1 ~]# ipa user-add --first=Babin --last=Lonston --password babintest1
 Password: 
 Enter Password again to verify: 
 Added user "babintest1"
 User login: babintest1
   First name: Babin
   Last name: Lonston
   Full name: Babin Lonston
   Display name: Babin Lonston
   Initials: BL
   Home directory: /home/babintest1
   GECOS: Babin Lonston
   Login shell: /bin/sh
   Principal name: babintest2@LINCLS.LINUXSYSADMINS.LOCAL
   Principal alias: babintest2@LINCLS.LINUXSYSADMINS.LOCAL
   User password expiration: 20200228124006Z
   Email address: babintest1@lincls.linuxsysadmins.local
   UID: 2002
   GID: 2002
   Password: True
   Member of groups: ipausers
   Kerberos keys available: True
[root@idm1 ~]# 

Back on the replica, verify that the new user is visible.

[root@idm2 ~]# id babintest1
 uid=2002(babintest1) gid=2002(babintest1) groups=2002(babintest1)
[root@idm2 ~]#

[root@idm2 ~]# getent passwd babintest1
 babintest1:*:2002:2002:Babin Lonston:/home/babintest1:/bin/bash
[root@idm2 ~]#
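Checking with id and getent as above goes through SSSD, and if the lookup happens before the entry has replicated, SSSD caches the miss for entry_negative_timeout (15 seconds by default) and keeps answering "no such user" even after the entry arrives. The script below is an added example, not part of the original article: run on the replica, where /etc/ipa/default.conf points the ipa command at the local server, it polls ipa user-show (and therefore the replica's own directory) until the user appears or a timeout expires, then flushes the SSSD cache. It assumes a valid admin ticket on the replica; the user name and timeout are arguments.

```shell
#!/usr/bin/env bash
# Wait until a user added on the master is visible on this replica (added
# example, not from the article). Run on the replica with a Kerberos ticket.
# Usage: ./wait-replicated.sh babintest1 [timeout-seconds]

# Only plain login names are accepted, since the name ends up in a shell
# command string below.
valid_login() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
}

# Poll PROBE (a shell command string) every INTERVAL seconds until it succeeds
# or TIMEOUT seconds have elapsed. Returns 0 on success, 1 on timeout.
wait_for() {
  probe=$1; timeout=${2:-60}; interval=${3:-2}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if eval "$probe" >/dev/null 2>&1; then
      return 0
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
  return 1
}

# Build the probe: ipa user-show against the local server (this replica).
user_present_probe() {
  printf 'ipa user-show %s' "$1"
}

# Wait for USER to replicate, then drop SSSD's cache so that id and getent stop
# returning a stale negative answer from an earlier miss.
wait_replicated() {
  user=$1; timeout=${2:-60}
  if ! valid_login "$user"; then
    echo "refusing to look up '$user': not a plain login name" >&2
    return 2
  fi
  if wait_for "$(user_present_probe "$user")" "$timeout" 2; then
    echo "user $user is present on $(hostname -f)"
    sss_cache -E 2>/dev/null || true   # flush SSSD cache; harmless if sssd is absent
    return 0
  fi
  echo "user $user did not appear within ${timeout}s; check replication" >&2
  return 1
}

if [ -n "${1:-}" ]; then
  wait_replicated "$1" "${2:-60}"
fi
```

A non-zero exit after the timeout is the signal to look at the replication agreements (ipa-replica-manage list -v on the master) rather than at SSSD.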

Topology Graph of Replica setup

A few more notes on the setup.

The replication topology can be inspected and tuned from the Topology section of the web UI (IPA Server –> Topology) or from the CLI with the ipa topologysuffix-* and ipa topologysegment-* commands. There are two suffixes: domain carries the directory data and ca carries the CA data, and each replication segment belongs to one of them.

Removing a Replica from master

If a replica has to be removed from the setup, a few commands on the master are enough. Obtain an admin ticket first; ipa-replica-manage del removes the server from both topology suffixes (ipa server-del does the same at domain level 1), and both refuse to delete a server if that would disconnect the topology or leave the deployment without a CA unless you override them.

[root@idm1 ~]# kinit admin
Password for admin@LINCLS.LINUXSYSADMINS.LOCAL:
[root@idm1 ~]# klist 
 Ticket cache: KCM:0
 Default principal: admin@LINCLS.LINUXSYSADMINS.LOCAL
 Valid starting     Expires            Service principal
 02/28/20 13:31:14  02/29/20 13:31:12  krbtgt/LINCLS.LINUXSYSADMINS.LOCAL@LINCLS.LINUXSYSADMINS.LOCAL
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage list
 idm1.lincls.linuxsysadmins.local: master
 idm2.lincls.linuxsysadmins.local: master
[root@idm1 ~]#
[root@idm1 ~]# ipa-replica-manage del idm2.lincls.linuxsysadmins.local
 Updating DNS system records
 ipa: WARNING: Failed to cleanup idm2.lincls.linuxsysadmins.local DNS entries: no matching entry found
 ipa: WARNING: You may need to manually remove them from the tree
 Deleted IPA server "idm2.lincls.linuxsysadmins.local"
[root@idm1 ~]# 

Finally, on the removed host, uninstall the server components so it no longer considers itself part of the topology.

# ipa-server-install --uninstall
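Before running ipa-replica-manage del against a server that holds the CA or DNS role, it is worth confirming that another enabled server still carries that role; otherwise the command is refused, or, if forced, the deployment loses its only CA. The script below is an added example, not part of the original article or of FreeIPA: it parses the output of ipa server-role-find for the CA and DNS roles and counts the enabled servers other than the one being removed. The SAMPLE text is a constructed copy of that command's output for this article's two-server topology, used only for an offline self-test; the role names are the ones IdM uses.

```shell
#!/usr/bin/env bash
# Guard before removing an IdM server: refuse if it is the last enabled holder
# of the CA or DNS role (added example, not from the article).
# Usage: ./guard-server-del.sh idm2.lincls.linuxsysadmins.local

# Count servers other than SKIP whose "Role status" is enabled in the
# `ipa server-role-find --role "<role>"` output read from stdin.
other_enabled_count() {
  awk -v skip="$1" '
    /Server name:/ { name = $3 }
    /Role status:/ { if ($3 == "enabled" && name != skip) n++ }
    END            { print n + 0 }'
}

# True if SERVER can be removed without losing ROLE entirely.
role_survives() {
  server=$1; role=$2
  n=$(ipa server-role-find --role "$role" 2>/dev/null | other_enabled_count "$server")
  [ "${n:-0}" -ge 1 ]
}

# Refuse removal unless both roles survive on some other server.
check_removal() {
  server=$1; rc=0
  for role in "CA server" "DNS server"; do
    if role_survives "$server" "$role"; then
      echo "ok   another enabled '$role' remains besides $server"
    else
      echo "STOP $server is the last enabled '$role'; install the role elsewhere first" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of `ipa server-role-find --role "CA server"` output for
# the article's two servers; used by the self-test, not by check_removal.
SAMPLE='----------------------
2 server roles matched
----------------------
  Server name: idm1.lincls.linuxsysadmins.local
  Role name: CA server
  Role status: enabled

  Server name: idm2.lincls.linuxsysadmins.local
  Role name: CA server
  Role status: enabled
----------------------------
Number of entries returned 2
----------------------------'

if [ -n "${1:-}" ]; then
  check_removal "$1" && echo "safe to run: ipa-replica-manage del $1"
fi
```

Run it on the master with an admin ticket and the FQDN of the server to be removed; a STOP line means the role has to be added to another server (ipa-ca-install or ipa-dns-install there) before the deletion.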

That's it: we have set up a replica and removed it again.

Conclusion

This guide walked through setting up a FreeIPA or IdM replica, verifying replication and removing a replica again. More FreeIPA and IdM articles will follow; subscribe to the newsletter to be notified of new Linux how-to guides.