CentOS 7

FreeIPA Replication
2015/03/21
 
Configure FreeIPA Replication.
[1] Install the FreeIPA server packages on the Replica Host and point its DNS resolver at the existing FreeIPA server.
[root@repl01 ~]#
yum -y install ipa-server ipa-server-dns bind bind-dyndb-ldap
# change DNS to FreeIPA server

[root@repl01 ~]#
nmcli c modify eno16777736 ipv4.dns 10.0.0.30

[root@repl01 ~]#
nmcli c down eno16777736; nmcli c up eno16777736

[2] On the FreeIPA server, add a DNS entry for the Replica Host and prepare the replica information file.
# ipa dnsrecord-add [domain name] [record name] [record type] [record]

[root@dlp ~]#
ipa dnsrecord-add srv.world repl01 --a-rec 10.0.0.61

  Record name: repl01
  A record: 10.0.0.61

[root@dlp ~]#
ipa-replica-prepare repl01.srv.world --ip-address 10.0.0.61

Directory Manager (existing master) password:    
# Directory Manager password

Preparing replica for repl01.srv.world from dlp.srv.world
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-repl01.srv.world.gpg
Adding DNS records for repl01.srv.world
Using reverse zone 0.0.10.in-addr.arpa.

# transfer the generated replica file to the Replica Host

[root@dlp ~]#
scp /var/lib/ipa/replica-info-repl01.srv.world.gpg root@repl01.srv.world:/var/lib/ipa/

root@repl01.srv.world's password:
replica-info-repl01.srv.world.gpg 100% 35KB 34.6KB/s 00:00
[3] On the FreeIPA server, if Firewalld is running, allow the FreeIPA replication service.
[root@dlp ~]#
firewall-cmd --add-service=freeipa-replication --permanent

success
[root@dlp ~]#
firewall-cmd --reload

success
[4] On the FreeIPA Replica Host, if Firewalld is running, allow the FreeIPA services.
[root@repl01 ~]#
firewall-cmd --add-service={ssh,dns,freeipa-ldap,freeipa-ldaps,freeipa-replication} --permanent

success
[root@repl01 ~]#
firewall-cmd --reload

success
[5] Set up the Replica Host as a FreeIPA Replica Server.
The following example uses "--no-forwarders" for DNS; to use a forwarder instead, specify it like "--forwarder=x.x.x.x".
[root@repl01 ~]#
ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-repl01.srv.world.gpg

Directory Manager (existing master) password:    
# Directory Manager password

Run connection check to master
Check connection from replica to remote master 'dlp.srv.world':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK

The following list of ports use UDP protocol and would need to be
checked manually:
   Kerberos KDC: UDP (88): SKIPPED
   Kerberos Kpasswd: UDP (464): SKIPPED

Connection from replica to master is OK.
Start listening on required ports for remote master check
Get credentials to log in to remote master
admin@SRV.WORLD password:    
# admin password

Execute check on remote master
.....
.....
Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

Restarting the web server
[6] Obtain a Kerberos ticket on the Replica Host and make sure the data in the FreeIPA directory can be read from it. If it can, replication is set up.
No additional settings are necessary on FreeIPA clients; they can continue to authenticate even if one server is down.
[root@repl01 ~]#
kinit admin

Password for admin@SRV.WORLD:    
# admin password

[root@repl01 ~]#
klist

Ticket cache: KEYRING:persistent:0:0
Default principal: admin@SRV.WORLD

Valid starting       Expires              Service principal
03/21/2015 15:13:38  03/24/2015 15:13:35  krbtgt/SRV.WORLD@SRV.WORLD

[root@repl01 ~]#
ipa user-find

---------------
4 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  UID: 1219600000
  GID: 1219600000
  Account disabled: False
  Password: True
  Kerberos keys available: True

  User login: cent
  First name: CentOS
  Last name: Linux
  Home directory: /home/cent
  Login shell: /bin/bash
  Email address: cent@srv.world
  UID: 1219600001
  GID: 1219600001
  Account disabled: False
  Password: True
  Kerberos keys available: True
.....
.....
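Reading the directory from the replica, as in step [6], only proves that the replica has a copy of the data; it does not prove that changes keep flowing between the two servers, which is what you actually depend on when one of them is down. The script below is an added example, not part of the original page: it re-checks the connection report printed by ipa-replica-install in step [5] (every TCP check must read OK, UDP checks are SKIPPED by the installer and must be tested by hand), and it performs a replication smoke test by creating a throwaway user on the local server and waiting until the peer server can see it. The peer is queried by overriding the `xmlrpc_uri` of the `ipa` client with its `-e` option; the hostnames, the probe user name `repltest01`, the environment variables, and the constructed report lines in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original page): FreeIPA replication smoke test.
# Run as root on one IPA server with a valid admin ticket (kinit admin).
# PEER is the other server of the replication pair; running the script on the
# replica with PEER=dlp.srv.world tests replica -> master, running it on the
# master with PEER=repl01.srv.world tests master -> replica.
set -eu

PEER="${PEER:-dlp.srv.world}"            # master from the page (assumption: reachable by name)
PROBE_USER="${PROBE_USER:-repltest01}"   # hypothetical throwaway account
TIMEOUT_SEC="${TIMEOUT_SEC:-60}"

# Re-check the "Check connection from replica to remote master" block that
# ipa-replica-install prints, e.g. saved with:
#   ipa-replica-install ... 2>&1 | tee /root/replica-install.log
# Prints every port check whose status is neither OK nor SKIPPED and
# returns 1 if any such line exists, 0 otherwise.
report_failed_ports() {
    awk '/\([0-9]+\): / && !/: (OK|SKIPPED)[[:space:]]*$/ { print; bad = 1 }
         END { if (bad) exit 1 }' "$1"
}

# Number of checks the installer SKIPPED (the UDP Kerberos ports on the page);
# these are the ones to verify manually, for example with nc -u.
count_skipped() {
    grep -c 'SKIPPED[[:space:]]*$' "$1" || true
}

# Ask the PEER server (not the local one) whether it already knows a user.
# The -e option overrides ipa client settings for one call; xmlrpc_uri is the
# key from /etc/ipa/default.conf that selects which server is contacted.
user_visible_on() {
    ipa -e "xmlrpc_uri=https://$1/ipa/xml" user-show "$2" >/dev/null 2>&1
}

# Poll the peer until the user appears or the timeout (seconds) expires.
# Returns 0 when the user replicated, 1 on timeout.
wait_for_user() {
    host=$1; user=$2
    deadline=$(( $(date +%s) + $3 ))
    while :; do
        if user_visible_on "$host" "$user"; then
            return 0
        fi
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 1
    done
}

main() {
    # Create the probe user locally, wait for it on the peer, then remove it.
    ipa user-add "$PROBE_USER" --first=Replication --last=Probe >/dev/null
    if wait_for_user "$PEER" "$PROBE_USER" "$TIMEOUT_SEC"; then
        echo "replication OK: $PROBE_USER visible on $PEER"
        rc=0
    else
        echo "replication FAILED: $PROBE_USER not on $PEER after ${TIMEOUT_SEC}s" >&2
        rc=1
    fi
    # The deletion replicates the same way; never leave the probe account behind.
    ipa user-del "$PROBE_USER" >/dev/null 2>&1 || true
    return $rc
}

# Only run the live test when explicitly requested, so the functions above
# can also be sourced and used on their own.
if [ "${RUN_REPL_CHECK:-0}" = 1 ]; then
    main
fi
```

Run it as `RUN_REPL_CHECK=1 sh replcheck.sh` on the replica after step [6]; a non-zero exit status means the probe user never showed up on the peer within the timeout, which is the point at which to look at `ipa-replica-manage list -v` on the master and at the 389 Directory Server error log rather than at clients.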