FreeIPA Replication
2015/06/01 |
Configure FreeIPA Replication.
|
|
[1] | Install FreeIPA server's tools on the Replica Host and change DNS settings. |
[root@repl01 ~]#
[root@repl01 ~]# dnf -y install freeipa-server bind bind-dyndb-ldap nmcli c modify eno16777736 ipv4.dns 10.0.0.30 [root@repl01 ~]# nmcli c down eno16777736; nmcli c up eno16777736 |
[2] | Add DNS entry for Replica Host on FreeIPA server. |
# ipa dnsrecord-add [domain name] [record name] [record type] [record] [root@dlp ~]# ipa dnsrecord-add srv.world repl01 --a-rec 10.0.0.51 Record name: repl01 A record: 10.0.0.51[root@dlp ~]# ipa-replica-prepare repl01.srv.world --ip-address 10.0.0.51 Directory Manager (existing master) password: # Directory Manager password Preparing replica for repl01.srv.world from dlp.srv.world Creating SSL certificate for the Directory Server Creating SSL certificate for the dogtag Directory Server Creating SSL certificate for the Web Server Exporting RA certificate Copying additional files Finalizing configuration Packaging replica information into /var/lib/ipa/replica-info-repl01.srv.world.gpg Adding DNS records for repl01.srv.world The ipa-replica-prepare command was successful # transfer generated key to Replica Host [root@dlp ~]# scp /var/lib/ipa/replica-info-repl01.srv.world.gpg root@repl01.srv.world:/var/lib/ipa/ root@repl01.srv.world's password: replica-info-repl01.srv.world.gpg 100% 35KB 34.6KB/s 00:00 |
[3] | Setup as a Replica Server on FreeIPA Replica. The following example set "--no-forwarders" for DNS, but if you set it, specify like "--forwarder=x.x.x.x". |
[root@repl01 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders /var/lib/ipa/replica-info-repl01.srv.world.gpg Directory Manager (existing master) password: # Directory Manager password Run connection check to master Check connection from replica to remote master 'dlp.srv.world': Directory Service: Unsecure port (389): OK Directory Service: Secure port (636): OK Kerberos KDC: TCP (88): OK Kerberos Kpasswd: TCP (464): OK HTTP Server: Unsecure port (80): OK HTTP Server: Secure port (443): OK PKI-CA: Directory Service port (7389): OK The following list of ports use UDP protocol and would need to be checked manually: Kerberos KDC: UDP (88): SKIPPED Kerberos Kpasswd: UDP (464): SKIPPED Connection from replica to master is OK. Start listening on required ports for remote master check Get credentials to log in to remote masteradmin@SRV.WORLD password: # admin password Execute check on remote master ..... ..... Global DNS configuration in LDAP server is empty You can use 'dnsconfig-mod' command to set global DNS options that would override settings in local named.conf files Restarting the web server |
[4] | Get Kerberos tickets on Replica Host and make sure it's possible to get datas on FreeIPA Directory. If possible, it's OK to setup replication settings. For FreeIPA Clients, it's not necessarry to set additinal settings, Clients can continue to authenticate even if a Server is down. |
[root@repl01 ~]# kinit admin Password for admin@SRV.WORLD: # admin password [root@repl01 ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: admin@SRV.WORLD Valid starting Expires Service principal 06/01/2015 23:10:16 06/02/2015 23:10:13 krbtgt/SRV.WORLD@SRV.WORLD[root@repl01 ~]# ipa user-find --------------- 4 users matched --------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash UID: 544000000 GID: 544000000 Account disabled: False Password: True Kerberos keys available: True User login: fedora First name: fedora Last name: fedora Home directory: /home/fedora Login shell: /bin/bash Email address: fedora@srv.world UID: 544000001 GID: 544000001 Account disabled: False Password: True Kerberos keys available: True ..... ..... |