Setting up Multi-Master replication of FreeIPA Directory servers

Step 3. Prepare your current FreeIPA server for a replication agreement
Once your new host is stored in DNS, you are ready to create the GPG-encrypted replica information file that the new server will use to start the replica installation.

To prepare FreeIPA for replication, run the following command.

[root@ds01 ~]# ipa-replica-prepare ds02.example.com
Directory Manager (existing master) password:

Preparing replica for ds02.example.com from ds01.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ds02.example.com.gpg
[root@ds01 ~]#

Now we need to copy this .gpg file to our new replica-to-be.

[root@ds01 ~]# scp /var/lib/ipa/replica-info-ds02.example.com.gpg root@ds02.example.com:/var/lib/ipa/
The authenticity of host 'ds02.example.com (10.0.1.12)' can't be established.
RSA key fingerprint is 36:b0:7e:de:29:7f:96:1a:f8:43:00:9a:22:24:75:15.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ds02.example.com,10.0.1.12' (RSA) to the list of known hosts.
root@ds02.example.com's password:
replica-info-ds02.example.com.gpg    100%   28KB  28.4KB/s   00:00
[root@ds01 ~]#


Step 4. Open firewall port on both hosts to allow replication
Your existing FreeIPA server will already have several ports open.
Note: If you don't use a local firewall in your environment (which I highly recommend against), you can jump to step 5 if you wish.

As a reminder, they are:

TCP: 80, 443, 389, 636, 88, 464, 53
UDP: 88, 464, 53, 123

We need to open one more port on both hosts; this port carries the replication traffic between the directory servers.

TCP: 7389

To open this port, you can run the following

[root@ds01 ~]# iptables -I INPUT -p tcp --dport 7389 -j ACCEPT
[root@ds01 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@ds01 ~]#

You will need to open all of the above ports on your new system in order to proceed. As my IPA servers only ever exist for the purpose of IPA, I cheat here and copy the /etc/sysconfig/iptables file to my replicas.

From your new system, copy the existing iptables config file and restart the iptables service

[root@ds02 ~]# scp root@ds01.example.com:/etc/sysconfig/iptables /etc/sysconfig/
The authenticity of host 'ds01.example.com (10.0.1.11)' can't be established.
RSA key fingerprint is b2:ea:40:2c:1d:55:50:b6:c6:df:d8:19:09:4d:2a:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ds01.example.com,10.0.1.11' (RSA) to the list of known hosts.
root@ds01.example.com's password:
iptables    100% 1023     1.0KB/s   00:00
[root@ds02 ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@ds02 ~]#

Or alternatively you can run the following if you want to do it the manual way.

[root@ds02 ~]# for x in 80 443 389 636 88 464 53 7389; do iptables -I INPUT -p tcp --dport $x -j ACCEPT ; done
[root@ds02 ~]# for x in 88 464 53 123 ; do iptables -I INPUT -p udp --dport $x -j ACCEPT ; done
[root@ds02 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@ds02 ~]#
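The manual loop above inserts every rule unconditionally and opens 7389 to the world. The script below is an added example, not from the original post: it builds the same rule set from the port lists in Step 4, scopes the replication port to the peer master's address, and only inserts a rule when it is not already present. It assumes an iptables that supports the -C (check) option; the peer address 10.0.1.12 is a constructed value.

```shell
#!/bin/sh
# Added example: generate/apply FreeIPA firewall rules for a replica pair.
# Port lists are the ones given in Step 4 of the post.
TCP_PORTS="80 443 389 636 88 464 53"
UDP_PORTS="88 464 53 123"
REPL_PORT=7389

# ipa_fw_rules PEER_IP -> prints one iptables command per line (dry run).
# PEER_IP is the other master; replication traffic comes only from it,
# so the replication port is limited to that source address.
ipa_fw_rules() {
    peer="$1"
    for p in $TCP_PORTS; do
        echo "iptables -I INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        echo "iptables -I INPUT -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -I INPUT -p tcp -s $peer --dport $REPL_PORT -j ACCEPT"
}

# ipa_fw_apply PEER_IP -> applies the rules idempotently and saves them.
# Each -I (insert) is first tried as -C (check); an existing rule is skipped,
# so re-running the script does not stack duplicate ACCEPT rules.
ipa_fw_apply() {
    ipa_fw_rules "$1" | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/^iptables -I/iptables -C/')
        $check 2>/dev/null || $cmd
    done
    service iptables save
}

# Usage (constructed peer address): ipa_fw_rules 10.0.1.12   # preview
#                                  ipa_fw_apply 10.0.1.12   # apply as root
```

Run ipa_fw_rules first to review the commands, then ipa_fw_apply on each master with the other master's address as the peer.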

One comment on "Setting up Multi-Master replication of FreeIPA Directory servers"

  1. ed May 26, 2016 15:42

    Great tutorial. Thanks
