Last night I published an article on how to set up a FreeIPA Identity Management server. You can find the article here.
Today, let's take things one step further by adding redundancy into the equation. If you are familiar with Microsoft Active Directory and how Windows Domain Controllers replicate between each other, this article will show you how to set up FreeIPA to achieve the same goal.
For this article, you will obviously need an existing FreeIPA server that is up and running, as well as a new system that you wish to make a secondary master.
In this article, I will be using the details below.
Existing FreeIPA server: ds01.example.com (10.0.1.11)
New FreeIPA server: ds02.example.com (10.0.1.12)
FreeIPA Admin user: admin
FreeIPA Admin password: redhat123
FreeIPA Directory Manager user: admin
FreeIPA Directory Manager password: redhat123
DNS Forwarder: 10.0.0.254 (same as the forwarder configured on ds01.example.com)
Operating System of both hosts: Red Hat Enterprise Linux 6.3 x86_64
Step 1. Install FreeIPA packages on new system
Although you *could* set up replication between servers running different versions of FreeIPA, I highly recommend sticking with the same version as your existing host.
Install the same packages as you did on your first host. Note: if you are using external DNS, you do not need to install the bind packages.
[root@ds02 ~]# yum install -y ipa-server bind bind-utils bind-dyndb-ldap
Step 2. Add new host to DNS
We need to set up IPA so that it knows to allow replication with the new host when we install it. This depends on DNS, however, so we will need to add the DNS entries for our new server before we can prepare IPA.
Note: if you are using external DNS, this does not apply to you.
To add your new host to DNS, run the following commands on your existing FreeIPA server.
[root@ds01 ~]# kinit admin
Password for admin@EXAMPLE.COM:
[root@ds01 ~]# ipa dnsrecord-add example.com ds02 --a-rec 10.0.1.12
  Record name: ds02
  A record: 10.0.1.12
[root@ds01 ~]# ipa dnsrecord-add 1.0.10.in-addr.arpa. 12 --ptr-rec ds02.example.com.
  Record name: 12
  PTR record: ds02.example.com.
[root@ds01 ~]#
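The reverse zone and PTR record name above were worked out by hand for 10.0.1.12. As an added example (my own script, not part of the original article or of FreeIPA), here is a small POSIX shell script that derives the in-addr.arpa zone and record name from the replica's address, prints the two ipa dnsrecord-add commands to run on the existing server, and checks with dig (from bind-utils) that the A and PTR records agree with each other. Mismatched forward and reverse records are a common reason replica preparation fails, so running the check on both hosts before the next step saves a round of debugging. The hostnames and addresses are the article's; the /24 prefix length and the restriction to /8, /16 and /24 networks are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original article or from FreeIPA.
# Derives the reverse-DNS zone and PTR record name for a replica's IPv4
# address, emits the matching "ipa dnsrecord-add" commands, and can verify
# that forward and reverse lookups agree before ipa-replica-prepare is run.
# Assumptions: classful /8, /16 or /24 networks; names/IPs taken from the article.

# reverse_zone IP PREFIXLEN -> the in-addr.arpa zone for the network
reverse_zone() {
    ip=$1; prefix=$2
    set -- $(echo "$ip" | tr '.' ' ')          # split into the four octets
    case "$prefix" in
        8)  echo "$1.in-addr.arpa." ;;
        16) echo "$2.$1.in-addr.arpa." ;;
        24) echo "$3.$2.$1.in-addr.arpa." ;;
        *)  echo "unsupported prefix length: $prefix (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# ptr_name IP PREFIXLEN -> the record name inside that zone (host octets, reversed)
ptr_name() {
    ip=$1; prefix=$2
    set -- $(echo "$ip" | tr '.' ' ')
    case "$prefix" in
        8)  echo "$4.$3.$2" ;;
        16) echo "$4.$3" ;;
        24) echo "$4" ;;
        *)  echo "unsupported prefix length: $prefix (use 8, 16 or 24)" >&2; return 1 ;;
    esac
}

# dns_add_commands FQDN IP FORWARDZONE PREFIXLEN -> prints the two ipa commands
# (one per line) to run on the existing server after "kinit admin"
dns_add_commands() {
    fqdn=$1; ip=$2; zone=$3; prefix=$4
    host=${fqdn%%.*}                           # short hostname = label left of the first dot
    echo "ipa dnsrecord-add $zone $host --a-rec $ip"
    echo "ipa dnsrecord-add $(reverse_zone "$ip" "$prefix") $(ptr_name "$ip" "$prefix") --ptr-rec $fqdn."
}

# check_dns FQDN IP -> returns 0 when the A record and the PTR record point at
# each other, 1 otherwise. Needs dig; run on both the existing server and the replica.
check_dns() {
    fqdn=$1; ip=$2
    fwd=$(dig +short A "$fqdn" | head -n 1)
    rev=$(dig +short -x "$ip" | head -n 1)
    if [ "$fwd" = "$ip" ] && [ "$rev" = "$fqdn." ]; then
        echo "OK: $fqdn <-> $ip"
        return 0
    fi
    echo "MISMATCH: A($fqdn)=$fwd PTR($ip)=$rev" >&2
    return 1
}

# Usage: print the commands for the article's replica; pass --check once the
# records are live (and dig is installed) to verify them.
dns_add_commands ds02.example.com 10.0.1.12 example.com 24
if [ "${1:-}" = "--check" ] && command -v dig >/dev/null 2>&1; then
    check_dns ds02.example.com 10.0.1.12
fi
```

Save it as, say, replica-dns.sh; `sh replica-dns.sh` prints the two commands shown in the session above, and `sh replica-dns.sh --check` exits non-zero with a MISMATCH line if either lookup disagrees, which is the condition you want to catch before preparing the replica.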