Managing FreeIPA replication agreements

Over the last few days I’ve written a couple of articles on setting up FreeIPA as a centralized Identity Management solution.

You can find articles on setting up FreeIPA from scratch here, and setting up multi-master replication here.

One thing that FreeIPA does differently from Microsoft Active Directory domain controllers is that, by default, a new domain replica will not automatically replicate with every other directory server in the domain.
Tonight’s article is all about setting up your FreeIPA directory servers to replicate with the server or servers of your choosing.

Let me explain what I am talking about with a quick example scenario. I will compare it to Microsoft Active Directory for those of you who are coming from that type of background.

Microsoft Active Directory scenario:

I have 3 x Active Directory Domain Controllers and I have done nothing more than run “dcpromo” on each server to join them to the domain. I have not customized Active Directory Sites and Services at all.

By default,
Domain Controller #1 will replicate to Domain Controller #2 and Domain Controller #3,
Domain Controller #2 will replicate to Domain Controller #1 and Domain Controller #3,
and Domain Controller #3 will replicate back to Domain Controller #1 and Domain Controller #2.

Basically, the easiest way to summarize the above is: “Active Directory Domain Controllers will replicate with EVERY other Domain Controller in the domain by default.”

Make sense?

Now, for the FreeIPA scenario:

I have 3 x FreeIPA Directory Servers. From Directory Server #1, I created a replication agreement with Directory Server #2. (Remember creating the gpg file? That is what’s used.)
As part of this same process, Directory Server #2 will also replicate back to Directory Server #1.

Now I am going to set up replication to another multi-master Directory Server, but this time I am going to create the replication agreement from Directory Server #2 (this is where I will create the gpg file).
So now,
Directory Server #1 will replicate to Directory Server #2,
Directory Server #2 will replicate to Directory Server #1 AND Directory Server #3,
and Directory Server #3 will ONLY replicate with the server with which its replication agreement was set up. In this case, Directory Server #2.

Do you see where we are going here? Directory Server #2 is now the only link between #1 and #3: if it goes down, #1 and #3 stop receiving each other’s changes. If all three of these Directory Servers are in the same location, it makes sense to have them replicating between all three of themselves.
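To make the topology argument concrete, here is an added example (my own code, not part of the original article or of FreeIPA itself) that models the three-server scenario above as a graph. It takes a list of bidirectional replication agreements, reports which server pairs have no agreement, and finds any server whose loss would split the remaining servers into groups that no longer replicate with each other. It generalizes beyond three servers to any number of replicas. The hostnames are constructed sample values, and the `ipa-replica-manage connect` strings it produces use the command syntax FreeIPA used for managing agreements at the time of this article (domain level 1 deployments manage the topology with `ipa topologysegment-add` instead); the script itself only prints them and runs nothing.

```python
from itertools import combinations

# Constructed sample: the article's scenario. Each pair is one replication
# agreement; FreeIPA agreements replicate in both directions.
SERVERS = ["ds1.example.com", "ds2.example.com", "ds3.example.com"]
AGREEMENTS = [
    ("ds1.example.com", "ds2.example.com"),  # created from Directory Server #1
    ("ds2.example.com", "ds3.example.com"),  # created from Directory Server #2
]


def build_topology(servers, agreements):
    """Return an adjacency map {server: set(peers)} for bidirectional agreements."""
    adj = {s: set() for s in servers}
    for a, b in agreements:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def missing_agreements(servers, agreements):
    """Server pairs that have no direct replication agreement, in input order."""
    existing = {frozenset(pair) for pair in agreements}
    return [(a, b) for a, b in combinations(servers, 2)
            if frozenset((a, b)) not in existing]


def is_connected_without(adj, removed):
    """True if every server other than `removed` can still reach every other one."""
    remaining = [s for s in adj if s != removed]
    if not remaining:
        return True
    seen, stack = set(), [remaining[0]]
    while stack:  # depth-first search, skipping the removed server
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(peer for peer in adj[node]
                     if peer != removed and peer not in seen)
    return seen == set(remaining)


def single_points_of_failure(adj):
    """Servers whose outage would partition replication among the others."""
    return sorted(s for s in adj if not is_connected_without(adj, s))


def suggested_connect_commands(servers, agreements):
    """Command lines (hypothetical output only, never executed here) that would
    add the missing agreements and make the topology a full mesh."""
    return [f"ipa-replica-manage connect {a} {b}"
            for a, b in missing_agreements(servers, agreements)]


if __name__ == "__main__":
    topology = build_topology(SERVERS, AGREEMENTS)
    print("Missing agreements:", missing_agreements(SERVERS, AGREEMENTS))
    print("Single points of failure:", single_points_of_failure(topology))
    for cmd in suggested_connect_commands(SERVERS, AGREEMENTS):
        print("Suggested:", cmd)
```

Run against the sample data it reports the one missing pair (#1 and #3) and flags Directory Server #2 as the single point of failure; add the third agreement to the list and the report comes back empty, which is the fully meshed state the article recommends for servers in one location.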
