This guide will walk you through manually setting up a new replication agreement on an existing FreeIPA server that is already replicating to a host.
For this guide, I will be using the below details
Directory Server #1: ds01.example.com (10.0.1.11)
Directory Server #2: ds02.example.com (10.0.1.12)
Directory Server #3: ds03.example.com (10.0.1.13)
I will treat the FreeIPA scenario above as a real-world situation, using the servers listed.
Prerequisites:
I will assume that, if you are following my previous guides, you already have the FreeIPA packages installed on ds03.example.com and the correct ports open via iptables.
Step 1. Prepare the FreeIPA domain for the new replica server (run on the existing host ds02.example.com)
Let's prepare FreeIPA so it knows to expect ds03.example.com to jump in and become a replica.
Note: You should already know what this looks like from my previous articles.
[root@ds02 ~]# ipa-replica-prepare ds03.example.com
Directory Manager (existing master) password:
Preparing replica for ds03.example.com from ds02.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ds03.example.com.gpg
[root@ds02 ~]#
Copy the new gpg file to ds03.example.com.
Step 2. Start replica install
From ds03.example.com, start the replica installation.
[root@ds03 ~]# ipa-replica-install --setup-dns --setup-ca --forwarder=10.0.0.254 /var/lib/ipa/replica-info-ds03.example.com.gpg
Directory Manager (existing master) password:
Run connection check to master
Check connection from replica to remote master 'ds02.example.com':
   Directory Service: Unsecure port (389): OK
   Directory Service: Secure port (636): OK
   Kerberos KDC: TCP (88): OK
   Kerberos Kpasswd: TCP (464): OK
   HTTP Server: Unsecure port (80): OK
   HTTP Server: Secure port (443): OK
   PKI-CA: Directory Service port (7389): OK
...
...
...
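As an added pre-flight check (my own example script, not part of the original guide or of the FreeIPA project), the script below does two things from the new replica: it tests that every port the connection check above expects (389, 636, 88, 464, 80, 443, 7389) is reachable on the existing master, so an iptables gap shows up before ipa-replica-install is run, and it parses a saved copy of that connection-check output and reports any port line that is not OK. It assumes an OpenBSD-style nc (netcat) binary that accepts -z and -w is installed on ds03.example.com, and that the check output was captured to a file with tee or copied from the terminal; the file name replica-preflight.sh is hypothetical.

```shell
#!/bin/sh
# replica-preflight.sh (hypothetical name): pre-flight checks before
# running ipa-replica-install against an existing FreeIPA master.

# Ports that the ipa-replica-install connection check expects to reach on
# the master, taken from the check output shown in this guide.
REPLICA_PORTS="389 636 88 464 80 443 7389"

# preflight MASTER
# Try a TCP connect to each required port on MASTER. Prints one line per
# port and returns 1 if any port is blocked (assumes OpenBSD-style nc).
preflight() {
    host=$1
    rc=0
    for p in $REPLICA_PORTS; do
        if nc -z -w 3 "$host" "$p" 2>/dev/null; then
            printf '%s:%s open\n' "$host" "$p"
        else
            printf '%s:%s BLOCKED\n' "$host" "$p"
            rc=1
        fi
    done
    return $rc
}

# parse_conn_check FILE
# Read a saved copy of the "Check connection from replica to remote master"
# output. Every line naming a port looks like "...(PORT): STATUS"; print the
# ones whose status is not OK and return 1 if there were any, else 0.
parse_conn_check() {
    failed=$(grep -E '\([0-9]+\):' "$1" | grep -v ': OK$')
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed"
        return 1
    fi
    return 0
}

# Usage: sh replica-preflight.sh ds02.example.com [saved-check-output]
if [ $# -ge 1 ]; then
    preflight "$1" || exit 1
    if [ $# -ge 2 ]; then
        parse_conn_check "$2"
    fi
fi
```

Run it as sh replica-preflight.sh ds02.example.com before starting the replica install; a BLOCKED line points at the iptables rule or service to fix on the master. The parser is useful after the fact as well, for example when the install output was saved with tee and you want the failing port without re-reading the whole log.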