Managing FreeIPA replication agreements

This guide will walk you through manually setting up a new replication agreement on an existing FreeIPA server that is already replicating to a host.

For this guide, I will be using the details below:

Directory Server #1 : ds01.example.com (10.0.1.11)
Directory Server #2 : ds02.example.com (10.0.1.12)
Directory Server #3 : ds03.example.com (10.0.1.13)

I will be following the FreeIPA scenario above as if it were a real-world situation, with the servers stated.

Prerequisites:

I will assume that, if you are following my previous guides, you already have the FreeIPA packages installed on ds03.example.com and the correct ports open via iptables.


Step 1. Prepare the FreeIPA domain for the new replica server ds03.example.com (run on host ds02.example.com)

Let's prepare FreeIPA so it knows to expect ds03.example.com to jump in and become a replica.
Note: You should already know what this looks like from my previous articles.

[root@ds02 ~]# ipa-replica-prepare ds03.example.com
Directory Manager (existing master) password:

Preparing replica for ds03.example.com from ds02.example.com
Creating SSL certificate for the Directory Server
Creating SSL certificate for the dogtag Directory Server
Creating SSL certificate for the Web Server
Exporting RA certificate
Copying additional files
Finalizing configuration
Packaging replica information into /var/lib/ipa/replica-info-ds03.example.com.gpg
[root@ds02 ~]#


Copy your new gpg file to ds03.example.com


Step 2. Start replica install

From ds03.example.com, start the replica installation.

[root@ds03 ~]# ipa-replica-install --setup-dns --setup-ca --forwarder=10.0.0.254 /var/lib/ipa/replica-info-ds03.example.com.gpg
Directory Manager (existing master) password:

Run connection check to master
Check connection from replica to remote master 'ds02.example.com':
Directory Service: Unsecure port (389): OK
Directory Service: Secure port (636): OK
Kerberos KDC: TCP (88): OK
Kerberos Kpasswd: TCP (464): OK
HTTP Server: Unsecure port (80): OK
HTTP Server: Secure port (443): OK
PKI-CA: Directory Service port (7389): OK
...
...
...
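The two steps above, plus the copy of the gpg file in between and a check of the resulting agreement afterwards, wrapped into one shell script. This is an added example written for this page, not the author's commands and not a script from the FreeIPA project. The subcommand names (prepare, install, verify), the FQDN validation, the choice to move the replica-info file over scp and delete each copy once it has been used, and the sample agreement listing in the comments are this example's own assumptions; the only FreeIPA tools it calls are ipa-replica-prepare and ipa-replica-install as shown on the page, and ipa-replica-manage list, FreeIPA's command for listing a master's replication agreements.

```shell
#!/bin/sh
# Added example for this page: drives the post's two steps (prepare on the
# existing master, install on the new replica) with the checks a practitioner
# wants around them. Not the author's commands and not a FreeIPA project script.
# Assumed: ipa-replica-prepare, ipa-replica-install and ipa-replica-manage are
# on PATH on the respective hosts; the subcommand names are this script's own.
set -eu

# Path that ipa-replica-prepare writes the replica info file to, as shown in
# the post's "Packaging replica information into ..." line.
replica_info_path() {
    printf '/var/lib/ipa/replica-info-%s.gpg\n' "$1"
}

# FreeIPA registers replicas by fully qualified name; refuse short names and
# anything with characters that do not belong in a hostname, since the value
# ends up in file paths and in the commands below.
is_fqdn() {
    printf '%s\n' "$1" |
        grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# $1: captured output of `ipa-replica-manage list MASTER` (one "host: type"
# line per agreement, e.g. "ds03.example.com: replica"; this sample line is
# constructed), $2: replica FQDN. True if an agreement to $2 is listed.
has_agreement() {
    escaped=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -Eq "^${escaped}: "
}

# Step 1, run on the existing master (ds02.example.com in the post): create the
# replica info file, confirm it exists, ship it to the new host over ssh and
# remove the master's copy. The file carries the new replica's keys and
# certificates, so it should not linger on the master or travel in the clear.
prepare_replica() {
    new_replica=$1
    is_fqdn "$new_replica" || { echo "not an FQDN: $new_replica" >&2; return 1; }
    ipa-replica-prepare "$new_replica"
    info=$(replica_info_path "$new_replica")
    [ -s "$info" ] || { echo "replica info file not created: $info" >&2; return 1; }
    scp -p "$info" "root@${new_replica}:${info}"
    rm -f "$info"
}

# Step 2, run on the new replica (ds03.example.com in the post), with the same
# flags the post uses. ipa-replica-install runs the connection check shown in
# the post itself and aborts if any port is unreachable.
install_replica() {
    new_replica=$1
    forwarder=$2
    info=$(replica_info_path "$new_replica")
    [ -s "$info" ] || { echo "copy $info to this host first" >&2; return 1; }
    ipa-replica-install --setup-dns --setup-ca --forwarder="$forwarder" "$info"
    rm -f "$info"
}

# After the install: ask the master which agreements it holds and require one
# pointing at the new replica.
verify_agreement() {
    master=$1
    new_replica=$2
    listing=$(ipa-replica-manage list "$master")
    if has_agreement "$listing" "$new_replica"; then
        echo "agreement ${master} -> ${new_replica} present"
    else
        echo "no agreement from ${master} to ${new_replica}; master lists:" >&2
        printf '%s\n' "$listing" >&2
        return 1
    fi
}

usage() {
    echo "usage: $0 prepare NEW_FQDN | install NEW_FQDN FORWARDER_IP | verify MASTER_FQDN NEW_FQDN" >&2
    return 2
}

main() {
    case "${1:-}" in
        prepare) [ $# -eq 2 ] || usage; prepare_replica "$2" ;;
        install) [ $# -eq 3 ] || usage; install_replica "$2" "$3" ;;
        verify)  [ $# -eq 3 ] || usage; verify_agreement "$2" "$3" ;;
        *) usage ;;
    esac
}

# Dispatch only when called with arguments; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `./replica.sh prepare ds03.example.com` on ds02, then `./replica.sh install ds03.example.com 10.0.0.254` on ds03, then `./replica.sh verify ds02.example.com ds03.example.com` on either master. Each FreeIPA command still prompts for the Directory Manager password as in the post; the script only adds the file-existence checks, the transfer and the final agreement check.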
