FreeIPA : Replication Setting2025/01/28 |
|
Configure FreeIPA Replication. +----------------------+ | +----------------------+ | [ FreeIPA Master ] |10.0.0.40 | 10.0.0.61| [ FreeIPA Replica ] | | dlp.ipa.srv.world +----------+----------+ node01.ipa.srv.world | | | | | +----------------------+ +----------------------+ |
| [1] | |
| [2] | On FreeIPA Master Host, Add a replication Host to [ipaservers] group. Furthermore, it needs to resolve Address Resolution on Master Host and Replica Host. If you are using FreeIPA integrated DNS but not set reverse zone, Configure like follows. |
|
[root@dlp ~]# ipa hostgroup-add-member ipaservers --hosts node01.ipa.srv.world Host-group: ipaservers Description: IPA server hosts Member hosts: dlp.ipa.srv.world, node01.ipa.srv.world ------------------------- Number of members added 1 ------------------------- # if not set reverse zone yet on integrated DNS, set it # example below is for [10.0.0.0/24] network [root@dlp ~]# ipa dnszone-add 0.0.10.in-addr.arpa
# add PTR record in reverse zone [root@dlp ~]# ipa dnsrecord-add 0.0.10.in-addr.arpa 40 --ptr-rec dlp.ipa.srv.world. [root@dlp ~]# ipa dnsrecord-add 0.0.10.in-addr.arpa 61 --ptr-rec node01.ipa.srv.world.
# if firewalld is running, allow services [root@dlp ~]# firewall-cmd --add-service=freeipa-replication success [root@dlp ~]# firewall-cmd --runtime-to-permanent success |
| [3] | Configure on Replication Server Host. |
|
# if firewalld is running, allow services [root@node01 ~]# firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication} success [root@node01 ~]# firewall-cmd --runtime-to-permanent success
[root@node01 ~]#
dnf -y install freeipa-server freeipa-server-dns # setup replication # if set DNS forwarder, specify [--forwarder=xxx.xxx.xxx.xxx] [root@node01 ~]# ipa-replica-install --setup-ca --setup-dns --no-forwarders
Password for admin@IPA.SRV.WORLD: # answer with admin password
Lookup failed: Preferred host node01.ipa.srv.world does not provide DNS.
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/39]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
.....
.....
[5/7]: activating sidgen task
[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account
[7/7]: adding fallback group
Fallback group already set, nothing to do
Done.
The ipa-replica-install command was successful
|
| [4] | After finishing to setup replication normally, it's possible to find existing user accounts or add new accounts on Replication Host. |
|
[root@node01 ~]# kinit admin Password for admin@IPA.SRV.WORLD: [root@node01 ~]# ipa user-find --------------- 4 users matched --------------- User login: admin Last name: Administrator Home directory: /home/admin Login shell: /bin/bash Principal alias: admin@IPA.SRV.WORLD, root@IPA.SRV.WORLD UID: 1801800000 GID: 1801800000 Account disabled: False User login: cent First name: cent Last name: cent Home directory: /home/cent Login shell: /bin/bash Principal name: cent@IPA.SRV.WORLD Principal alias: cent@IPA.SRV.WORLD Email address: cent@ipa.srv.world UID: 1801800003 GID: 1801800003 Account disabled: False ..... ..... |
| Sponsored Link |
|
|