How to configure FreeIPA Replication on Rocky Linux/Alma Linux/Centos 8

In this guide we will learn how to configure FreeIPA replication on Rocky Linux 8. The same steps work for other RHEL 8 derivatives such as Alma Linux, CentOS 8 and Oracle Linux 8.

A replica is a clone of a specific FreeIPA server. The server and replica share the same internal information about users, machines, certificates, and configured policies. This data is copied from the server to the replica in a process called replication. The two Directory Server instances used by a FreeIPA server (the instance the FreeIPA server uses as its data store, and the instance the Dogtag Certificate System uses to store certificate information) are replicated to the corresponding consumer Directory Server instances on the FreeIPA replica.

FreeIPA replication eliminates a single point of failure. With a FreeIPA replica set up, FreeIPA clients can continue to authenticate even if one server is down.

You should have a FreeIPA server already installed and fully functioning, with test accounts. For installation of the FreeIPA server, check out this guide: How to Install and Configure FreeIPA on Rocky Linux/Centos 8

Once you have FreeIPA server installed and configured, you can start FreeIPA Replication.

Prerequisites

To follow along, ensure that you have:

  • A FreeIPA server to replicate. Check out the guide on how to set it up here.
  • An updated Rocky Linux/Alma Linux/Centos 8 server
  • Sudo access on the server

My Setup

I have a primary FreeIPA server with hostname ipa.citizix.com and IP 10.2.40.149. The replica will be configured on ipa-replica.citizix.com with IP 10.2.40.72.

IPA Master:

Hostname: ipa.citizix.com
IP: 10.2.40.149

IPA Replica

Hostname: ipa-replica.citizix.com
IP: 10.2.40.72

Table of Contents

  1. Update the system
  2. Configure DNS local hosts file
  3. Set Replica Hostname
  4. Set up Correct Replica Server timezone
  5. Disable SELinux
  6. Install and Configure FreeIPA Client
  7. Configure FreeIPA Server
  8. Configure on Replication Server Host
  9. Removing FreeIPA replica

1. Update the system

Use this command to ensure that the host packages are up to date:

sudo dnf -y update

2. Configure DNS local hosts file

On both servers, ensure you have the hostnames of each server configured. This is important if you don't have an active DNS service in your infrastructure.

Open the hosts file with your text editor; I am using vim:

sudo vim /etc/hosts

Add the IP addresses and hostnames of both the FreeIPA server and the FreeIPA replica. Update them to reflect your own hostnames:

10.2.40.149 ipa.citizix.com ipa
10.2.40.72 ipa-replica.citizix.com ipa-replica
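Because FreeIPA refuses to install when its own hostname resolves to a loopback address, and replication depends on each server resolving the other, it is worth checking the hosts file before going further. The script below is an added example, not part of the original guide: it checks, for each FreeIPA host, that the FQDN maps to the expected IP, that the short alias is on the same line, and that the FQDN is not also mapped to 127.0.0.1 or ::1. The hosts file content is a constructed sample; point `check_ipa_host` at `/etc/hosts` to test a real server.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check of a hosts file
# before enrolling the replica. The hosts file below is a constructed sample.

HOSTS_FILE=$(mktemp)
cat > "$HOSTS_FILE" <<'EOF'
127.0.0.1   localhost localhost.localdomain
::1         localhost localhost.localdomain
10.2.40.149 ipa.citizix.com ipa
10.2.40.72  ipa-replica.citizix.com ipa-replica
EOF

# hosts_ip FILE FQDN: print the address of the first non-comment line naming FQDN
hosts_ip() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == fqdn) { print $1; exit } }
    ' "$1"
}

# hosts_has_alias FILE FQDN ALIAS: succeed when ALIAS appears on a line naming FQDN
hosts_has_alias() {
    awk -v fqdn="$2" -v alias="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { found = 0
          for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1
          if (found) for (i = 2; i <= NF; i++) if ($i == alias) ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# hosts_on_loopback FILE FQDN: succeed when FQDN is mapped to a loopback address
hosts_on_loopback() {
    awk -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 ~ /^127\./ || $1 == "::1" { for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1 }
        END { exit bad ? 0 : 1 }
    ' "$1"
}

# check_ipa_host FILE FQDN EXPECTED_IP: print one OK/FAIL line per check,
# return 0 only when every check passes
check_ipa_host() {
    file=$1; fqdn=$2; want=$3; short=${fqdn%%.*}; rc=0
    got=$(hosts_ip "$file" "$fqdn")
    if [ "$got" = "$want" ]; then echo "OK   $fqdn -> $got"
    else echo "FAIL $fqdn -> '${got:-<missing>}' (expected $want)"; rc=1; fi
    if hosts_has_alias "$file" "$fqdn" "$short"; then echo "OK   short alias '$short' present"
    else echo "FAIL short alias '$short' missing"; rc=1; fi
    if hosts_on_loopback "$file" "$fqdn"; then echo "FAIL $fqdn also mapped to a loopback address"; rc=1
    else echo "OK   $fqdn not on loopback"; fi
    return $rc
}

check_ipa_host "$HOSTS_FILE" ipa.citizix.com 10.2.40.149
check_ipa_host "$HOSTS_FILE" ipa-replica.citizix.com 10.2.40.72
```

Run it on both the master and the replica: the same two entries must pass on each machine, since the master has to resolve the replica when it is added to the ipaservers group and the replica has to resolve the master during ipa-replica-install.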

3. Set Replica Hostname

If you haven’t configured the hostname on your replica, use this command:

sudo hostnamectl set-hostname ipa-replica.citizix.com

Confirm with this:

$ hostnamectl
   Static hostname: ipa-replica.citizix.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: ee3563997878469ebfcc3f721aec3c66
           Boot ID: 09df51e3153943698ccd5b902b5aa89e
    Virtualization: kvm
  Operating System: Rocky Linux 8.4 (Green Obsidian)
       CPE OS Name: cpe:/o:rocky:rocky:8.4:GA
            Kernel: Linux 4.18.0-305.3.1.el8_4.x86_64
      Architecture: x86-64

4. Set up Correct Replica Server timezone

You also need the correct timezone. The FreeIPA server also runs an NTP service, and a correct timezone ensures the server keeps correct time.

Use this command to set the timezone. Update to your timezone:

sudo timedatectl set-timezone Africa/Nairobi

Confirm that it is configured well:

$ timedatectl
               Local time: Fri 2021-11-12 20:24:33 EAT
           Universal time: Fri 2021-11-12 17:24:33 UTC
                 RTC time: Fri 2021-11-12 17:24:31
                Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

5. Disable SELinux

If you do not want to configure SELinux for FreeIPA, you can put it in permissive mode.

Open the SELinux configuration file using your favourite text editor:

sudo vim /etc/selinux/config

Locate the following line:

SELINUX=enforcing

Change the value to permissive:

SELINUX=permissive

Also run the following command to set permissive mode without restart:

sudo setenforce 0

6. Install and Configure FreeIPA Client

Install the FreeIPA client packages using this command:

sudo dnf module -y install idm:DL1/client

Set up the client, specifying the FreeIPA server and the domain name:

sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com

For more information on how to configure the client, check out this guide here.

7. Configure FreeIPA Server

On the FreeIPA master host, add the replica host to the ipaservers host group. The master host needs to be able to resolve the replica host's address.

Confirm reachability:

$ ping ipa-replica.citizix.com
PING ipa-replica.citizix.com (10.2.40.72) 56(84) bytes of data.
64 bytes from ipa-replica.citizix.com (10.2.40.72): icmp_seq=1 ttl=64 time=1.42 ms
64 bytes from ipa-replica.citizix.com (10.2.40.72): icmp_seq=2 ttl=64 time=0.279 ms
^C
--- ipa-replica.citizix.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.279/0.849/1.419/0.570 ms

This operation requires admin access. First, obtain a Kerberos ticket.

kinit admin

Then you can now add the host to the ipaservers host group:

ipa hostgroup-add-member ipaservers --hosts ipa-replica.citizix.com

This is the output on my server:

$ ipa hostgroup-add-member ipaservers --hosts ipa-replica.citizix.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: ipa.citizix.com, ipa-replica.citizix.com
-------------------------
Number of members added 1
-------------------------

You can confirm that the replica has been added in the FreeIPA Web UI.

Citizix - ipaservers host group

If you have a firewall installed and enabled, add the replication service:

firewall-cmd --add-service=freeipa-replication
firewall-cmd --runtime-to-permanent

8. Configure on Replication Server Host

With everything set up, we can now configure replication. First install the FreeIPA server package.

sudo dnf module install -y idm:DL1/server

If firewalld is installed and running, allow the services:

firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication}
firewall-cmd --runtime-to-permanent

Now set up replication using this command:

sudo ipa-replica-install

This is the output on my server:

$ sudo ipa-replica-install
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema
  [4/38]: enabling memberof plugin
  [5/38]: enabling winsync plugin
  [6/38]: configure password logging
  [7/38]: configuring replication version plugin
  [8/38]: enabling IPA enrollment plugin
  [9/38]: configuring uniqueness plugin
  [10/38]: configuring uuid plugin
  [11/38]: configuring modrdn plugin
  [12/38]: configuring DNS plugin
  [13/38]: enabling entryUSN plugin
  [14/38]: configuring lockout plugin
  [15/38]: configuring topology plugin
  [16/38]: creating indices
  [17/38]: enabling referential integrity plugin
  [18/38]: configuring certmap.conf
  [19/38]: configure new location for managed entries
  [20/38]: configure dirsrv ccache and keytab
  [21/38]: enabling SASL mapping fallback
  [22/38]: restarting directory server
  [23/38]: creating DS keytab
  [24/38]: ignore time skew for initial replication
  [25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded

  [26/38]: prevent time skew after initial replication
  [27/38]: adding sasl mappings to the directory
  [28/38]: updating schema
  [29/38]: setting Auto Member configuration
  [30/38]: enabling S4U2Proxy delegation
  [31/38]: initializing group membership
  [32/38]: adding master entry
  [33/38]: initializing domain level
  [34/38]: configuring Posix uid/gid generation
  [35/38]: adding replication acis
  [36/38]: activating sidgen plugin
  [37/38]: activating extdom plugin
  [38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
  [1/5]: configuring KDC
  [2/5]: adding the password extension to the directory
  [3/5]: creating anonymous principal
  [4/5]: starting the KDC
  [5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
  [1/2]: starting kadmin
  [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
  [1/3]: configuring TLS for DS instance
  [2/3]: importing CA certificates from LDAP
  [3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
  [1/21]: stopping httpd
  [2/21]: backing up ssl.conf
  [3/21]: disabling nss.conf
  [4/21]: configuring mod_ssl certificate paths
  [5/21]: setting mod_ssl protocol list
  [6/21]: configuring mod_ssl log directory
  [7/21]: disabling mod_ssl OCSP
  [8/21]: adding URL rewriting rules
  [9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
  [10/21]: setting up httpd keytab
  [11/21]: configuring Gssproxy
  [12/21]: setting up ssl
  [13/21]: configure certmonger for renewals
  [14/21]: publish CA cert
  [15/21]: clean up any existing httpd ccaches
  [16/21]: configuring SELinux for httpd
  [17/21]: create KDC proxy config
  [18/21]: enable KDC proxy
  [19/21]: starting httpd
  [20/21]: configuring httpd to start on boot
  [21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
  [1/2]: starting ipa-otpd
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa.citizix.com' as master peer.
Configuring ipa-custodia
  [1/4]: Generating ipa-custodia config file
  [2/4]: Generating ipa-custodia keys
  [3/4]: starting ipa-custodia
  [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
  [1/2]: configure certmonger for renewals
  [2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC

WARNING: The CA service is only installed on one server (ipa.citizix.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

The ipa-replica-install command was successful

Once replication is set up, you can find existing user accounts, or add new accounts, on the replica host.

First, obtain a Kerberos ticket:

$ kinit admin
Password for admin@IPA.CITIZIX.COM:

Then find users:

$ ipa user-find
---------------
3 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@IPA.CITIZIX.COM, root@IPA.CITIZIX.COM
  UID: 1063800000
  GID: 1063800000
  Account disabled: False

  User login: etowett
  First name: Eutychus
  Last name: Towett
  Home directory: /home/etowett
  Login shell: /bin/bash
  Principal name: etowett@IPA.CITIZIX.COM
  Principal alias: etowett@IPA.CITIZIX.COM
  Email address: etowett@citizix.com
  UID: 1063800001
  GID: 1063800001
  Account disabled: False

  User login: kip
  First name: Kipkoech
  Last name: Towett
  Home directory: /home/kip
  Login shell: /bin/bash
  Principal name: kip@IPA.CITIZIX.COM
  Principal alias: kip@IPA.CITIZIX.COM
  Email address: kip@citizix.com
  UID: 1063800003
  GID: 1063800003
  Account disabled: False
----------------------------
Number of entries returned 3
----------------------------
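Listing users on the replica only shows that it answers; to confirm that it holds the same accounts as the master, compare the two listings. The script below is an added example, not part of the original guide: it parses `ipa user-find` output from each server and reports logins present on one side but not the other. The two outputs are constructed samples modelled on the guide's output, with the replica deliberately one account behind; in practice capture them with `ipa user-find` on each host.

```shell
#!/bin/sh
# Added example (not from the original guide): compare the user logins reported
# by `ipa user-find` on the master and on the replica. Both outputs below are
# constructed samples; the replica one is missing an account on purpose.

MASTER_OUTPUT='---------------
3 users matched
---------------
  User login: admin
  Last name: Administrator
  Account disabled: False

  User login: etowett
  First name: Eutychus
  Account disabled: False

  User login: kip
  First name: Kipkoech
  Account disabled: False
----------------------------
Number of entries returned 3
----------------------------'

REPLICA_OUTPUT='---------------
2 users matched
---------------
  User login: admin
  Account disabled: False

  User login: etowett
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------'

# ipa_user_logins OUTPUT: sorted, space-separated list of the logins in OUTPUT
ipa_user_logins() {
    printf '%s\n' "$1" | sed -n 's/^ *User login: *//p' | sort | tr '\n' ' ' | sed 's/ $//'
}

# ipa_entries_returned OUTPUT: the count the server reports in its footer
ipa_entries_returned() {
    printf '%s\n' "$1" | sed -n 's/^Number of entries returned *//p'
}

# replication_missing A B: logins present in listing A but absent from listing B
# (space separated; empty when B has everything A has)
replication_missing() {
    a=$(ipa_user_logins "$1" | tr ' ' '\n')
    b=$(ipa_user_logins "$2" | tr ' ' '\n')
    printf '%s\n' "$a" | while read -r login; do
        [ -n "$login" ] || continue
        printf '%s\n' "$b" | grep -qx "$login" || printf '%s ' "$login"
    done | sed 's/ $//'
}

# replication_in_sync MASTER REPLICA: succeed only when both listings agree
replication_in_sync() {
    [ -z "$(replication_missing "$1" "$2")" ] && [ -z "$(replication_missing "$2" "$1")" ]
}

if replication_in_sync "$MASTER_OUTPUT" "$REPLICA_OUTPUT"; then
    echo "replica in sync ($(ipa_entries_returned "$REPLICA_OUTPUT") users)"
else
    echo "missing on replica: $(replication_missing "$MASTER_OUTPUT" "$REPLICA_OUTPUT")"
    echo "missing on master:  $(replication_missing "$REPLICA_OUTPUT" "$MASTER_OUTPUT")"
fi
```

A login missing on the replica right after installation usually means the initial replication has not finished; a login that stays missing, or that exists only on the replica, points at a broken replication agreement and is worth investigating before clients are pointed at the replica.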

9. Removing FreeIPA replica

To remove a FreeIPA replica, first uninstall FreeIPA on the replica server using:

# ipa-server-install --uninstall

Then, on the master, remove the replica from the replication topology and from the ipaservers host group:

# ipa-replica-manage del ipa-replica.citizix.com --force
# ipa hostgroup-remove-member ipaservers --hosts ipa-replica.citizix.com

In this guide we have set up, verified and removed a FreeIPA replica.
