In this guide we will learn how to configure FreeIPA replication on Rocky Linux 8. This guide will also work for RHEL 8 derivatives like Alma Linux or Centos 8 or Oracle Linux 8.
A replica is a clone of a specific FreeIPA server. The server and replica share the same internal information about users, machines, certificates, and configured policies. These data are copied from the server to the replica in a process called replication. The two Directory Server instances used by an FreeIPA server — the Directory Server instance used by the FreeIPA server as a data store and the Directory Server instance used by the Dogtag Certificate System to store certificate information — are replicated over to corresponding consumer Directory Server instances used by the FreeIPA replica.
FreeIPA replication eliminates single point of failure. When you have FreeIPA replica setup, FreeIPA Clients can continue to authenticate even if a Server is down.
You should have FreeIPA Server already installed and fully functioning, with test accounts. For installation of FreeIPA Server, checkout this guide: How to Install and Configure FreeIPA on Rocky Linux/Centos 8
Once you have FreeIPA server installed and configured, you can start FreeIPA Replication.
Related Content
- How to manage users and groups in FreeIPA Server
- How To Install FreeIPA Client on Fedora 35
- How To Install FreeIPA Client on Rocky Linux/Alma Linux/CentOS 8
- How to Install and Configure FreeIPA on Rocky Linux/Centos
- How To Install and Configure FreeIPA Client on Ubuntu 20.04
Prerequisites
To follow along, ensure that you have:
- A FreeIPA server to replicate. Checkout the guide on how to set up here.
- An Updated Rocky Linux/Alma Linux/Centos 8 server
- Sudo access in the server
My Setup
I have a Primary FreeIPA server with hostname ipa.citizix.com
and IP 10.2.40.149
and the replica will be configured on ipa-replica.citizix.com
with IP 10.2.40.72
.
IPA Master:
Hostname: ipa.citizix.com
IP: <span style="font-size: calc(11px + 0.2em);">10.2.40.149</span>
IPA Replica
Hostname: ipa-<span style="font-size: calc(11px + 0.2em);">replica.citizix.com</span>
IP: <span style="font-size: calc(11px + 0.2em);">10.2.40.72</span>
Table of Content
- Update the system
- Configure DNS local hosts file
- Set Replica Hostname
- Set up Correct Replica Server timezone
- Disable SELinux
- Install and Configure FreeIPA Client
- Configure FreeIPA Server
- Configure on Replication Server Host
1. Update the system
Use this command to ensure that the host packages are up to date:
sudo dnf -y update
2. Configure DNS local hosts file
On both servers, ensure you have hostnames for each server configured. This is important if you don’t have active DNS service in your Infrastructure.
Open the hosts file with your text editor, I am using vim:
sudo vim /etc/hosts
Add the IP and hostnames for both FreeIPA servers and the FreeIPA replica servers. Update to reflect your hostnames:
10.2.40.149 ipa.citizix.com ipa
<span style="font-size: calc(11px + 0.2em);">10.2.40.72</span> ipa-<span style="font-size: calc(11px + 0.2em);">replica.citizix.com</span> ipa-<span style="font-size: calc(11px + 0.2em);">replica</span>
3. Set Replica Hostname
If you haven’t configured the hostname on your replica, use this command:
sudo hostnamectl set-hostname <span style="font-size: calc(11px + 0.2em);">ipa-replica.citizix.com</span>
Confirm with this:
$ hostnamectl
Static hostname: ipa-replica.citizix.com
Icon name: computer-vm
Chassis: vm
Machine ID: ee3563997878469ebfcc3f721aec3c66
Boot ID: 09df51e3153943698ccd5b902b5aa89e
Virtualization: kvm
Operating System: Rocky Linux 8.4 (Green Obsidian)
CPE OS Name: cpe:/o:rocky:rocky:8.4:GA
Kernel: Linux 4.18.0-305.3.1.el8_4.x86_64
Architecture: x86-64
4. Set up Correct Replica Server timezone
You
also need to have correct timezone. The FreeIPA server will also run NTP service and correct timezone will ensure you have correct time on the server.Use this command to set the timezone. Update to your timezone:
sudo timedatectl set-timezone Africa/Nairobi
Confirm that it is configured well:
$ timedatectl
Local time: Fri 2021-11-12 20:24:33 EAT
Universal time: Fri 2021-11-12 17:24:33 UTC
RTC time: Fri 2021-11-12 17:24:31
Time zone: Africa/Nairobi (EAT, +0300)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
5. Disable SELinux
If you do not want to set up SELinux, we can put it in permissive mode.
Open the SELinux configuration file using your favourite text editor
sudo vim /etc/selinux/config
Locate the following line:
SELINUX=enforcing
Change the value to permisive
:
SELINUX=permisive
Also run the following command to set permissive mode without restart:
sudo setenforce 0
6. Install and Configure FreeIPA Client
Install FreeIPA Client packages using this command.
sudo dnf module -y install idm:DL1/client
setup client with specifying FreeIPA server and domain name
sudo ipa-client-install --server=ipa.citizix.com --domain ipa.citizix.com
For more information on how to configure the client checkout this guide here.
7. Configure FreeIPA Server
On FreeIPA Master Host, Add a replication Host to group: ipaservers
. The paster host needs to resolve Address Resolution to the Replica Host.
Confirm reachability
$ ping ipa-replica.citizix.com
PING ipa-replica.citizix.com (10.2.40.72) 56(84) bytes of data.
64 bytes from ipa-replica.citizix.com (10.2.40.72): icmp_seq=1 ttl=64 time=1.42 ms
64 bytes from ipa-replica.citizix.com (10.2.40.72): icmp_seq=2 ttl=64 time=0.279 ms
^C
--- ipa-replica.citizix.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.279/0.849/1.419/0.570 ms
This operation requires admin access. First, obtain a Kerberos ticket.
kinit admin
Then you can now add the host to the ipaservers
host group:
ipa hostgroup-add-member ipaservers --hosts ipa-replica.citizix.com
This is the output on my server
$ ipa hostgroup-add-member ipaservers --hosts ipa-replica.citizix.com
Host-group: ipaservers
Description: IPA server hosts
Member hosts: ipa.citizix.com, ipa-replica.citizix.com
-------------------------
Number of members added 1
-------------------------
You can confirm that the replica has been added in the FreeIPA Web UI.
If you have firewall installed and enabled, add the replication service:
firewall-cmd --add-service=freeipa-replication
firewall-cmd --runtime-to-permanent
8. Configure on Replication Server Host
With everything set up, we can not configure replication. First install the FreeIPA Server package.
sudo dnf module install -y idm:DL1/server
If you have firewalld Installed and firewalld is running, allow the services:
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication}
firewall-cmd --runtime-to-permanent
Now set up replication using this command:
sudo ipa-replica-install
This is the output on my server
$ sudo ipa-replica-install
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
[1/38]: creating directory server instance
[2/38]: tune ldbm plugin
[3/38]: adding default schema
[4/38]: enabling memberof plugin
[5/38]: enabling winsync plugin
[6/38]: configure password logging
[7/38]: configuring replication version plugin
[8/38]: enabling IPA enrollment plugin
[9/38]: configuring uniqueness plugin
[10/38]: configuring uuid plugin
[11/38]: configuring modrdn plugin
[12/38]: configuring DNS plugin
[13/38]: enabling entryUSN plugin
[14/38]: configuring lockout plugin
[15/38]: configuring topology plugin
[16/38]: creating indices
[17/38]: enabling referential integrity plugin
[18/38]: configuring certmap.conf
[19/38]: configure new location for managed entries
[20/38]: configure dirsrv ccache and keytab
[21/38]: enabling SASL mapping fallback
[22/38]: restarting directory server
[23/38]: creating DS keytab
[24/38]: ignore time skew for initial replication
[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 3 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication
[27/38]: adding sasl mappings to the directory
[28/38]: updating schema
[29/38]: setting Auto Member configuration
[30/38]: enabling S4U2Proxy delegation
[31/38]: initializing group membership
[32/38]: adding master entry
[33/38]: initializing domain level
[34/38]: configuring Posix uid/gid generation
[35/38]: adding replication acis
[36/38]: activating sidgen plugin
[37/38]: activating extdom plugin
[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring Kerberos KDC (krb5kdc)
[1/5]: configuring KDC
[2/5]: adding the password extension to the directory
[3/5]: creating anonymous principal
[4/5]: starting the KDC
[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin
[1/2]: starting kadmin
[2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)
[1/3]: configuring TLS for DS instance
[2/3]: importing CA certificates from LDAP
[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)
[1/21]: stopping httpd
[2/21]: backing up ssl.conf
[3/21]: disabling nss.conf
[4/21]: configuring mod_ssl certificate paths
[5/21]: setting mod_ssl protocol list
[6/21]: configuring mod_ssl log directory
[7/21]: disabling mod_ssl OCSP
[8/21]: adding URL rewriting rules
[9/21]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf
[10/21]: setting up httpd keytab
[11/21]: configuring Gssproxy
[12/21]: setting up ssl
[13/21]: configure certmonger for renewals
[14/21]: publish CA cert
[15/21]: clean up any existing httpd ccaches
[16/21]: configuring SELinux for httpd
[17/21]: create KDC proxy config
[18/21]: enable KDC proxy
[19/21]: starting httpd
[20/21]: configuring httpd to start on boot
[21/21]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd
[1/2]: starting ipa-otpd
[2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa.citizix.com' as master peer.
Configuring ipa-custodia
[1/4]: Generating ipa-custodia config file
[2/4]: Generating ipa-custodia keys
[3/4]: starting ipa-custodia
[4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)
[1/2]: configure certmonger for renewals
[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)
[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/10]: stopping directory server
[2/10]: saving configuration
[3/10]: disabling listeners
[4/10]: enabling DS global lock
[5/10]: disabling Schema Compat
[6/10]: starting directory server
[7/10]: upgrading server
[8/10]: stopping directory server
[9/10]: restoring configuration
[10/10]: starting directory server
Done.
Finalize replication settings
Restarting the KDC
WARNING: The CA service is only installed on one server (ipa.citizix.com).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.
The ipa-replica-install command was successful
After finishing to setup replication normally, it’s possbile to find existing user accounts or add new accounts on Replication Host.
First, obtain the kerberos ticket:
$ kinit admin
Password for admin@IPA.CITIZIX.COM:
Then find users:
$ ipa user-find
---------------
3 users matched
---------------
User login: admin
Last name: Administrator
Home directory: /home/admin
Login shell: /bin/bash
Principal alias: admin@IPA.CITIZIX.COM, root@IPA.CITIZIX.COM
UID: 1063800000
GID: 1063800000
Account disabled: False
User login: etowett
First name: Eutychus
Last name: Towett
Home directory: /home/etowett
Login shell: /bin/bash
Principal name: etowett@IPA.CITIZIX.COM
Principal alias: etowett@IPA.CITIZIX.COM
Email address: etowett@citizix.com
UID: 1063800001
GID: 1063800001
Account disabled: False
User login: kip
First name: Kipkoech
Last name: Towett
Home directory: /home/kip
Login shell: /bin/bash
Principal name: kip@IPA.CITIZIX.COM
Principal alias: kip@IPA.CITIZIX.COM
Email address: kip@citizix.com
UID: 1063800003
GID: 1063800003
Account disabled: False
----------------------------
Number of entries returned 3
----------------------------
9. Removing FreeIPA replica
To remove FreeIPA, first, uninstall it on the on the server using:
# ipa-server-install --uninstall
Then delete the server from the ipaservers group:
# ipa-replica-manage del ipa-replica.citizix.com --force
# ipa hostgroup-remove-member ipaservers --hosts ipa-replica.citizix.com
We have successfully managed a FreeIPA replica in this guide.