CentOS Stream 8
Sponsored Link

FreeIPA : Replication Setting2021/03/11

Configure FreeIPA Replication.
This example is based on the environment like follows.
+----------------------+          |          +----------------------+
| [  FreeIPA Master ]  | || [  FreeIPA Replica ] |
|  dlp.ipa.srv.world   +----------+----------+ node01.ipa.srv.world |
|                      |                     |                      |
+----------------------+                     +----------------------+

[2] On FreeIPA Master Host, Add a replication Host to [ipaservers] group.
Furthermore, it needs to resolve Address Resolution on Master Host and Replica Host.
If you are using FreeIPA integrated DNS but not set reverse zone, Configure like follows.
[root@dlp ~]#
ipa hostgroup-add-member ipaservers --hosts node01.ipa.srv.world

  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: dlp.ipa.srv.world, node01.ipa.srv.world
Number of members added 1

# if not set reverse zone yet on integrated DNS, set it

# example below is for [] network

[root@dlp ~]#
ipa dnszone-add 0.0.10.in-addr.arpa
# add PTR record in reverse zone

[root@dlp ~]#
ipa dnsrecord-add 0.0.10.in-addr.arpa 30 --ptr-rec dlp.ipa.srv.world.

[root@dlp ~]#
ipa dnsrecord-add 0.0.10.in-addr.arpa 51 --ptr-rec node01.ipa.srv.world.
# if firewalld is running, allow services

[root@dlp ~]#
firewall-cmd --add-service=freeipa-replication --permanent

[root@dlp ~]#
firewall-cmd --reload

[3] Configure on Replication Server Host.
# if firewalld is running, allow services

[root@node01 ~]#
firewall-cmd --add-service={freeipa-ldap,freeipa-ldaps,dns,ntp,freeipa-replication} --permanent

[root@node01 ~]#
firewall-cmd --reload

[root@node01 ~]#
dnf module -y install idm:DL1/dns
# setup replication

# if set DNS forwarder, specify [--forwarder=xxx.xxx.xxx.xxx]

[root@node01 ~]#
ipa-replica-install --setup-ca --setup-dns --no-forwarders

Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/38]: creating directory server instance
  [2/38]: tune ldbm plugin
  [3/38]: adding default schema

  [6/7]: creating replica keys
  [7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is empty
You can use 'dnsconfig-mod' command to set global DNS options that
would override settings in local named.conf files

The ipa-replica-install command was successful
[4] After finishing to setup replication normally, it's possible to find existing user accounts or add new accounts on Replication Host.
[root@node01 ~]#
kinit admin

Password for admin@IPA.SRV.WORLD:
[root@node01 ~]#
ipa user-find

5 users matched
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin@IPA.SRV.WORLD, root@IPA.SRV.WORLD
  UID: 1611800000
  GID: 1611800000
  Account disabled: False

  User login: cent
  First name: CentOS
  Last name: Linux
  Home directory: /home/cent
  Login shell: /bin/sh
  Principal name: cent@IPA.SRV.WORLD
  Principal alias: cent@IPA.SRV.WORLD
  Email address: cent@ipa.srv.world
  UID: 1611800001
  GID: 1611800001
  Account disabled: False
Matched Content