
Chapter 21. Installing an IdM replica

Deploy Identity Management (IdM) replicas to ensure high availability and distribute authentication services. Install replicas interactively by using the command line to copy existing server configurations.

Note

See Installing an Identity Management server using an Ansible playbook. Use Ansible roles to consistently install and customize multiple replicas.

Interactive and non-interactive methods that do not use Ansible are useful in topologies where, for example, the replica preparation is delegated to a user or a third party. You can also use these methods in geographically distributed topologies where you do not have access from the Ansible controller node.

21.1. Prerequisites

  • You are installing one IdM replica at a time. The installation of multiple replicas at the same time is not supported.
  • Ensure your system is prepared for IdM replica installation.

    Important

    If this preparation is not performed, installing an IdM replica will fail.

21.2. Installing an IdM replica with integrated DNS and a CA

Install Identity Management (IdM) replicas with integrated DNS and a certificate authority (CA) to provide service redundancy and improve infrastructure resilience.

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server
    • --forwarder to specify a per-server forwarder, or --no-forwarder if you do not want to use any per-server forwarders. To specify multiple per-server forwarders for failover reasons, use --forwarder multiple times.

      Note

      The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

    • --setup-ca to include a CA on the replica

    For example, to set up a replica with an integrated DNS server and a CA that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1 --setup-ca
  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you install an IdM DNS server.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.3. Installing an IdM replica with integrated DNS and no CA

Install Identity Management (IdM) replicas with integrated DNS but without a certificate authority (CA) component. You can provide local DNS services while you centralize certificate management on other existing IdM servers in the realm.

Note

In contrast, when installing a replica with integrated DNS and without a CA in a CA-less IdM environment, you must specify certificate files using additional options, specifically:

  • --dirsrv-cert-file
  • --dirsrv-pin
  • --http-cert-file
  • --http-pin

You must also specify one of the following options:

  • --no-pkinit
  • --pkinit-cert-file and --pkinit-pin

For example:

ipa-replica-install --setup-dns --forwarder 192.0.2.1 --dirsrv-cert-file /tmp/server.crt --dirsrv-cert-file /tmp/server.key --dirsrv-pin secret --http-cert-file /tmp/server.crt --http-cert-file /tmp/server.key --http-pin secret --no-pkinit

For details about the files, see Certificates required to install an IdM server without a CA.

Prerequisites

Procedure

  1. Enter ipa-replica-install with these options:

    • --setup-dns to configure the replica as a DNS server
    • --forwarder to specify a per-server forwarder, or --no-forwarder if you do not want to use any per-server forwarders. To specify multiple per-server forwarders for failover reasons, use --forwarder multiple times.

    For example, to set up a replica with an integrated DNS server that forwards all DNS requests not managed by the IdM servers to the DNS server running on IP 192.0.2.1:

    # ipa-replica-install --setup-dns --forwarder 192.0.2.1
    Note

    The ipa-replica-install utility accepts a number of other options related to DNS settings, such as --no-reverse or --no-host-dns. For more information about them, see the ipa-replica-install(1) man page.

  2. After the installation completes, add a DNS delegation from the parent domain to the IdM DNS domain. For example, if the IdM DNS domain is idm.example.com, add a name server (NS) record to the example.com parent domain.

    Important

    Repeat this step each time after you install an IdM DNS server.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.4. Installing an IdM replica without integrated DNS and with a CA

Install Identity Management (IdM) replicas with a certificate authority (CA) but without integrated DNS to provide certificate services while using an external DNS infrastructure.

Important

When configuring a replica with a CA, the CA configuration of the replica must mirror the CA configuration of the other server.

For example, if the server includes an integrated IdM CA as the root CA, the new replica must also be installed with an integrated CA as the root CA. No other CA configuration is available in this case.

Including the --setup-ca option in the ipa-replica-install command copies the CA configuration of the initial server.

Prerequisites

Procedure

  1. Enter ipa-replica-install with the --setup-ca option.

    # ipa-replica-install --setup-ca
  2. Add the newly created IdM DNS service records to your DNS server:

    1. Export the IdM DNS service records into a file in the nsupdate format:

      $ ipa dns-update-system-records --dry-run --out dns_records_file.nsupdate
    2. Submit a DNS update request to your DNS server using the nsupdate utility and the dns_records_file.nsupdate file. For more information, see Updating External DNS Records Using nsupdate in RHEL 7 documentation. Alternatively, refer to your DNS server documentation for adding DNS records.
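Before handing the exported file to nsupdate, it is worth checking that every record it carries belongs to the IdM DNS zone and that the SRV records point at the server you just installed, since a dynamic update is applied by the external DNS server exactly as written. The following script is an added example and is not part of the Red Hat documentation or the ipa tooling; it parses "update add ..." lines of the kind the --dry-run --out file contains. The sample file, the zone idm.example.com and the host replica1.idm.example.com are constructed for the example.

```python
"""Review an nsupdate-format file before submitting it to an external DNS server."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample, shaped like the "update add ..." lines in the exported
# file; the zone, host name and TTL are made up for this example.
SAMPLE_NSUPDATE = """\
update add _ldap._tcp.idm.example.com. 86400 IN SRV 0 100 389 replica1.idm.example.com.
update add _kerberos._tcp.idm.example.com. 86400 IN SRV 0 100 88 replica1.idm.example.com.
update add _kerberos._udp.idm.example.com. 86400 IN SRV 0 100 88 replica1.idm.example.com.
update add _kerberos-master._tcp.idm.example.com. 86400 IN SRV 0 100 88 replica1.idm.example.com.
update add _kpasswd._tcp.idm.example.com. 86400 IN SRV 0 100 464 replica1.idm.example.com.
update add _kerberos.idm.example.com. 86400 IN TXT "IDM.EXAMPLE.COM"
send
"""


@dataclass
class Record:
    action: str   # "add" or "delete"
    owner: str    # fully qualified owner name, lower-cased
    ttl: int      # 0 when the line carries no TTL (typical for delete lines)
    rtype: str    # record type, upper-cased
    rdata: str    # remainder of the line, e.g. "0 100 389 replica1.idm.example.com."


# update <add|delete> <owner> [ttl] [IN] <type> [rdata]
LINE_RE = re.compile(
    r"^update\s+(add|delete)\s+(\S+)(?:\s+(\d+))?\s+(?:IN\s+)?([A-Za-z]+)(?:\s+(.*))?$"
)


def parse_nsupdate(text: str) -> List[Record]:
    """Parse the update lines; "send"/"show" and blank lines are skipped.
    Any other line shape is rejected rather than silently passed through."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() in ("send", "show"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised nsupdate line: {line!r}")
        action, owner, ttl, rtype, rdata = m.groups()
        records.append(Record(action, owner.lower(), int(ttl or 0),
                              rtype.upper(), (rdata or "").strip()))
    return records


def owners_outside_zone(records: List[Record], zone: str) -> List[str]:
    """Owner names that are not the zone apex or a name below it."""
    z = zone.lower().rstrip(".") + "."
    return [r.owner for r in records
            if r.owner != z and not r.owner.endswith("." + z)]


def srv_targets(records: List[Record]) -> Set[str]:
    """Distinct target host names of all SRV records (last rdata field)."""
    return {r.rdata.split()[-1] for r in records if r.rtype == "SRV" and r.rdata}


def review(text: str, zone: str) -> dict:
    """Summary an operator can eyeball before running nsupdate."""
    records = parse_nsupdate(text)
    return {
        "records": len(records),
        "deletes": sum(1 for r in records if r.action == "delete"),
        "outside_zone": owners_outside_zone(records, zone),
        "srv_targets": sorted(srv_targets(records)),
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_NSUPDATE
    print(review(data, zone="idm.example.com"))
```

Run it as `python review_nsupdate.py dns_records_file.nsupdate` and refuse to submit the file if `outside_zone` is non-empty or `srv_targets` lists a host you did not expect.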

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.5. Installing an IdM replica without integrated DNS and without a CA

Install Identity Management (IdM) replicas without integrated DNS or a certificate authority (CA) component by providing the required certificates manually. You can extend a CA-less deployment and maintain architectural consistency with other IdM servers that rely on external certificate providers.

Important

You cannot install a server or replica using self-signed third-party server certificates because the imported certificate files must contain the full CA certificate chain of the CA that issued the LDAP and Apache server certificates.

Prerequisites

Procedure

  • Enter ipa-replica-install, and provide the required certificate files by adding these options:

    • --dirsrv-cert-file
    • --dirsrv-pin
    • --http-cert-file
    • --http-pin

    Additionally, you must specify either --no-pkinit or both --pkinit-cert-file and --pkinit-pin.

    For details about the files that are provided using these options, see Certificates required to install an IdM server without a CA.

    For example:

    # ipa-replica-install \
        --dirsrv-cert-file /tmp/server.crt \
        --dirsrv-cert-file /tmp/server.key \
        --dirsrv-pin secret \
        --http-cert-file /tmp/server.crt \
        --http-cert-file /tmp/server.key \
        --http-pin secret \
        --no-pkinit
    Note

    Do not add the --ca-cert-file option. The ipa-replica-install utility takes this part of the certificate information automatically from the first server you installed.

Next steps

  • In large deployments, you might want to tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.

21.6. Installing an IdM hidden replica

Install an Identity Management (IdM) hidden replica to provide a dedicated resource for administrative tasks or backups without impacting client traffic. You can enhance service stability and protect performance by isolating heavy workloads on a replica that remains invisible to automated client discovery.

A hidden (unadvertised) replica is an IdM server that has all services running and available. However, it has no SRV records in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect these hidden replicas.

For further details about hidden replicas, see The hidden replica mode.

Prerequisites

Procedure

  • To install a hidden replica, use the following command:

    ipa-replica-install --hidden-replica

    Note that the command installs a replica without DNS SRV records and with disabled LDAP server roles.

    You can also change the mode of an existing replica to hidden. For details, see Demoting or promoting hidden replicas.

21.7. Testing an IdM replica

Verify Identity Management (IdM) replica functionality by testing data replication across the topology to ensure proper deployment.

Procedure

  1. Create a user on the new replica:

    [admin@new_replica ~]$ ipa user-add test_user
  2. Make sure the user is visible on another replica:

    [admin@another_replica ~]$ ipa user-show test_user
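Replication between IdM servers is asynchronous, so running `ipa user-show` on the other replica immediately after `ipa user-add` can report the user as missing even though replication is healthy. The script below is an added example, not code from the Red Hat documentation or the ipa project: it wraps the two commands above in a poll with a timeout, so that a test run on another_replica distinguishes "not replicated yet" from "never arrived". It assumes an enrolled host with a valid admin Kerberos ticket; the `runner`, `clock` and `sleep` parameters are hypothetical injection points that let the logic be exercised without a real IdM server.

```python
"""Check that an entry created on one replica becomes visible on another."""
import subprocess
import sys
import time
from typing import Callable, Tuple


def ipa_user_visible(user: str, runner: Callable = subprocess.run) -> bool:
    """True when `ipa user-show <user>` succeeds on this host.
    A non-zero exit status means the entry is not (yet) visible here or the
    command itself failed; both are treated as "keep waiting"."""
    proc = runner(["ipa", "user-show", user], capture_output=True, text=True)
    return proc.returncode == 0


def wait_for_entry(check: Callable[[], bool], timeout: float = 60.0,
                   interval: float = 2.0, clock: Callable[[], float] = time.monotonic,
                   sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, int]:
    """Poll check() until it returns True or `timeout` seconds have elapsed.
    Returns (replicated, attempts) so the caller can report how long it took."""
    start = clock()
    attempts = 0
    while True:
        attempts += 1
        if check():
            return True, attempts
        if clock() - start >= timeout:
            return False, attempts
        sleep(interval)


def verify_replication(user: str, timeout: float = 60.0) -> Tuple[bool, int]:
    """Run on the replica that did NOT create the user (another_replica)."""
    return wait_for_entry(lambda: ipa_user_visible(user), timeout=timeout)


if __name__ == "__main__":
    # Usage on another_replica, after `ipa user-add test_user` on new_replica:
    #   python verify_replication.py test_user
    name = sys.argv[1] if len(sys.argv) > 1 else "test_user"
    ok, tries = verify_replication(name)
    print(f"{name}: {'replicated' if ok else 'NOT visible'} after {tries} attempt(s)")
    sys.exit(0 if ok else 1)
```

A replica that never shows the entry within the timeout is a replication problem to investigate with `ipa topologysegment-find` and the directory server logs, not something to retry blindly.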

21.8. Connections performed during an IdM replica installation

Understand network operations and protocols used during Identity Management (IdM) replica installation to ensure proper network configuration and troubleshoot connectivity issues.

Table 21.1. Requests performed during an IdM replica installation

| Operation | Protocol used | Purpose |
|---|---|---|
| DNS resolution against the DNS resolvers configured on the client system | DNS | To discover the IP addresses of IdM servers |
| Requests to port 88 (TCP/TCP6 and UDP/UDP6) on the discovered IdM servers | Kerberos | To obtain a Kerberos ticket |
| JSON-RPC calls to the IdM Apache-based web-service on the discovered or configured IdM servers | HTTPS | IdM client enrollment; replica keys retrieval and certificate issuance if required |
| Requests over TCP/TCP6 to port 389 on the IdM server, using SASL GSSAPI authentication, plain LDAP, or both | LDAP | IdM client enrollment; CA certificate chain retrieval; LDAP data replication |
| Requests over TCP/TCP6 to port 22 on the IdM server | SSH | To check if the connection is working |
| (optionally) Access over port 8443 (TCP/TCP6) on the IdM servers | HTTPS | To administer the Certificate Authority on the IdM server (only during IdM server and replica installation) |
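A pre-flight check that exercises the TCP paths from Table 21.1 against an existing IdM server catches firewall problems before ipa-replica-install fails part-way through enrollment. The following script is an added example, not code from the Red Hat documentation or the ipa project. It takes the port numbers the table states (88, 389, 22 and the optional 8443); port 443 is assumed for the HTTPS JSON-RPC service, since the table names the protocol but not the port. UDP 88 is listed in the table but is not probed here, because a UDP connect never tells you whether the far end answered; the host name server.idm.example.com in the usage line is a placeholder.

```python
"""Pre-flight connectivity check for the ports used during replica installation."""
import socket
import sys
from typing import Dict, List, Tuple

# Port numbers taken from Table 21.1. Port 443 is an assumption: the table
# lists the HTTPS JSON-RPC service without a port number.
REQUIRED_TCP_PORTS: Dict[int, str] = {
    88: "Kerberos (TCP; UDP 88 is also used but is not probed here)",
    389: "LDAP (enrollment, CA chain retrieval, replication)",
    443: "HTTPS (JSON-RPC web service; port assumed)",
    22: "SSH (connection check)",
}
OPTIONAL_TCP_PORTS: Dict[int, str] = {
    8443: "HTTPS (CA administration, only during installation)",
}

# (service description, required?, reachable?)
Result = Tuple[str, bool, bool]


def resolve(host: str) -> List[str]:
    """Addresses the local resolvers return for host; [] if resolution fails.
    Mirrors the first row of the table (DNS discovery of the IdM server)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host: str, timeout: float = 3.0) -> Dict[int, Result]:
    """Probe every TCP port from the table on one existing IdM server."""
    results: Dict[int, Result] = {}
    for port, service in REQUIRED_TCP_PORTS.items():
        results[port] = (service, True, check_tcp(host, port, timeout))
    for port, service in OPTIONAL_TCP_PORTS.items():
        results[port] = (service, False, check_tcp(host, port, timeout))
    return results


def missing_required(results: Dict[int, Result]) -> List[int]:
    """Required ports that were not reachable, in ascending order."""
    return sorted(p for p, (_, required, ok) in results.items() if required and not ok)


if __name__ == "__main__":
    # Usage (placeholder host): python preflight.py server.idm.example.com
    target = sys.argv[1] if len(sys.argv) > 1 else "server.idm.example.com"
    addrs = resolve(target)
    print(f"{target} resolves to: {addrs or 'NOTHING (DNS discovery will fail)'}")
    res = preflight(target) if addrs else {}
    for port, (service, required, ok) in sorted(res.items()):
        tag = "required" if required else "optional"
        print(f"  tcp/{port:<5} {'open' if ok else 'BLOCKED':<8} {tag:<8} {service}")
    blocked = missing_required(res) if addrs else list(REQUIRED_TCP_PORTS)
    sys.exit(1 if blocked else 0)
```

Run it from the host you are about to turn into a replica, pointing at the server the installer will talk to; a non-zero exit means at least one required port is blocked on that path.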
