4.5. Alternate Options for Creating a Replica
Much of the core configuration of the replica is identical to that of the server from which it was created, such as the realm name and directory settings. However, while the settings need to match, it is not required that a replica manage the same services as the server. This is true for major services (DNS and CAs) and for minor services (NTP and OpenSSH).
The difference settings can be defined in the
ipa-replica-prepare
command or in the ipa-replica-install
command.
4.5.1. Different DNS Settings
For DNS, the
ipa-replica-prepare
command can be used to configure DNS settings specific to the replica, meaning its IP address and reverse zone. For example:
[root@server ~]# ipa-replica-prepare ipareplica.example.com --ip-address=192.68.0.0 --no-reverse
If the server does not host any DNS services, then the replica can be set up to host DNS services for the Identity Management domain. As with installing a server, this is done with the
--setup-dns
option, and then settings for forward and reverse zones. For example, to configure DNS services for the replica with no forwarders and using an existing reverse zone:
[root@server ~]# ipa-replica-install ipareplica.example.com --setup-dns --no-forwarders --no-reverse --no-host-dns ...
The DNS options are described in the
ipa-replica-prepare
and ipa-replica-install
manpages.
4.5.2. Different CA Settings
The CA configuration of the replica must echo the CA configuration of the server. If the server is configured with an integrated Dogtag Certificate System instance (regardless of whether it is a root CA or whether it is subordinate to an external CA), then the replica can either create its own integrated CA which is subordinate to the server CA or it can forgo having a CA at all, and forward all requests to the server's CA.
If the replica will have its own CA, then it uses the
--setup-ca
option. The rest of the configuration is taken from the server's configuration.
[root@ipareplica ~]# ipa-replica-install ipareplica.example.com --setup-ca ...
However, if the server was installed without any CA at all, then is nowhere to forward certificate opterations — including the ability to request certificates for the new replica instance. All of the certificates for the replica, as with the server, must be requested and retrieved before installing the replica and then submitted with the installation command. The only exception is the root CA certificate; this is retrieved from the server as part of the replica setup.
[root@ipareplica ~]# ipa-replica-install ipareplica.example.com --dirsrv_pkcs12=/tmp/dirsrv-cert.p12 --dirsrv_pin=secret1 --http_pkcs12=/tmp/http-cert.p12 --http_pin=secret2 ...
4.5.3. Different Services
There are three support services that are installed on both servers and replicas by default: NTP, OpenSS client, and OpenSSH server. Any or all of this can be disabled on a replica. For example:
[root@server ~]# ipa-replica-install ... --no-ntp --no-ssh --no-sshd ...