Chapter 20. Preparing the system for an IdM replica installation
The following sections list the requirements for installing an RHEL Identity Management (IdM) replica. Before the installation, make sure your system meets these requirements.
Authorize the target system for enrollment into the IdM domain. For more information, see Section 20.3 (replica on an existing IdM client) or Section 20.4 (replica on a system that is not yet enrolled), whichever fits your situation.
20.1. Replica version requirements
IdM replicas must be running the same major version of RHEL and the same or later version of IdM as other IdM servers. This ensures that configuration can be properly copied from the server to the replica.
20.2. Methods for displaying IdM software version
You can display the IdM version number with:
- the IdM WebUI
- ipa commands
- rpm commands

Displaying the version through the WebUI
In the IdM WebUI, display the software version by choosing About from the username menu at the upper right.

Displaying the version with ipa commands
From the command line, use the ipa --version command:

[root@server ~]# ipa --version
VERSION: 4.8.0, API_VERSION: 2.233

Displaying the version with rpm commands
If IdM services are not operating properly, use the rpm utility to determine the version number of the ipa-server package that is currently installed:

[root@server ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
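The following shell script is an added example and is not part of the Red Hat documentation. It turns the rule from Section 20.1 into a check by parsing the output formats shown above (the VERSION line of ipa --version, the package NVR printed by rpm -q ipa-server, and a VERSION_ID line from /etc/os-release for the RHEL major version) and then comparing the existing server against the candidate replica. The function names and the sample strings fed to them are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): verify that a candidate replica
# runs the same RHEL major version and the same or later IdM version as the
# existing server, using the output formats documented in 20.2.
set -eu

# "VERSION: 4.8.0, API_VERSION: 2.233"  ->  "4.8.0"   (reads stdin)
ipa_version_from_output() {
    sed -n 's/^VERSION: \([0-9][0-9.]*\),.*/\1/p'
}

# "ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64"  ->  "4.8.0"
ipa_version_from_rpm() {
    sed -n 's/^ipa-server-\([0-9][0-9.]*\)-.*/\1/p'
}

# /etc/os-release line VERSION_ID="8.1"  ->  8
rhel_major_from_os_release() {
    sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p'
}

# Returns 0 when dotted version $1 >= dotted version $2 (numeric, per field).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0;
            bi = (i <= nb) ? y[i] + 0 : 0;
            if (ai > bi) exit 0;
            if (ai < bi) exit 1;
        }
        exit 0 }'
}

# $1 server RHEL major, $2 server IdM version,
# $3 replica RHEL major, $4 replica IdM version.
# Returns 0 when the replica satisfies both requirements from 20.1.
replica_allowed() {
    if [ "$1" != "$3" ]; then
        echo "RHEL major version differs: server $1, replica $3" >&2
        return 1
    fi
    if ! version_ge "$4" "$2"; then
        echo "replica IdM $4 is older than server IdM $2" >&2
        return 1
    fi
    return 0
}

# Constructed sample output for a stand-alone run; on real hosts pipe in the
# output of `ipa --version`, `rpm -q ipa-server` and `grep VERSION_ID /etc/os-release`.
server_ipa=$(printf 'VERSION: 4.8.0, API_VERSION: 2.233\n' | ipa_version_from_output)
replica_ipa=$(printf 'ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64\n' | ipa_version_from_rpm)
server_rhel=$(printf 'VERSION_ID="8.1"\n' | rhel_major_from_os_release)
replica_rhel=$(printf 'VERSION_ID="8.2"\n' | rhel_major_from_os_release)
replica_allowed "$server_rhel" "$server_ipa" "$replica_rhel" "$replica_ipa" \
    && echo "replica version check passed"
```

The comparison is numeric per dotted field, so 4.10.0 is correctly treated as newer than 4.9.2; only the major RHEL number is compared, which is exactly the granularity Section 20.1 requires.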
20.3. Authorizing the installation of a replica on an IdM client
When installing a replica on an existing RHEL Identity Management (IdM) client by running the ipa-replica-install utility, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:
- You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
- You want to automate your replica installation.

Method 1: the ipaservers host group
Log in to any IdM host as the IdM admin:

$ kinit admin

Add the client machine to the ipaservers host group:

$ ipa hostgroup-add-member ipaservers --hosts client.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, client.example.com
-------------------------
Number of members added 1
-------------------------

Note: Membership in the ipaservers group grants the machine elevated privileges similar to the administrator's credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator. Because the privilege comes from the membership itself, remove the host from the group again (ipa hostgroup-remove-member ipaservers --hosts client.example.com) if the replica installation is not going to proceed.

Method 2: a privileged user's credentials
Choose one of the following methods to authorize the replica installation by providing a privileged user's credentials:
- Let IdM prompt you for the credentials interactively after you start the ipa-replica-install utility. This is the default behavior.
- Log in to the client as a privileged user immediately before running the ipa-replica-install utility. The default privileged user is admin:

  $ kinit admin
20.4. Authorizing the installation of a replica on a system that is not enrolled into IdM
When installing a replica on a system that is not enrolled in the RHEL Identity Management (IdM) domain, the ipa-replica-install utility first enrolls the system as a client and then installs the replica components. For this scenario, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:
- You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
- You want to automate your replica installation.

Method 1: a random password generated on an IdM server
Enter the following commands on any server in the domain.

Log in as the administrator:

$ kinit admin

Add the external system as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the subsequent replica installation:

$ ipa host-add replica.example.com --random
--------------------------------------------------
Added host "replica.example.com"
--------------------------------------------------
  Host name: replica.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com

The generated password becomes invalid after you use it to enroll the machine into the IdM domain. It is replaced with a proper host keytab after the enrollment is finished.

Add the system to the ipaservers host group:

$ ipa hostgroup-add-member ipaservers --hosts replica.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, replica.example.com
-------------------------
Number of members added 1
-------------------------

Note: Membership in the ipaservers group grants the machine elevated privileges similar to the administrator's credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator who provides the generated random password.

Method 2: a privileged user's credentials
Using this method, you authorize the replica installation by providing a privileged user's credentials. The default privileged user is admin. No action is required prior to running the IdM replica installation utility. Add the principal name and password options (--principal admin --admin-password password) to the ipa-replica-install command directly during the installation. Keep in mind that a password given on the command line is visible in the shell history and, while the command runs, in the process list.
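The script below is an added example, not code from the Red Hat page, that automates the senior-administrator half of Method 1: for Section 20.3 it only adds an already enrolled client to ipaservers and verifies the membership, and for this section it first creates the host with a one-time password and then does the same. It assumes an admin Kerberos ticket already exists (kinit admin has been run), that the ipa client tools are on PATH, and that the host-group listing is read with ipa hostgroup-show; IPA_CMD is an assumed hook so the script can be exercised against a stub, and the parsed output formats are the ones shown in the procedure above.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): senior-admin part of Method 1
# for Sections 20.3 and 20.4. Assumes a valid admin ticket and the ipa CLI.
# IPA_CMD is an assumed hook: set it to a stub function to exercise offline.
set -eu

IPA_CMD="${IPA_CMD:-ipa}"

# Extract the one-time password from `ipa host-add ... --random` output (stdin).
extract_random_password() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Succeed only if the `ipa hostgroup-show` listing on stdin names $1 as a member.
hostgroup_has_member() {
    grep -E '^[[:space:]]*Member hosts:' \
        | tr ',' '\n' \
        | sed 's/.*: *//; s/^ *//; s/ *$//' \
        | grep -qx "$1"
}

# Section 20.3: authorize an already enrolled client by ipaservers membership,
# then confirm the membership actually took effect before handing off.
authorize_enrolled_client() {
    fqdn="$1"
    "$IPA_CMD" hostgroup-add-member ipaservers --hosts "$fqdn" >/dev/null
    "$IPA_CMD" hostgroup-show ipaservers | hostgroup_has_member "$fqdn"
}

# Section 20.4: create the host with a random OTP, authorize it, and print the
# OTP on stdout so it can be passed to the junior admin out of band.
prepare_replica_host() {
    fqdn="$1"
    otp="$("$IPA_CMD" host-add "$fqdn" --random | extract_random_password)"
    if [ -z "$otp" ]; then
        echo "no random password in host-add output for $fqdn" >&2
        return 1
    fi
    if ! authorize_enrolled_client "$fqdn"; then
        echo "$fqdn is not a member of ipaservers after hostgroup-add-member" >&2
        return 1
    fi
    printf '%s\n' "$otp"
}

# Stand-alone use: ./prepare-replica.sh replica.example.com
if [ "$#" -gt 0 ]; then
    prepare_replica_host "$1"
fi
```

The membership check after hostgroup-add-member is deliberate: the ipaservers membership is what carries the elevated privilege, so the script refuses to hand out an OTP for a host that is not actually authorized, and a host whose installation is abandoned should be removed from the group again.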