Red Hat SummitChapter 20. Preparing the system for an IdM replica installation
The following links list the requirements to install an Identity Management (IdM) replica. Before the installation, make sure your system meets these requirements.
- Ensure the target system meets the general requirements for IdM server installation.
- Ensure the target system meets the additional, version requirements for IdM replica installation.
- Optional: If you are adding a RHEL 9 Identity Management (IdM) replica on which FIPS mode is enabled to a RHEL 8 IdM deployment in FIPS mode, ensure that the replica has the correct encryption types enabled.
Authorize the target system for enrollment into the IdM domain. For more information, see one of the following sections that best fits your needs:
Additional resources
20.1. Replica version requirements
An IdM replica must be running the same or later version of IdM as other servers. For example:
- You have an IdM server installed on Red Hat Enterprise Linux 9 and it uses IdM 4.x packages.
- You must install the replica also on Red Hat Enterprise Linux 9 and use IdM version 4.x or later.
This ensures that configuration can be properly copied from the server to the replica.
For details on how to display the IdM software version, see Methods for displaying IdM software version.
20.2. Methods for displaying IdM software version
You can display the IdM version number with:
- The IdM WebUI
-
ipacommands -
rpmcommands
- Displaying version through the WebUI
In the IdM WebUI, the software version can be displayed by choosing
Aboutfrom the username menu at the upper-right.
- Displaying version with
ipacommands From the command line, use the
ipa --versioncommand.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa --version
[root@server ~]# ipa --version VERSION: 4.8.0, API_VERSION: 2.233- Displaying version with
rpmcommands If IdM services are not operating properly, you can use the
rpmutility to determine the version number of theipa-serverpackage that is currently installed.Copy to Clipboard Copied! Toggle word wrap Toggle overflow rpm -q ipa-server
[root@server ~]# rpm -q ipa-server ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
20.3. Ensuring FIPS compliance for a RHEL 9 replica joining a RHEL 8 IdM environment
If RHEL Identity Management (IdM) was originally installed on a RHEL 8.6 or earlier system, then the AES HMAC-SHA1 encryption types it uses are not supported by RHEL 9 in FIPS mode by default. To add a RHEL 9 replica in FIPS mode to the deployment, you must enable these encryption keys on the RHEL 9. For more information, see the AD Domain Users unable to login in to the FIPS-compliant environment KCS solution.
20.4. Authorizing the installation of a replica on an IdM client
When installing a replica on an existing Identity Management (IdM) client by running the ipa-replica-install utility, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:
- You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
- You want to automate your replica installation.
As of RHEL 9.5, during the installation of an IdM replica, checking if the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.
- Method 1: the
ipaservershost group Log in to any IdM host as IdM admin:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow kinit admin
$ kinit adminAdd the client machine to the
ipaservershost group:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa hostgroup-add-member ipaservers --hosts client.idm.example.com
$ ipa hostgroup-add-member ipaservers --hosts client.idm.example.com Host-group: ipaservers Description: IPA server hosts Member hosts: server.idm.example.com, client.idm.example.com ------------------------- Number of members added 1 -------------------------
NoteMembership in the
ipaserversgroup grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, theipa-replica-installutility can be run on the host successfully by a junior system administrator.- Method 2: a privileged user’s credentials
Choose one of the following methods to authorize the replica installation by providing a privileged user’s credentials:
-
Let Identity Management (IdM) prompt you for the credentials interactively after you start the
ipa-replica-installutility. This is the default behavior. Log in to the client as a privileged user immediately before running the
ipa-replica-installutility. The default privileged user isadmin:Copy to Clipboard Copied! Toggle word wrap Toggle overflow kinit admin
$ kinit admin
-
Let Identity Management (IdM) prompt you for the credentials interactively after you start the
Additional resources
- To start the installation procedure, see Installing an IdM replica.
- You can use an Ansible playbook to install IdM replicas. For more information, see Installing an Identity Management replica using an Ansible playbook.
20.5. Authorizing the installation of a replica on a system that is not enrolled into IdM
When installing a replica on a system that is not enrolled in the Identity Management (IdM) domain, the ipa-replica-install utility first enrolls the system as a client and then installs the replica components. For this scenario, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:
- You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
- You want to automate your replica installation.
As of RHEL 9.5, during the installation of an IdM replica, checking if the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.
- Method 1: a random password generated on an IdM server
Enter the following commands on any server in the domain:
Log in as the administrator.
Copy to Clipboard Copied! Toggle word wrap Toggle overflow kinit admin
$ kinit adminAdd the external system as an IdM host. Use the
--randomoption with theipa host-addcommand to generate a random one-time password to be used for the subsequent replica installation.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa host-add replica.example.com --random
$ ipa host-add replica.example.com --random -------------------------------------------------- Added host "replica.example.com" -------------------------------------------------- Host name: replica.example.com Random password: W5YpARl=7M.n Password: True Keytab: False Managed by: server.example.comThe generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.
Add the system to the
ipaservershost group.Copy to Clipboard Copied! Toggle word wrap Toggle overflow ipa hostgroup-add-member ipaservers --hosts replica.example.com
$ ipa hostgroup-add-member ipaservers --hosts replica.example.com Host-group: ipaservers Description: IPA server hosts Member hosts: server.example.com, replica.example.com ------------------------- Number of members added 1 -------------------------
NoteMembership in the
ipaserversgroup grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, theipa-replica-installutility can be run on the host successfully by a junior system administrator that provides the generated random password.- Method 2: a privileged user’s credentials
Using this method, you authorize the replica installation by providing a privileged user’s credentials. The default privileged user is
admin.No action is required prior to running the IdM replica installation utility. Add the principal name and password options (
--principal admin --admin-password password) to theipa-replica-installcommand directly during the installation.
Additional resources
- To start the installation procedure, see Installing an IdM replica.
- You can use an Ansible playbook to install IdM replicas. For more information, see Installing an Identity Management replica using an Ansible playbook.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}