Chapter 20. Preparing the system for an IdM replica installation
Verify system requirements and authorization for Identity Management (IdM) replica installation to ensure successful deployment and prevent installation failures.
- Ensure the target system meets the general requirements for IdM server installation.
- Ensure the target system meets the additional version requirements for IdM replica installation.
- Authorize the target system for enrollment into the IdM domain.
20.1. Replica version requirements
Identity Management (IdM) replicas must run compatible RHEL and IdM versions to maintain proper configuration replication across the topology.
IdM replicas must run the same major version of RHEL and the same or later version of IdM as other IdM servers. This ensures that configuration can be properly copied from the server to the replica.
20.2. Displaying the IdM software version
Display the Identity Management (IdM) software version using the IdM WebUI, command-line tools, or package management to verify compatibility and track updates.
Procedure
- In the IdM WebUI, choose About from the username menu at the upper-right to display the software version.
- From the command line, use the ipa --version command:

```
[root@server ~]# ipa --version
VERSION: 4.8.0, API_VERSION: 2.233
```

- If IdM services are not operating properly, use the rpm utility to determine the version number of the ipa-server package that is currently installed:

```
[root@server ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
```
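The version rule from section 20.1 (same major RHEL release, same or later IdM version on the replica) is easy to get wrong when a fleet is patched unevenly, so a pre-flight script that compares the two systems before ipa-replica-install is run is worth having. The following POSIX shell script is an added example and is not part of the Red Hat documentation or of the IdM project; it parses the ipa --version line shown above and the VERSION_ID field of /etc/os-release (assumed to be the source of the RHEL release number), with both outputs embedded as constructed samples so that it runs offline.

```shell
#!/bin/sh
# Added example (not Red Hat or IdM project code): pre-flight version
# comparison between an existing IdM server and a replica candidate.
# Rule from the documentation: the replica must run the same major RHEL
# version and the same or a later IdM version than the server.

# Extract "4.8.0" from an "ipa --version" line such as
# "VERSION: 4.8.0, API_VERSION: 2.233".
ipa_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^VERSION: \([0-9][0-9.]*\),.*/\1/p'
}

# Extract the major release ("8") from /etc/os-release text that contains
# a line such as VERSION_ID="8.1". (Assumption: the file is the source of
# the RHEL release number on the hosts being compared.)
rhel_major_from_os_release() {
    printf '%s\n' "$1" | sed -n 's/^VERSION_ID="\([0-9]*\).*/\1/p'
}

# Compare two dotted version strings numerically, component by component.
# Prints lt, eq or gt. Missing trailing components count as 0, so
# "4.8" equals "4.8.0".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print "lt"; exit }
            if (p > q) { print "gt"; exit }
        }
        print "eq"
    }'
}

# Return 0 when the candidate satisfies the replica version requirements:
#   replica_version_ok SERVER_IPA_VER REPLICA_IPA_VER SERVER_RHEL REPLICA_RHEL
replica_version_ok() {
    server_ver="$1"; replica_ver="$2"; server_rhel="$3"; replica_rhel="$4"
    # Same major RHEL release is mandatory.
    [ "${server_rhel%%.*}" = "${replica_rhel%%.*}" ] || return 1
    # The replica may never run an older IdM version than the server.
    case "$(vercmp "$replica_ver" "$server_ver")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample outputs. The server line is the one shown in the
# documentation; the replica values are made up for the demonstration.
SERVER_IPA_OUTPUT='VERSION: 4.8.0, API_VERSION: 2.233'
REPLICA_IPA_OUTPUT='VERSION: 4.8.7, API_VERSION: 2.239'
SERVER_OS_RELEASE='NAME="Red Hat Enterprise Linux"
VERSION_ID="8.1"'
REPLICA_OS_RELEASE='NAME="Red Hat Enterprise Linux"
VERSION_ID="8.3"'

server_ver=$(ipa_version_from_output "$SERVER_IPA_OUTPUT")
replica_ver=$(ipa_version_from_output "$REPLICA_IPA_OUTPUT")
server_rhel=$(rhel_major_from_os_release "$SERVER_OS_RELEASE")
replica_rhel=$(rhel_major_from_os_release "$REPLICA_OS_RELEASE")

if replica_version_ok "$server_ver" "$replica_ver" "$server_rhel" "$replica_rhel"; then
    echo "OK: replica IdM $replica_ver on RHEL $replica_rhel can join server IdM $server_ver on RHEL $server_rhel"
else
    echo "STOP: replica IdM $replica_ver on RHEL $replica_rhel does not meet the requirements of server IdM $server_ver on RHEL $server_rhel"
fi
```

On real hosts, feed the functions the output of ipa --version and the contents of /etc/os-release collected from each machine; the script deliberately rejects a replica that is one IdM release behind the server, since that is the direction in which configuration replication breaks.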
20.3. Authorizing the installation of a replica on an IdM client
Authorize Identity Management (IdM) replica installation on an existing client system. You can promote a configured host to a replica to expand the domain’s capacity and ensure high availability for authentication services.
Choose Method 1 or Method 2 to authorize the installation:
Method 1 uses a two-step authorization to separate duties or automate the process. A senior administrator adds the client to the ipaservers host group, granting the machine elevated privileges. A junior administrator or automation script can then successfully run the ipa-replica-install utility on the host.
Method 2 uses direct authorization during the installation. You authorize the replica enrollment by providing the credentials of an IdM user with administrative privileges, either interactively or via an active Kerberos ticket.
When installing an IdM replica, the system verifies if the provided Kerberos principal has the required privileges, which includes checking for user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.
Procedure
Method 1: By using the ipaservers host group
- Log in to any IdM host as IdM admin:

```
$ kinit admin
```

- Add the client machine to the ipaservers host group:

```
$ ipa hostgroup-add-member ipaservers --hosts <client_hostname>
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, client.example.com
-------------------------
Number of members added 1
-------------------------
```

Note: Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore, you can deploy a replica using the credentials of an AD administrator configured to act as an IdM administrator.
Method 2: By using a privileged user’s credentials
Choose one of the following methods to authorize the replica installation by providing a privileged user’s credentials:
- Let IdM prompt you for the credentials interactively after you start the ipa-replica-install utility. This is the default behavior. Log in to the client as a privileged user immediately before running the ipa-replica-install utility. The default privileged user is admin:

```
$ kinit admin
```
20.4. Authorizing the installation of a replica on a system that is not enrolled into IdM
Authorize Identity Management (IdM) replica installation on a system that is not yet enrolled in the domain. You can pre-configure the host and provide the credentials required to join the system to the realm as a replica.
Choose Method 1 or Method 2 to authorize the installation:
Method 1 uses a two-step authorization that you can use to separate duties or automate the process. A senior system administrator adds the external system as an IdM host and generates a random one-time password (OTP). A junior administrator or automation script then uses the OTP to enroll the replica.
Method 2 uses direct authorization during the installation. You authorize the replica enrollment by providing the credentials of an IdM user with administrative privileges.
When installing an IdM replica, the system verifies if the provided Kerberos principal has the required privileges, which includes checking for user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.
Procedure
Method 1: By using a random password generated on an IdM server
- Log in as the administrator on any server in the domain:

```
$ kinit admin
```

- Add the external system as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the subsequent replica installation.

```
$ ipa host-add replica.example.com --random
--------------------------------------------------
Added host "replica.example.com"
--------------------------------------------------
  Host name: replica.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com
```

The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.

- Add the system to the ipaservers host group.

```
$ ipa hostgroup-add-member ipaservers --hosts replica.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, replica.example.com
-------------------------
Number of members added 1
-------------------------
```

Note: Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore a junior system administrator can successfully run the ipa-replica-install utility on the host by providing the generated random password.

Method 2: By using a privileged user’s credentials
The default privileged user is admin. No action is required prior to running the IdM replica installation utility. Add the principal name and password options (--principal admin --admin-password password) to the ipa-replica-install command directly during the installation.
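Method 1 in sections 20.3 and 20.4 splits the work between a senior administrator, who generates the host entry and adds it to ipaservers, and a junior administrator or automation script, which only has to run ipa-replica-install. Two small pieces of plumbing make that hand-off robust: capturing the one-time password from the ipa host-add --random listing without echoing it, and a pre-flight check on the target host that the ipaservers membership is really in place before the installer is started. The POSIX shell script below is an added example and is not part of the Red Hat documentation or of the IdM project; it assumes that ipa hostgroup-show ipaservers prints the same "Member hosts:" line as the ipa hostgroup-add-member listing on this page, and the command outputs are embedded as constructed samples in that format so the script runs offline.

```shell
#!/bin/sh
# Added example (not Red Hat or IdM project code): helpers for the two-step
# replica authorization described in sections 20.3 and 20.4.

# Senior-administrator side: extract the one-time password from the output
# of "ipa host-add <fqdn> --random". The value is returned, not printed,
# so the caller decides how it is handed over (for example written to a
# file readable only by the enrolling account).
otp_from_host_add() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Random password: \(.*\)$/\1/p'
}

# Confirm that the host entry created is the one that was requested.
hostname_from_host_add() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Host name: \(.*\)$/\1/p'
}

# Junior-administrator side: return 0 if <fqdn> appears on the
# "Member hosts:" line of hostgroup output (as printed by
# ipa hostgroup-show or ipa hostgroup-add-member), otherwise 1.
# Names are compared exactly, so "replica.example.com.evil" never matches.
host_in_group_output() {
    fqdn="$1"; output="$2"
    members=$(printf '%s\n' "$output" | sed -n 's/^[[:space:]]*Member hosts: //p')
    for m in $(printf '%s\n' "$members" | tr ',' ' '); do
        [ "$m" = "$fqdn" ] && return 0
    done
    return 1
}

# Pre-flight wrapper: returns 0 only when the target host is a member of
# ipaservers, the condition under which a junior administrator's
# ipa-replica-install run is authorized.
replica_preflight() {
    fqdn="$1"; hostgroup_output="$2"
    if host_in_group_output "$fqdn" "$hostgroup_output"; then
        echo "OK: $fqdn is a member of ipaservers; ipa-replica-install is authorized"
        return 0
    fi
    echo "STOP: $fqdn is not a member of ipaservers; ask a senior administrator to add it first" >&2
    return 1
}

# Constructed sample outputs, in the format of the listings on this page.
HOST_ADD_OUTPUT='--------------------------------------------------
Added host "replica.example.com"
--------------------------------------------------
  Host name: replica.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com'

HOSTGROUP_OUTPUT='  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, replica.example.com'

# Senior side: keep the OTP out of logs; only confirm that one was captured
# and that it belongs to the intended host.
otp=$(otp_from_host_add "$HOST_ADD_OUTPUT")
added=$(hostname_from_host_add "$HOST_ADD_OUTPUT")
if [ -n "$otp" ] && [ "$added" = "replica.example.com" ]; then
    echo "captured one-time password for $added (${#otp} characters, not shown)"
fi

# Junior side: the pre-flight check for the host that is about to be promoted.
replica_preflight replica.example.com "$HOSTGROUP_OUTPUT" || true
replica_preflight client.example.com "$HOSTGROUP_OUTPUT" || true
```

On a real deployment the senior administrator's script would run ipa host-add and ipa hostgroup-add-member and pass their output to these functions, and the junior administrator would feed the output of ipa hostgroup-show ipaservers to replica_preflight before invoking ipa-replica-install with the password, exactly as the procedure above describes. Because the one-time password is invalidated on first use and replaced by the host keytab, the only value the wrapper ever records is whether an OTP was captured, never the OTP itself.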