Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 20. Preparing the system for an IdM replica installation

The following links list the requirements to install an Identity Management (IdM) replica. Before the installation, make sure your system meets these requirements.

  1. Ensure the target system meets the general requirements for IdM server installation.
  2. Ensure the target system meets the additional, version requirements for IdM replica installation.
  3. Optional: If you are adding a RHEL 9 Identity Management (IdM) replica on which FIPS mode is enabled to a RHEL 8 IdM deployment in FIPS mode, ensure that the replica has the correct encryption types enabled.

  4. Authorize the target system for enrollment into the IdM domain. For more information, see one of the following sections that best fits your needs:

Additional resources

20.1. Replica version requirements
Copier lien

An IdM replica must be running the same or later version of IdM as other servers. For example:

  • You have an IdM server installed on Red Hat Enterprise Linux 9 and it uses IdM 4.x packages.
  • You must install the replica also on Red Hat Enterprise Linux 9 and use IdM version 4.x or later.

This ensures that configuration can be properly copied from the server to the replica.

For details on how to display the IdM software version, see Methods for displaying IdM software version.

20.2. Methods for displaying IdM software version
Copier lien

You can display the IdM version number with:

  • The IdM WebUI
  • ipa commands
  • rpm commands

 

Displaying version through the WebUI

In the IdM WebUI, the software version can be displayed by choosing About from the username menu at the upper-right.

Checking IdM Software Version
Displaying version with ipa commands

From the command line, use the ipa --version command. 

[root@server ~]# ipa --version
VERSION: 4.8.0, API_VERSION: 2.233
Copy to Clipboard Toggle word wrap
Displaying version with rpm commands

If IdM services are not operating properly, you can use the rpm utility to determine the version number of the ipa-server package that is currently installed. 

[root@server ~]# rpm -q ipa-server
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
Copy to Clipboard Toggle word wrap

If RHEL Identity Management (IdM) was originally installed on a RHEL 8.6 or earlier system, then the AES HMAC-SHA1 encryption types it uses are not supported by RHEL 9 in FIPS mode by default. To add a RHEL 9 replica in FIPS mode to the deployment, you must enable these encryption keys on the RHEL 9. For more information, see the AD Domain Users unable to login in to the FIPS-compliant environment KCS solution.

When installing a replica on an existing Identity Management (IdM) client by running the ipa-replica-install utility, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:

  • You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
  • You want to automate your replica installation.
Note

As of RHEL 9.5, during the installation of an IdM replica, checking if the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.

Method 1: the ipaservers host group

  1. Log in to any IdM host as IdM admin: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add the client machine to the ipaservers host group: 

    $ ipa hostgroup-add-member ipaservers --hosts client.idm.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.idm.example.com, client.idm.example.com
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap
Note

Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator.

Method 2: a privileged user’s credentials

Choose one of the following methods to authorize the replica installation by providing a privileged user’s credentials:

  • Let Identity Management (IdM) prompt you for the credentials interactively after you start the ipa-replica-install utility. This is the default behavior.

  • Log in to the client as a privileged user immediately before running the ipa-replica-install utility. The default privileged user is admin: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

When installing a replica on a system that is not enrolled in the Identity Management (IdM) domain, the ipa-replica-install utility first enrolls the system as a client and then installs the replica components. For this scenario, choose Method 1 or Method 2 below to authorize the replica installation. Choose Method 1 if one of the following applies:

  • You want a senior system administrator to perform the initial part of the procedure and a junior administrator to perform the rest.
  • You want to automate your replica installation.
Note

As of RHEL 9.5, during the installation of an IdM replica, checking if the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.

Method 1: a random password generated on an IdM server

Enter the following commands on any server in the domain:

  1. Log in as the administrator. 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Add the external system as an IdM host. Use the --random option with the ipa host-add command to generate a random one-time password to be used for the subsequent replica installation. 

    $ ipa host-add replica.example.com --random
--------------------------------------------------
Added host "replica.example.com"
--------------------------------------------------
  Host name: replica.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.example.com
    Copy to Clipboard Toggle word wrap

    The generated password will become invalid after you use it to enroll the machine into the IdM domain. It will be replaced with a proper host keytab after the enrollment is finished.

  3. Add the system to the ipaservers host group. 

    $ ipa hostgroup-add-member ipaservers --hosts replica.example.com
  Host-group: ipaservers
  Description: IPA server hosts
  Member hosts: server.example.com, replica.example.com
-------------------------
Number of members added 1
-------------------------
    Copy to Clipboard Toggle word wrap
Note

Membership in the ipaservers group grants the machine elevated privileges similar to the administrator’s credentials. Therefore, in the next step, the ipa-replica-install utility can be run on the host successfully by a junior system administrator that provides the generated random password.

Method 2: a privileged user’s credentials

Using this method, you authorize the replica installation by providing a privileged user’s credentials. The default privileged user is admin.

No action is required prior to running the IdM replica installation utility. Add the principal name and password options (--principal admin --admin-password password) to the ipa-replica-install command directly during the installation.

Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2026 Red HatRetour au début